RSA keys and certificates with OpenSSL: Frequently used commands

This is a simple how-to for manipulating PKI SSL certificates using OpenSSL.


RSA public/private keys for testing


Create a bundled public/private key pair

openssl genrsa -des3 -out private-3des-2048.pem 2048


Decrypt a 3DES-encrypted PEM key and convert it to DER

openssl rsa -in private-3des-2048.pem -outform DER -out private-2048.der

The DER file written by this command holds the private key without passphrase protection.


PKI CA operations


Creating a PKI CA

  • Install openssl
  • Create a CA folder
        mkdir /CA
  • Locate the file “” and copy it into the CA folder
  • Update the “openssl.cnf” file
  • Create a new CA
        ./ -newca


Creating SSL certificates

  • Create certificate requests
        ./ -newreq
  • Sign the requests to generate SSL certificates
        ./ -sign
  • Move the newly generated certificate, key and request
        mkdir someone ; mv new*.* ./someone/


Create pkcs12 SSL certificates

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out certificate.p12


Other PKI operations


Importing trusted root CA SSL certificates

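OpenSSL looks up trusted CA certificates in a directory through files named after the hash of the certificate subject (<hash>.0, <hash>.1, ...). The steps below create those hash-named symlinks, each pointing to its certificate.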

  • 1. Copy this script into a file under /etc/ssl/certs (e.g.
#!/bin/sh
# usage: filename [filename ...]

for CERTFILE in "$@"; do
  # make sure the file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
  test -n "$HASH" || continue
  # use the lowest available iterator for the symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done
  • 2. Run the script filename

Where filename is a root (.pem) CA SSL certificate
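
The effect of the hash links can be checked with `openssl verify -CApath`. The following is an added example, not part of the original how-to: it builds a throwaway self-signed CA in a temporary directory (the function names, the CA subject and all paths are constructed for the demo) and reports the certificate as untrusted before the link exists and trusted afterwards.

```shell
#!/bin/sh
# Added example: `openssl verify -CApath` trusts a CA only once a
# <subject-hash>.<n> link for it exists in the directory.
# Every name and path here is constructed for the demo.

# make_test_ca DIR: throwaway self-signed CA written to DIR/ca.pem
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# link_cert STORE CERT: create the hash link for one certificate, as the
# script above does. CERT must be an absolute path, otherwise the link
# dangles. Prints the name of the link that was created.
link_cert() {
  hash=$(openssl x509 -noout -hash -in "$2") || return 1
  test -n "$hash" || return 1
  for iter in 0 1 2 3 4 5 6 7 8 9; do
    test -e "$1/$hash.$iter" && continue
    ln -s "$2" "$1/$hash.$iter" && { echo "$hash.$iter"; return 0; }
  done
  return 1
}

# is_trusted STORE CERT: succeed only if verification prints "OK".
# The output is checked because old OpenSSL releases exit 0 on failure.
is_trusted() {
  openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: prints "untrusted trusted <hash>.0" when the lookup works
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/store"
  make_test_ca "$work" || { rm -rf "$work"; return 1; }
  is_trusted "$work/store" "$work/ca.pem" && before=trusted || before=untrusted
  link=$(link_cert "$work/store" "$work/ca.pem")
  is_trusted "$work/store" "$work/ca.pem" && after=trusted || after=untrusted
  echo "$before $after $link"
  rm -rf "$work"
}
```

Run `demo` after sourcing the file; the temporary directory is removed when it finishes.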


Extract CA certificate (in PEM) from a client certificate

openssl pkcs12 -in example.p12 -out cacert.pem -cacerts -nokeys


Extract (.pem) key and certificate from client .p12 certificate

openssl pkcs12 -in example.p12 -out example-cert.pem -clcerts -nokeys
openssl pkcs12 -in example.p12 -out example-key.pem -nocerts


Extract (.pem) CA certificate from p7b (Windows generated CA certificates)

openssl pkcs7 -in certnew.p7b -out cacert.pem -inform DER -text -print_certs

