Cyberithub

25+ Popular Examples of Openssl Commands in Linux(RedHat/CentOS 7/8)

In this article, I will take you through 25+ Popular Examples of Openssl Commands in Linux. openssl is an opensource command line tool in linux primarliy used to generate ssl certificate with the help of private key and certificate signing request(CSR) file. This tool will use OpenSSL Library to implement its tasks.In most of the Linux  systems, this tool will be installed by default.

SSL – Secure Socket Layer
CSR – Certificate Signing Request
TLS – Transport Layer Security
PEM – Privacy Enhanced Mail
DER – Distinguished Encoding Rules
SHA – Secure Hash Algorithm
PKCS – Public-Key Cryptography Standards

Why do we need SSL Certificate

SSL Certificate is used secure traffic between client and Server. It will encrypt all the communication happening between server and client and hence will make difficult for anyone trying to steal or read the data. This will safeguard the communication between server and client. Hence it is a common practice to install a SSL Certificate before putting any content in Internet through web server. Usually Port 443 will be used for secure channel communication which is also known as https Port.

25+ Popular Examples of Openssl Commands in Linux(RedHat/CentOS 7/8) 1

Openssl Commands Examples

Openssl tutorial: Generate and Install Certificate on Apache Server in 8 Easy Steps

1. Check Openssl version

If you want to check openssl commands version then you need to run openssl version command as shown below.

[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

2. Check another URL Certificate

To check certificate of another URL, you need to run below openssl commands. Here we are connecting Google on Port 443 and checking its SSL Certificate.

[root@localhost ~]# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIKEDCCCPigAwIBAgIQcqkpZmmyCtYIAAAAADIKCjANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTIwMDMwMzA5MzczMloXDTIwMDUyNjA5Mzcz
MlowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAMMDCou
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL86+gnf

3. Debug another URL Certificate

To check debug another URL certificate you need to use -tlsextdebug option with openssl commands. Here we are debugging the Google SSL Certificate.

[root@localhost ~]# openssl s_client -connect google.com:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=2
0000 - 01 .
0002 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIKEDCCCPigAwIBAgIQcqkpZmmyCtYIAAAAADIKCjANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTIwMDMwMzA5MzczMloXDTIwMDUyNjA5Mzcz
MlowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAMMDCou
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL86+gnf
cOl+fosg2PhYtY0nCRji7IzDlLtxP+gPAxaBX4njwMD0YN306ufpKNJDhQDt8f2R
4EqflaMWqg2UZDmPUZF4DKURTHfdc9hf+AKkQy8gK048wSbcv9IGli+gkvzBYosq

4. Test SSL Certificate of another URL

If you want to check the SSL Certificate cipher of Google then you need to run below openssl commands.

[root@localhost ~]# openssl s_client -connect google.com:443 -cipher RC4-SHA
CONNECTED(00000003)
139965827106704:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 99 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1586014875
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

5. Check MD5 Hash

To check MD5 hashing of a certificate you can use below openssl commands.

[root@localhost ~]# openssl x509 -noout -modulus -in ca.crt | openssl md5
(stdin)= 97411c77be0abd568fb1611d2bee57af

6. Check SSL Certificate

To verify SSL Certificate you can use below openssl commands.

[root@localhost ~]# openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
93:73:2e:b2:bd:52:87:57
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Arvin, O=Default Company Ltd, OU=PM , CN=cyberithub.local/emailAddress=test@cyberithub.local
Validity
Not Before: Apr 4 13:20:11 2020 GMT
Not After : Apr 4 13:20:11 2021 GMT
Subject: C=US, ST=California, L=Arvin, O=Default Company Ltd, OU=PM , CN=cyberithub.local/emailAddress=test@cyberithub.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:4d:d8:e5:da:bf:1f:53:ee:6d:17:e4:9e:6d:
12:cc:9f:98:73:3c:58:6c:bc:33:44:7c:1e:ae:bf:
a4:f3:55:52:1a:ba:d5:fc:0f:d2:82:4e:f2:fa:2e:
42:a5:8d:c9:43:5e:64:58:aa:63:ca:eb:1e:a6:71:
54:62:a6:66:93:78:3d:26:25:78:d8:1f:87:71:ff:
c0:c7:43:81:8e:6f:09:27:c7:f9:e5:72:97:0d:b2:
7d:e6:05:4a:b0:15:1b:4e:bd:c8:5c:c0:29:4a:54:
61:3a:8b:ce:8e:db:25:80:76:b4:2f:c0:e3:dc:d4:
39:95:fd:42:2c:ae:a0:97:6a:a9:eb:9c:bc:f2:b6:
7a:59:91:a1:ed:8f:5d:a1:61:f2:b5:6c:e6:e8:61:
1c:ed:95:71:84:1d:83:51:6d:f0:a0:e6:f1:34:5d:
74:47:df:79:02:00:ca:66:a9:dd:60:56:1b:db:59:
71:be:3a:21:13:47:d1:38:b2:25:09:0f:c5:33:9b:
a7:e3:96:0e:6e:5e:3a:a5:6b:4e:d8:a2:76:63:2f:
70:3d:f7:d8:cb:a3:0f:f4:33:16:e3:04:ef:20:57:
ee:a5:78:75:51:02:5c:39:33:c5:8d:3d:39:70:69:
6d:6a:06:54:8d:0d:5b:66:5c:b5:46:f5:01:f5:49:
a8:37
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
a3:54:62:d9:9f:61:fe:c2:0d:66:6f:df:0c:bd:85:10:0b:77:
55:8d:cd:53:d6:87:5b:8d:a0:0f:52:c5:27:c3:ba:ae:b9:e6:
6c:82:f2:9f:45:da:b9:a4:51:e1:d3:8b:9e:f8:f6:49:ff:4e:
a8:60:9b:9c:bb:9d:39:cd:05:c7:34:fa:1a:76:52:6f:0d:bd:
ce:6f:4e:f5:fe:cb:49:91:2c:d2:48:98:ef:3d:7d:c8:17:a1:
66:34:56:ec:0b:d9:af:29:c5:99:aa:2c:b7:85:6e:bb:08:fb:
6d:6a:c4:d7:fa:34:d5:98:6f:2f:d0:46:1c:51:bb:74:f6:6b:
a1:26:26:52:43:ca:4e:b5:fa:1c:15:87:a2:21:d2:6b:c0:f3:
3c:10:e7:bb:d8:48:46:d5:6a:f3:0c:b9:f2:15:89:1e:a1:71:
ae:72:72:73:9f:59:64:98:7f:f6:64:90:bf:7d:0a:6e:03:5d:
f3:1a:77:ec:f2:b4:79:95:86:85:5b:f0:9b:11:a8:fc:58:ae:
f7:49:63:f6:24:46:86:0d:c2:66:45:43:c4:3e:8f:55:c6:87:
44:cb:31:f3:1b:2e:b4:85:82:e0:e0:6d:9b:ee:00:0d:5d:01:
f0:52:54:17:cf:79:aa:a2:9c:57:91:f5:8a:64:64:77:ca:a4:
aa:95:75:d8

7. Check a Private Key

You can check(-check) a private key(-in ca.key) using below command.

[root@localhost ~]# openssl rsa -in ca.key -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArE3Y5dq/H1PubRfknm0SzJ+YczxYbLwzRHwerr+k81VSGrrV
/A/Sgk7y+i5CpY3JQ15kWKpjyusepnFUYqZmk3g9JiV42B+Hcf/Ax0OBjm8JJ8f5
5XKXDbJ95gVKsBUbTr3IXMApSlRhOovOjtslgHa0L8Dj3NQ5lf1CLK6gl2qp65y8
8rZ6WZGh7Y9doWHytWzm6GEc7ZVxhB2DUW3woObxNF10R995AgDKZqndYFYb21lx
vjohE0fROLIlCQ/FM5un45YObl46pWtO2KJ2Yy9wPffYy6MP9DMW4wTvIFfupXh1
UQJcOTPFjT05cGltagZUjQ1bZly1RvUB9UmoNwIDAQABAoIBAH3qgegvvF3Tgzi8
LjlMcmGQ++KypdgIjNqubem8aXndzxtzkC8dDPRnZ49GwTOk8wDFeUWGd1jyC7sM
tONGwU1hoCZBWhduqxe3FBVKkuIY6LLmpAt2e0bqOrEfCt60/fjEHikR0Nrd4RPc
2X1yTuybUsBXEO3vNYoTwwlOMFOVzxkWvzeHI6NTqEsMU1tJ0DbKIlzaopxPUh9C
BnC++x+1IHy44Jk8dj/qXEJIbVZhmcmsqsBw8KnnKj0VbFYgR28lIcG8I3+jhQnb
04RxhKSwiqPoES45c+46wst9X3HKomAP26QECdGcLqF8dpI2S2nWYl8auAJdTanD
fIg3VuECgYEA2ivF+RljouL1XPqat+pQ19cG+Bi0UUfEz9XG22LLZSc9UNbycMk9
lrGqgLv8PIuj6etIST7UknpCXrHUMegT2fntAG8AtsJoc0W3NN3a2onz6hq/wHVl
QOG16CDtapObwSFump/YCcTOhNv+YBy5H1/R5sHO8IVHj2inGm0S4kcCgYEAyi4f
eC959m/BmOR0vnnyxfjnRWIIgxuOHOxejBRM99SYOgJx/ioy0AEbRRqRELU6mtux
oClBG3IlbV9nor/YzuokVI6Axy4d5Yj5k7dZZmUcgPSkZmh0ZMtZyUm4p+81zX1w
8x17sDex4uEyfYud4xoj24TBaxI7Ahee4MWdkpECgYEAiqbbEG40Riaa7NZPUabW
bfW39iAtKKLFz5f64x4sSULg0uln9onOXGDZDStrKEdOirD+pZ4KlnSgjXHSe00U
oKkXF/lzqLJwkyGxRyXfmpelrhgF2RhCmzNW2gljGSJqEBlhI1+Get7aqNDvHsHi
XLAWw+JT08PAMMG/wSmkoK0CgYBj8ODFfFKBq0S721KKRaXojt1jws4KYTiiu4UR
IYfailClfEf1J87uW12rjzJeW/eYTTlEvp/cfVRa+Go2XTdDMSK8WaT20KkeqdMV
XfDnWNv6MvSBWukOWicMBVEuUmT6KyQGSXC27xET4dYfkUB+3pETFlC2KNDae+qh
mY4GwQKBgDX1+62eACyvHoL8bsS1LQgFxhY/mcLnVYITmUyltC8ZmzjtFpO3VHRB
ZkJ4RVdb1/6VBdgRFVzGefw65AnvfF6BLpZxHmvrUm336jJOnWp1ICdAb1zBCKij
I3Jnk540fkAnHKUHHA0GYSB2YBk8c83l1OKW+lIeKIm+sTMDZARl
-----END RSA PRIVATE KEY-----

8. Convert CRT to DER Format

To convert CRT(-in ca.crt) to DER(-out cert.der) format you can use below command.

[root@localhost ~]# openssl x509 -in ca.crt -outform der -out cert.der

9. Generate certificate signing request based on current certificate

Below command generates Certificate Signing request(-out example.csr) based on current certificate(-in ca.crt) and private key(-in ca.key) as shown below.

[root@localhost ~]# openssl x509 -x509toreq -in ca.crt -out example.csr -signkey ca.key
Getting request Private Key
Generating certificate request

10. Verify Certificate Signing Request

Below command verify the certificate signing request(-in CSR.csr) as shown below.

[root@localhost ~]# openssl req -text -noout -verify -in CSR.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, L=Arvin, O=Default Company Ltd, OU=PM , CN=cyberithub.local/emailAddress=test@cyberithub.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:4d:d8:e5:da:bf:1f:53:ee:6d:17:e4:9e:6d:
12:cc:9f:98:73:3c:58:6c:bc:33:44:7c:1e:ae:bf:
a4:f3:55:52:1a:ba:d5:fc:0f:d2:82:4e:f2:fa:2e:
42:a5:8d:c9:43:5e:64:58:aa:63:ca:eb:1e:a6:71:
54:62:a6:66:93:78:3d:26:25:78:d8:1f:87:71:ff:
c0:c7:43:81:8e:6f:09:27:c7:f9:e5:72:97:0d:b2:
7d:e6:05:4a:b0:15:1b:4e:bd:c8:5c:c0:29:4a:54:
61:3a:8b:ce:8e:db:25:80:76:b4:2f:c0:e3:dc:d4:
39:95:fd:42:2c:ae:a0:97:6a:a9:eb:9c:bc:f2:b6:
7a:59:91:a1:ed:8f:5d:a1:61:f2:b5:6c:e6:e8:61:
1c:ed:95:71:84:1d:83:51:6d:f0:a0:e6:f1:34:5d:
74:47:df:79:02:00:ca:66:a9:dd:60:56:1b:db:59:
71:be:3a:21:13:47:d1:38:b2:25:09:0f:c5:33:9b:
a7:e3:96:0e:6e:5e:3a:a5:6b:4e:d8:a2:76:63:2f:
70:3d:f7:d8:cb:a3:0f:f4:33:16:e3:04:ef:20:57:
ee:a5:78:75:51:02:5c:39:33:c5:8d:3d:39:70:69:
6d:6a:06:54:8d:0d:5b:66:5c:b5:46:f5:01:f5:49:
a8:37
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
36:82:bd:eb:11:4d:ad:1e:44:62:b4:48:27:41:a3:2b:3a:b4:
64:6e:67:5b:f6:1a:8e:65:49:1a:b7:f2:5e:aa:7e:bc:8c:bc:
cb:ec:7b:b0:3d:5b:e1:29:84:8f:35:78:b1:6c:19:1e:9a:17:
ac:de:f8:b1:a7:66:61:6b:cc:a0:98:6c:21:10:6d:9f:e7:79:
19:5d:a9:bf:bb:ed:1e:cd:63:c7:4b:6d:de:6e:22:eb:e2:3f:
6c:de:13:b5:fb:18:30:c0:fc:9b:f5:5f:a8:b0:e3:01:f1:7a:
4c:7f:39:a2:7d:d0:86:98:bc:91:49:10:41:8b:5a:80:6f:b1:
cf:6e:6b:2b:2f:c6:c3:67:b5:b9:51:db:66:72:db:e3:b8:b1:
d6:0b:32:9f:ae:0f:4a:a9:7a:3d:4d:47:e2:26:0f:f3:e7:30:
bf:5d:c6:47:3f:33:67:03:b8:e7:fb:5b:01:56:99:4c:ad:7e:
95:89:08:48:b0:9c:71:62:19:2a:f3:cd:e3:38:c3:a6:09:c2:
7f:22:15:91:d9:af:6b:4c:fe:a2:bf:54:5c:05:6d:a5:ed:ef:
8e:c4:cc:10:07:ee:c1:56:7d:0b:ad:3f:a7:92:d3:00:c0:21:
30:38:68:99:76:de:3a:fb:5b:8d:64:2a:df:a8:45:57:07:95:
34:f7:cf:2c

11. Convert CRT to PEM Format

If you get SSL certificate in CRT format(-in) then you can convert it to PEM format(-out) using below command.

[root@localhost ~]# openssl x509 -in ca.crt -out ca.pem

12. Convert CRT to CER file

If you have SSL certificate in CRT format(-in) then you can convert it to CER format(-out) using below command.

[root@localhost ~]# openssl x509 -in ca.crt -out ca.cer

13. Convert CER to PEM file

If you have SSL certificate in CER format(-in) then you can convert it to PEM format(-out) using below command.

[root@localhost ~]# openssl x509 -in ca.cer -out certificate.pem

14. Convert PEM to DER file

If you have SSL certificate in PEM format(-in) then you can convert it to PEM format(-out) using below command.

[root@localhost ~]# openssl x509 -outform der -in certificate.pem -out certificate.der

15. Encode String using base64

Sometimes you need to convert text to base64 encoding format. You can do that by using below openssl commands.

[root@localhost ~]# openssl base64 -e <<< 'Welcome to CyberITHub'
V2VsY29tZSB0byBDeWJlcklUSHViCg==

16. Decode String using base64

You can also decode the encoded baseb4 strings using below openssl commands.

[root@localhost ~]# openssl base64 -d <<< 'V2VsY29tZSB0byBDeWJlcklUSHViCg=='
Welcome to CyberITHub

17. Check all Available Ciphers

You can check all the currently available ciphers using openssl ciphers -v command as shown below.

[root@localhost ~]# openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256

18. To hash a file using MD5 Algorithm

If you want MD5 hashing of a file then you need to use below openssl commands.

[root@localhost ~]# openssl md5 file.txt
MD5(file.txt)= b04941215bcb3bad30ad3061790e7721

19. To hash a file using SHA1 Algorithm

If you want SHA1 hashing of a file then you need to use below openssl commands.

[root@localhost ~]# openssl sha1 file.txt
SHA1(file.txt)= a2d686c168445fcbcdb5c2c172c603a116bb484d

20. To hash a file using SHA384 Algorithm

If you want SHA384 hashing of a file then you need to use below openssl commands.

[root@localhost ~]# openssl sha384 file.txt
SHA384(file.txt)= b6248266a7fec68839b276a1568b1339ccb432f86aad97b897419735cc67d576ef27907a6c03a4fab8953c83d4cf43c6

21. Create a Private Key with Passphrase

Below command can be used to generate private key of 2048 bits length and using a passphrase.

[root@localhost ~]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.............................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

22. Create a Private Key without Passphrase

Below command can be used to generate private key of 2048 bits length without using a passphrase.

[root@localhost ~]# openssl genrsa -des3 -passout pass:x -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
...+++
e is 65537 (0x10001)

23. Remove Passphrase from Private Key

If you want to decrypt the private key(-out newserver.key) based on given input key(-in server.key) then you need to use below openssl commands.

[root@localhost ~]# openssl rsa -in server.key -out newserver.key
Enter pass phrase for server.key:
writing RSA key

Check the decrypted key.

[root@localhost ~]# ls -lrt newserver.key
-rw-r--r--. 1 root root 1675 Apr 26 01:34 newserver.key

24. Create a Self Signed Certificate

Below openssl commands can be used to generate a self signed certificate(-out server.crt) for 365 days using Certificate Signing request(-in server.csr) and a private key(-signkey server.key) as shown below.

[root@localhost ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=California/L=San Diego/O=Example Ltd/OU=IT/CN=server.localhost/emailAddress=abc@server.com
Getting Private key
Enter pass phrase for server.key:

Check the Generated Certificate.

[root@localhost ~]# ls -lrt server.crt
-rw-r--r--. 1 root root 1322 Apr 26 01:38 server.crt

25. Convert PEM to PKCS#12 Format

Below command can be used to convert PEM format(-inkey server.key) to PKCS#12(-out server.pfx) format using below command.

[root@localhost ~]# openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile serverCA.crt
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:

Check the generated output file.

[root@localhost ~]# ls -lrt server.pfx
-rw-r--r--. 1 root root 3517 Apr 26 01:45 server.pfx

 

 

Popular Recommendations:-

5 Easy Steps to Black List Kernel Module in RedHat/ CentOS 7/8

How to Enable or Disable SELinux Temporarily or Permanently on RedHat/CentOS 7/8

10 Popular Examples of sudo command in Linux(RedHat/CentOS 7/8)

9 useful w command in Linux with Examples

12 Most Popular rm command in Linux with Examples

26 Useful Firewall CMD Examples on RedHat/CentOS 7

Leave a Comment