
OpenSSL conversions

OpenSSL is a toolkit for generating and working with certificates, as well as a general-purpose cryptography library. It is very powerful, which also means it has a lot of options, so here are a few commands I commonly find useful. We’ll cover common OpenSSL commands for converting between certificate formats and containers, and for getting a Let’s Encrypt certificate installed.

Combine a private key (.key) and a certificate (.crt, which holds the public key) into a password-protected PKCS #12 archive (.pfx)

openssl pkcs12 -export -out site.com.pfx -inkey site_com.key -in site_com.crt

Generate a self-signed certificate and convert it into a pfx for use in IIS

openssl req -x509 -nodes -sha256 -days 1365 -newkey rsa:4096 -keyout mysite.key -out mysite.crt
openssl pkcs12 -export -out mysite.pfx -inkey mysite.key -in mysite.crt

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM (-nodes writes the private key unencrypted)

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Extract a private key and certificates from a PKCS#12 file

openssl pkcs12 -in certificate.pfx -out keys_out.txt

Convert a private key into unencrypted format (removes the passphrase)

openssl rsa -in private.key -out unsecure_private.key
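
To confirm that a key and certificate belong together before bundling them, and that the conversions above preserve the certificate, this added example (not from the original post) generates a throwaway pair and checks each step. The file names, the CN and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed for the demo.

# Print the SubjectPublicKeyInfo (PEM) held in a certificate / derived from a key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only if both files parse and carry the same public key.
# Compares public keys rather than RSA moduli, so it also works for EC keys.
key_matches_cert() {
    k=$(key_pubkey "$1") && c=$(cert_pubkey "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint of a certificate; $2 is the encoding (pem or der).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Generate a throwaway pair, run it through the conversions, verify each step.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        openssl req -x509 -nodes -sha256 -days 1 -newkey rsa:2048 \
            -subj "/CN=example.test" -keyout demo.key -out demo.crt 2>/dev/null || exit 1
        key_matches_cert demo.key demo.crt || exit 2

        # PEM -> DER must not change the certificate itself.
        openssl x509 -outform der -in demo.crt -out demo.der || exit 1
        fp_pem=$(cert_fingerprint demo.crt pem)
        fp_der=$(cert_fingerprint demo.der der)
        [ -n "$fp_pem" ] && [ "$fp_pem" = "$fp_der" ] || exit 3

        # PEM -> PKCS#12 -> PEM: the extracted key must still match the cert.
        openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt \
            -passout pass:constructed-demo || exit 1
        openssl pkcs12 -in demo.pfx -nocerts -nodes -passin pass:constructed-demo \
            -out extracted.key 2>/dev/null || exit 1
        key_matches_cert extracted.key demo.crt || exit 4
    )
    rc=$?
    rm -rf "$dir"   # the demo wrote an unencrypted key; do not leave it behind
    return "$rc"
}

if roundtrip_check; then echo "round trip OK"; else echo "round trip failed: $?"; fi
```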

Getting a CA signed certificate on Ubuntu

The easiest way I can think of is to use certbot to get a web-ready certificate from Let’s Encrypt. Let’s Encrypt is a free, automated and open Certificate Authority.

Add Certbot repo

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Install Certbot

sudo apt-get install certbot python-certbot-nginx

Get a certificate which can be installed into nginx

sudo certbot certonly --nginx

Or have it install it directly into nginx

sudo certbot --nginx

Then test automatic renewal

sudo certbot renew --dry-run
