OpenSSL and Keytool basics


  • Create a self-signed certificate:
    # Generate a self-signed certificate and a new (unencrypted, -nodes) private key.
    # Give it a CN and, for anything a browser or modern TLS client will talk to, a
    # subjectAltName: clients ignore the CN and match the hostname against the SAN only.
    # (-addext needs OpenSSL 1.1.1 or newer.)
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1825 -keyout KEY.key -out CERT.crt \
      -subj "/C=US/ST=Illinois/L=Chicago/O=Abc Inc/CN=www.mydomain.com" \
      -addext "subjectAltName=DNS:www.mydomain.com"
    # Generate a self-signed certificate using an existing private key
    openssl req -x509 -new -days 365 -key KEY.key -out CERT.crt \
      -subj "/C=US/O=IBM/CN=www.mydomain.com"
    # Extract the public key from a private key (prints PEM to stdout; redirect to a file to save it)
    openssl rsa -in myprivate.key -pubout
  • Generate a certificate signing request (CSR):
    # Generate a CSR and a new private key; the CN should be the hostname the CSR is for
    openssl req -new -nodes -newkey rsa:2048 -keyout NEW_KEY.key -out CERT.csr \
      -subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=www.mydomain.com"
    # Generate a CSR using an existing private key
    openssl req -new -key EXISTING_KEY.key -out CERT.csr \
      -subj "/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/CN=www.mydomain.com"
    # Inspect the CSR and check its self-signature (-verify)
    openssl req -noout -text -verify -in CERT.csr
  • Inspect a certificate (PEM, DER or PKCS#12):
    openssl x509 -in /tmp/mycert.pem -text -noout
    openssl x509 -inform der -in /tmp/mycert.cer -text -noout
    # Print the certificates (not the private key) held in a PKCS#12 bundle
    openssl pkcs12 -in /tmp/mycert.p12 -password pass:mypass -nokeys
  • Convert PEM to PKCS#12 (.p12 and .pfx are the same format):
    # The bundle contains the private key, so always set a password on it
    openssl pkcs12 -export -inkey cert.key -in cert.pem -out cert.p12 \
      -password pass:pass1234 -name mycert
    openssl pkcs12 -info -in cert.p12 -password pass:pass1234 -nokeys
    # To include the CA chain along with the server cert, concatenate them into one
    # PEM file (leaf first, then intermediate(s), then root) and pass that as -in;
    # -certfile chain.pem is an alternative that keeps the files separate
    cat cert.pem intermediate.pem root.pem > certs.pem
    openssl pkcs12 -export -inkey cert.key -in certs.pem -out cert.p12 -password pass:pass1234 -name mycert
    # OpenSSL 3 writes PBES2/AES-256 bundles by default; if an older consumer cannot
    # read the file, re-export with -legacy (OpenSSL 3 only), accepting the weaker ciphers
  • Check a server certificate (expiry, chain) and test a client certificate:
    # Connect with a PKCS#12 client certificate (for PEM use --cert client.pem --key client.key).
    # -k disables server certificate verification: only for test hosts, never in scripts
    curl -k -v --cert-type P12 --cert example.p12:pass1234 https://localhost:443/
    # List all certificates the server sends (add -servername HOST for SNI virtual hosts)
    echo | openssl s_client -connect localhost:443 -showcerts
    # Show the validity period of the server certificate
    echo | openssl s_client -connect localhost:443 2>/dev/null \
      | openssl x509 -noout -dates
    # Save the server certificate as PEM (redirect stdout to a file)
    echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -outform PEM
  • Verify a CSR and a private key:
    openssl req -noout -text -verify -in www_mydomain_com.csr
    # -check validates the RSA key components; for an EC key use: openssl ec -in KEY.key -check
    openssl rsa -in /tmp/mycert.key -check
  • Remove the passphrase from a private key:
    # Write to a new file rather than overwriting the input, then restrict its permissions:
    # the result is unprotected, and anyone who can read it can impersonate the certificate holder
    openssl rsa -in mykey.key -out mykey_nopass.key
    chmod 600 mykey_nopass.key
  • Verify that a CSR, a private key and a certificate belong together (RSA keys only):
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
    # The three hashes must be identical. MD5 is fine here: it is only a short fingerprint
    # for comparing by eye, not a security control. -modulus exists only for RSA; for EC
    # keys compare the public keys (-pubkey / -pubout) instead of the modulus.
  • Encode a username and password with base64 (e.g. for an HTTP Basic Authorization header):
    # base64 is an encoding, not encryption: anyone who sees the header can decode it.
    # printf avoids the trailing newline that echo adds (echo -n is not portable).
    printf '%s' 'admin:password' | openssl base64
    # Generate a random 32-byte secret (prints as 44 base64 characters)
    head -c 32 /dev/urandom | base64
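
  Worked example (added here; not part of the original cheat sheet): the recipes above as one
  script. It builds a throwaway root CA, issues a server certificate from a CSR with a
  subjectAltName, bundles leaf and chain with the key into a PKCS#12, verifies chain and
  hostname, and checks that key, CSR and certificate belong together. It goes beyond the page
  in two ways: the CA signs the CSR instead of self-signing, and key/CSR/certificate
  consistency is checked by comparing public keys rather than the RSA modulus, so it also
  works for the EC server key used here. Assumed: openssl 1.1.1 or newer on PATH; the
  organisation, hostnames (www.example.test), password (pass1234) and the temp-directory
  layout are made up for the example.

```shell
#!/bin/sh
# Added example: tiny CA + CSR + signed server cert + PKCS#12 bundle + consistency checks.
# Assumes openssl >= 1.1.1 on PATH. Organisation, hostnames and password are made up.
set -eu

WORK="$(mktemp -d)"               # scratch dir for keys, certs and the bundle
trap 'rm -rf "$WORK"' EXIT        # nothing survives the run
CA_SUBJ="/C=US/O=Abc Inc/CN=Abc Test Root CA"
SRV_SUBJ="/C=US/O=Abc Inc/CN=www.example.test"
P12_PASS="pass1234"

# Minimal req config. Extensions live in named sections so one file serves the
# CA (ca_ext) and the server cert (server_ext) on any OpenSSL version, without -addext.
write_config() {
  cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# subjects are passed with -subj; this entry is only used if -subj is omitted
O = Abc Inc
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA: self-signed as in the "openssl req -x509" recipe, plus CA extensions.
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Requester side: new EC key plus CSR (the "openssl req -new" recipe).
make_csr() {
  openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -config "$WORK/req.cnf" -subj "$SRV_SUBJ" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}
# CA side: sign the CSR. The issuer, not the requester, decides SAN and key usages.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/req.cnf" -extensions server_ext \
    -out "$WORK/server.crt" 2>/dev/null
}
# Leaf first, then the chain, then export together with the key into one PKCS#12.
make_p12() {
  cat "$WORK/server.crt" "$WORK/ca.crt" >"$WORK/chain.pem"
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/chain.pem" \
    -name www.example.test -passout "pass:$P12_PASS" -out "$WORK/server.p12"
}
# Number of certificates stored in a PKCS#12 file (leaf + CA = 2 here).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# SHA-256 over the DER SubjectPublicKeyInfo found in a key, CSR or certificate.
# Unlike "openssl rsa -modulus" this works for any key type (RSA, EC, Ed25519).
pubkey_fp() {
  case "$1" in
    key) tool="pkey -pubout" ;;
    csr) tool="req -pubkey -noout" ;;
    crt) tool="x509 -pubkey -noout" ;;
    *) echo "pubkey_fp: kind must be key|csr|crt" >&2; return 2 ;;
  esac
  # $tool is deliberately unquoted so it splits into the subcommand and its options
  openssl $tool -in "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# same_pubkey key server.key crt server.crt -> exit 0 when both carry the same public key
same_pubkey() { [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]; }
# Exit 0 if certificate "$2" chains to our CA and is valid for hostname "$1".
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$2" >/dev/null 2>&1; }
# Exit 0 if the certificate is still valid "$2" seconds from now (default 30 days).
not_expiring_within() { openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null; }
# Print the subjectAltName value, e.g. "DNS:www.example.test, DNS:example.test".
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

build_pki() { write_config; make_ca; make_csr; sign_csr; make_p12; }

build_pki
verify_chain www.example.test "$WORK/server.crt" && echo "chain and hostname OK"
same_pubkey key "$WORK/server.key" crt "$WORK/server.crt" && echo "private key matches certificate"
echo "SAN: $(san_of "$WORK/server.crt")"
echo "certificates in PKCS#12: $(p12_cert_count "$WORK/server.p12")"
openssl x509 -in "$WORK/server.crt" -noout -dates
```

  Everything is written to a temporary directory that is removed on exit. For real use keep
  the CA key offline, and remember that a public CA applies its own SAN and key-usage policy
  at signing time, so extensions placed in a CSR are a request, not a guarantee.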


  • Convert/import a PKCS#12 certificate into a JKS keystore:
    $JAVA_HOME/bin/keytool -importkeystore -srckeystore mycert.p12 -srcstoretype pkcs12 \
      -srcstorepass pass123 -destkeystore mykeystore.jks -deststorepass pass123 \
      [-deststoretype jks -srcalias mycert -destalias mycert]
    # JKS is a legacy format (Java 9+ defaults to PKCS12 and warns about JKS stores);
    # prefer -deststoretype pkcs12 unless the consuming application requires JKS
  • Import a trusted intermediate or root CA certificate into a JKS keystore:
    $JAVA_HOME/bin/keytool -import -trustcacerts -alias intermediate \
      -file intermediate.cer -keystore mykeystore.jks -storepass pass123 -noprompt
  • List the certificates in a keystore (add -alias to show a single entry):
    $JAVA_HOME/bin/keytool -list -v -keystore mykeystore.jks -storepass pass123 [-alias root]