Over the years I have had to do a lot of repetitive tasks in OpenSSL, and I've always had to hunt down what command I needed to use. So, I finally made a list of the most common use cases and commands, and now it's time to share.

A Word About Certificate Formats and Encoding

There are two main types of encoding of certificates: DER and PEM.

DER is a binary encoding of a certificate.

PEM is a Base64 encoding of a certificate represented in ASCII, therefore it is readable as a block of text. This is very useful as you can open it in a text editor and work with the data more easily. The data itself is contained between a prefix of:

Similarly, RSA keys have a prefix and postfix as well.

Typically these use the file extension of. RSA private and public keys use the file extension of. Certificate Signing Requests (CSRs) use the file extension of.

In the event that you are getting errors when running any OpenSSL commands, you may need to explicitly declare the input format and/or the output format. This can be done by adding the following flags to almost any command:

    -inform and -outform

Creating an RSA Private Key

Create a 2048 bit RSA private key that is unencrypted:

    openssl genrsa -out <private-key-file> 2048

Create a 2048 bit RSA private key that is encrypted with 3DES:

    openssl genrsa -des3 -out <private-key-file> 2048

Encrypting/Decrypting an RSA Private Key

    openssl rsa -in <input-key-file> -out <output-key-file>

Creating a Certificate Signing Request

Create a CSR for an existing private key:

    openssl req -new -key <private-key-file> -out name.csr

Create a CSR based on a previously issued certificate:

    openssl x509 -x509toreq -in name.cer -signkey <private-key-file> -out name.csr

Create an unencrypted private key and CSR in one command:

    openssl req -new -newkey rsa:2048 -nodes -keyout <private-key-file> -out name.csr

Create an encrypted private key and CSR in one command:

    openssl req -new -newkey rsa:2048 -keyout <private-key-file> -out name.csr

Create a CSR using SHA256 signing algorithm instead of the default SHA1:

    openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout <private-key-file> -out name.csr

Creating Certificate Signing Requests with Subject Alternate Names

Creating a CSR with Subject Alternate Names (SANs) requires creating a configuration file with the specifics. Then you call it with OpenSSL.

    distinguished_name = req_distinguished_name
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    organizationName = Organization Name (eg, company)
    organizationName_default = Acme Corporation

Create the CSR by referencing the above configuration file:

    openssl req -new -key <private-key-file> -config <config-file> -out name.csr

Showing Contents of Certificate Signing Requests

Print out the contents of the CSR in human-readable format:

    openssl req -in name.csr -noout -text

Showing Contents of Certificates

Print out the contents of the certificate in human-readable format:

    openssl x509 -in name.pem -noout -text

Verifying Association of Private Key to Certificate

To compare whether a private key and certificate match you need to compare the modulus of both. Considering these are very long strings of text and numbers, it's easier to perform an MD5 checksum and compare the hashes.

Output the modulus MD5 hash of the certificate:

    openssl x509 -noout -modulus -in name.pem | openssl md5

Output the modulus MD5 hash of the private key:

    openssl rsa -noout -modulus -in <private-key-file> | openssl md5
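The private key to certificate association check described on this page, as an added example that is not part of the original article. It goes beyond the modulus/MD5 comparison by comparing the whole public key (so non-RSA keys work too), covers CSRs as well, and reports an unparseable file as an error instead of a match. The function names and the throwaway files (a.key, b.key, a.pem, a.csr) are constructed for the example.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate or CSR?
# Compares the full public key, so it is not limited to RSA moduli.

# Print the PEM public key held in a file.
# $1 = kind (key|cert|csr), $2 = path to a PEM file
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Exit 0 = same public key, 1 = different, 2 = a file could not be parsed.
# Piping a failed command straight into a hash would hash empty input on
# both sides and report a false match, so parse errors are caught first.
same_pubkey() {
    a=$(pubkey_pem "$1" "$2") || return 2
    b=$(pubkey_pem "$3" "$4") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed sample material: two throwaway keys, plus a self-signed
# certificate and a CSR that both belong to key A.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genrsa -out "$work/a.key" 2048 2>/dev/null
openssl genrsa -out "$work/b.key" 2048 2>/dev/null
openssl req -new -x509 -key "$work/a.key" -subj "/CN=example.test" \
    -days 1 -out "$work/a.pem"
openssl req -new -key "$work/a.key" -subj "/CN=example.test" -out "$work/a.csr"

# Print the exit status of same_pubkey for one pair of files.
report() {
    rc=0; same_pubkey "$@" || rc=$?
    echo "${2##*/} vs ${4##*/}: exit $rc"
}
report key "$work/a.key" cert "$work/a.pem"        # exit 0, match
report key "$work/a.key" csr  "$work/a.csr"        # exit 0, match
report key "$work/b.key" cert "$work/a.pem"        # exit 1, wrong key
report key "$work/missing.key" cert "$work/a.pem"  # exit 2, unreadable file
```

An encrypted private key needs its passphrase before `openssl pkey` can read it; without one the check returns 2 rather than guessing.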