Tips for using OpenSSL

When you work at a hosting provider you have to deal with SSL certificates. We create our certificate signing requests from a central Linux server. This means that when a certificate is for a website on a Windows server, I need to use OpenSSL to create a pfx file. Pfx files are needed to import the certificate and the private key into IIS, for example. With OpenSSL it is easy to create a pfx file.

Create .pfx file from certificate and private key

openssl pkcs12 -export -out domain.tld.pfx -inkey domain.tld.key -in domain.tld.cer

This command creates a pfx file that contains only the certificate and the private key. Most of the time you also want to include the root and intermediate certificates.

Create .pfx file from certificate, private key and root certificates

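openssl pkcs12 uses only the last -certfile it is given, so combine the PEM-encoded root and intermediate certificates into one file first:

cat intermediate.cer root.cer > chain.cer
openssl pkcs12 -export -out domain.tld.pfx -inkey domain.tld.key -in domain.tld.cer -certfile chain.cer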

Some SSL providers also give you a ca-bundle with all the correct root and intermediate certificates in it. If they do, it is better to use the ca-bundle.

openssl pkcs12 -export -out domain.tld.pfx -inkey domain.tld.key -in domain.tld.cer -certfile domain.tld.ca-bundle
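
To check what actually ended up in a pfx file, the following added example (not part of the original post) builds one pfx with two -certfile options and one with a ca-bundle, counts the certificates in each, and confirms that the private key belongs to the leaf certificate. It uses throwaway self-signed certificates as stand-ins; the helper function names, the password and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example. Keys, certificates, file names and the password are
# constructed throwaway test material, generated in a temporary directory.
set -eu
PW=pass:example-only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed stand-in certificate and key for the given name.
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# Build a pfx; $1 is the output name, the rest are extra pkcs12 options.
mkpfx() {
    out=$1; shift
    openssl pkcs12 -export -out "$WORK/$out" -passout "$PW" \
        -inkey "$WORK/domain.tld.key" -in "$WORK/domain.tld.cer" "$@"
}

# Number of certificates stored in a pfx file.
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "$PW" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# True when the private key in the pfx belongs to its leaf certificate.
key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$PW" 2>/dev/null |
        openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "$PW" 2>/dev/null |
        openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

for name in domain.tld intermediate root; do mkcert "$name"; done

# Two -certfile options: only the last file ends up in the pfx.
mkpfx two-flags.pfx -certfile "$WORK/root.cer" -certfile "$WORK/intermediate.cer"

# One bundle file holding both CA certificates: all of them are included.
cat "$WORK/intermediate.cer" "$WORK/root.cer" > "$WORK/domain.tld.ca-bundle"
mkpfx bundle.pfx -certfile "$WORK/domain.tld.ca-bundle"

echo "two -certfile options: $(count_certs "$WORK/two-flags.pfx") certificates"
echo "single ca-bundle:      $(count_certs "$WORK/bundle.pfx") certificates"
key_matches_cert "$WORK/bundle.pfx" && echo "private key matches leaf certificate"
```
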

Besides creating pfx files, you can do a lot more useful things with OpenSSL. Below are some other commands you can use.

Extract the private key from a pfx file

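openssl pkcs12 -in domain.tld.pfx -nocerts -nodes -out domain.tld.key

The -nodes option writes the private key unencrypted, so keep the resulting file readable only by its owner.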

Decode the certificate request

openssl req -in domain.tld.csr -noout -subject

Get the public key from a certificate

openssl x509 -in domain.tld.cer -noout -pubkey

Convert a DER-encoded cer file to PEM

openssl x509 -inform der -in domain.tld.cer -out domain.tld.pem