Openssl, calculate SKI from public key in certificate

Extract public key from certificate in to tempfile

openssl x509 -noout -in [cert-file] -pubkey >


openssl asn1parse -in

Extract ”clean” public key

openssl asn1parse -in -strparse 19 -out pub.der

Calculate hash of the public key

openssl dgst -c -sha1 pub.der

Tribut to xuf for

Publicerat i PKI

OpenSSL, compare certificate vs. private key

To view the certificate Modulus:

openssl x509 -noout -modulus -in [certificate-file.crt]

To view the key Modulus:

openssl rsa -noout -modulus -in [key-file.key]

Command to compare certificate vs private key

$ certMod=$(openssl x509 -text -noout -modulus -in server.crt | grep "Modulus=") && \
	keyMod=$(openssl rsa -text -noout -modulus -in server.key | grep "Modulus=") && \
	[[ $certMod == $keyMod ]] && echo "Equal"

Tribut to Peter Mescalchin magnetikonline for the script above

Publicerat i PKI

Openssl – parse certificate and crl files

Parse certificate in binary format

openssl x509 -in certfile.cer -text -noout -inform der

Parse crl in binary format

openssl crl -in crlfile.crl -text -noout -inform der

Parse PEM file with several certificates

openssl crl2pkcs7 -nocrl -certfile FILE.pem | \
openssl pkcs7 -print_certs
Publicerat i PKI

Java keytool

List certificates

keytool -list -keystore keystore.jks -v

keytool -list -keystore server.p12 -storetype PKCS12 -v

Convert from JKS to P12

keytool -importkeystore -srckeystore keystore.jks \
-srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

Convert from P12 to JKS

keytool -importkeystore -srckeystore keystore.p12 \
-srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias rootCA -file CAcert.crt \
-keystore keystore.jks

Openssl, convert

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
-in certificate.crt -certfile CACert.crt
Publicerat i PKI

Openssl, s_client

Retrieve and parse certificate from server

$ echo | openssl s_client -connect servername:443 \
| openssl x509 -noout -text
 openssl s_client -CAfile ./CAcert.pem -connect servername:1636 -ssl3
 openssl s_client -connect servername:1636 -cert clientcert.cer -certform DER -key clientkey.key

Parse an ASN.1 sequence.

$ openssl asn1parse -inform DER -in sample.cer -dump
Publicerat i PKI