OpenSSL - use cases and conversions
OpenSSL is a toolbox used by the main open-source software to implement SSL.
- Make a pkcs12 (.pfx or .p12) from files for OpenSSL
- Transform a pkcs12 (.pfx or .p12) into individual files for apache or other OpenSSL compatible products
- OpenSSL: Make sure the certificate matches the private key?
- OpenSSL: key values mismatch
- OpenSSL: deactivate the RSA key password
- OpenSSL: 0D0890A1 or 0D0C50A1 errors - unknown message digest algorithm
- Prove control over a private key using OpenSSL
Cases related to SSH:
- Convert an OpenSSL/OpenSSH key to a Putty PPK file. (Requires OpenSSH and Puttygen)
- Convert a PPK to files for OpenSSH and OpenSSL (Requires OpenSSH and Puttygen)
- Use an OpenSSL key with OpenSSH (Requires OpenSSH)
- Convert a .ppk private key (Putty) to a base64/pem private key for OpenSSH or OpenSSL
Certificates conversion with OpenSSL
- PFX (#PKCS12) - Windows to PEM - Apache
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
- P7B (#PKCS7) to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- PEM to P7B (#PKCS7)
openssl crl2pkcs7 -nocrl -outform DER -certfile certificate.pem -out certificate.p7b
Note: certificate.pem is usually the result of a concatenation of your certificate and the certification chain.
Case of Chorus Pro: this service requires the inclusion of the root certificate as well (list of TBS INTERNET root certificates). For example:
cat pem-xxx-yyy.pem
openssl crl2pkcs7 -nocrl -certfile pem-xxx-yyy.pem -out xxx-yyy.p7b
- Remove the password from an encrypted private key
openssl rsa -in key-file-with-password.pkey -out file-without-password.key
- DER to PEM - Apache
openssl x509 -inform der -in certificate.cer -out certificate.pem
- PEM - Apache to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
- PEM to PFX (#PKCS12) - Windows
openssl pkcs12 -export -legacy -out certificate.pfx -inkey private_key.key -in certificate.crt -certfile CACert.crt
- P7B to PFX (#PKCS12) - Windows
openssl pkcs7 -in p7-0123456789-1111.p7b -inform DER -out result.pem -print_certs
openssl pkcs12 -export -legacy -inkey your_private_key.key -in result.pem -name my_label -out final_result.pfx
Do you get the "pkcs12: Unrecognized flag legacy" error?
In that case, remove the "-legacy" parameter from the commands above.
Version 3 of OpenSSL needs the "-legacy" parameter to generate a PFX compatible with older software. Version 1 of OpenSSL generates a compatible PFX directly.
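The following script is an added example, not part of the original page: it applies the "-legacy" rule described above automatically and refuses to build the PFX when the private key does not match the certificate. The function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: helper names and file arguments are hypothetical.

# Print "-legacy" when the given `openssl version` banner is OpenSSL 3 or later.
# OpenSSL 1.x does not know the flag, and LibreSSL (whose own version numbers
# also start at 2.x/3.x) does not either, so nothing is printed for them.
pfx_legacy_flag() {
    case "$1" in
        OpenSSL\ [3-9].*|OpenSSL\ [1-9][0-9].*) printf '%s' "-legacy" ;;
        *) : ;;
    esac
}

# Build a PFX from a PEM key, certificate and CA chain.
# usage: pem_to_pfx private_key.key certificate.crt CACert.crt certificate.pfx
pem_to_pfx() {
    key=$1 cert=$2 chain=$3 out=$4

    # Extract the public key from both sides; a failure here (bad file,
    # wrong key password) stops the conversion before anything is written.
    kpub=$(openssl pkey -in "$key" -pubout) || return 1
    cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1

    # The "key values mismatch" situation: the certificate was not issued
    # for this private key.
    if [ "$kpub" != "$cpub" ]; then
        echo "private key does not match certificate: $cert" >&2
        return 1
    fi

    flag=$(pfx_legacy_flag "$(openssl version)")
    # $flag is left unquoted on purpose: it is either empty or a single word.
    openssl pkcs12 -export $flag -out "$out" \
        -inkey "$key" -in "$cert" -certfile "$chain"
}
```
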
Technical parameters of a PFX
Use the following command to display the technical parameters of a PFX for debugging:
openssl pkcs12 -noout -info -in file.pfx
Useful links
- Install and use OpenSSL on Windows
- Generate a CSR on OpenSSL-based servers
- Install a certificate on OpenSSL-based servers
- Use a SSL linux / openssl client
- How to debug a certificate request with openssl?
- Which OpenSSL version to use?
- How to debug a SSL connection with OpenSSL?
- User certificate request with OpenSSL
- OpenSSL / Debian (DSA-1571) security announce
- Generate a RGS server certificate with OpenSSL
- Install a SSL / RGS certificate for DIGITECH - Airs Delib
Last edited on 01/10/2024 10:09:52