change key password

openssl rsa -in oldkey.pem -out newkey.pem -des3

remove a passphrase from a key

openssl rsa -in key.pem -out newkey.pem

print certificate details

openssl x509 -in cert.cert -noout -text

print contents of the private key

openssl rsa -noout -text -in cert.key

print contents of request

openssl req -noout -text -in new

print certificate details of root CA

openssl x509 -inform der -in PCA3ss_v4.509 -noout -text

print specific fields, such as the issuer

openssl x509 -in newcert.pem -noout -issuer

the hash

openssl x509 -in newcert.pem -noout -hash

email address

openssl x509 -in newcert.pem -noout -email

certificate expires

openssl x509 -in newcert.pem -noout -enddate

verify certificate

openssl verify -CAfile /ccs/export/ftp/pub/unix/network/WWW/openssl-0.9.6/certs/thawteCb.pem

To check that the public key in your cert matches the public  portion of your private key, you need to view the cert and the key and compare the numbers

openssl x509 -noout -modulus -in server.crt | openssl md5
 openssl rsa -noout -modulus -in server.key | openssl md5

create key and request with no passphrase
number of days a x509 generated by -x509 is valid for (5 years)

openssl req -new -nodes -days 1825 -out -keyout

good openssl reference

pkcs7 issue

extract a certificate out of a PKCS7 certificate supplied by Thawte

openssl pkcs7 -in -out -print_certs

Take the certificate and key in PEM format and, using openssl, create a  PKCS12 file:

openssl pkcs12 \

-export -in [my_certificate.crt] \

-inkey [my_key.key] \

-out [keystore.p12] \

-name [new_alias] \

-CAfile [my_ca_bundle.crt] \

-caname root



Published on  and maintained in Cascade CMS.