Useful OpenSSL Commands
Convert a certificate from .pem into .pkcs12 format
openssl pkcs12 -export -out mycert.p12 \
-inkey $HOME/.globus/userkey.pem \
-in $HOME/.globus/usercert.pem -name "My Certificate"
Convert a host certificate from .pkcs12 to .pem format
openssl pkcs12 -in host.domain.p12 -clcerts -nokeys -out host.domain.cert.pem
openssl pkcs12 -in host.domain.p12 -nocerts -nodes -out host.domain.key.pem
# These files should then be placed in /etc/grid-security and httpd.conf
# modified accordingly. host.domain.cert.pem can safely be world readable
# but host.domain.key.pem must be readable only by root:
chown root:root host.domain.key.pem
chmod 0400 host.domain.key.pem
Convert a user certificate from .pkcs12 to .pem format
openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem
# The user certificate can safely be world readable, but userkey.pem
# must only be readable by you!
chmod 0400 $HOME/.globus/userkey.pem
Change the passphrase of the private key
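openssl rsa -in $HOME/.globus/userkey.pem -des3 -out $HOME/.globus/userkey.pem.new
# you will be prompted for the old passphrase, the new passphrase
# and to verify the new passphrase; without -out the re-encrypted key
# is only printed to standard output (userkey.pem.new is a temporary name)
chmod 0400 $HOME/.globus/userkey.pem.new
mv -f $HOME/.globus/userkey.pem.new $HOME/.globus/userkey.pem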
How to extract information from the certificate?
# lots of information:
openssl x509 -text -in cert.pem
# issuer
openssl x509 -noout -in cert.pem -issuer
# to whom was it issued (subject)
openssl x509 -noout -in cert.pem -subject
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
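# what is the subject name hash (the file name OpenSSL looks up in a -CApath directory)?
openssl x509 -noout -in cert.pem -hash
# what is the MD5 fingerprint? (without -md5, current OpenSSL releases print SHA-1)
openssl x509 -noout -in cert.pem -fingerprint -md5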
How to verify a certificate?
openssl verify -CApath <YOUR_TRUST_ANCHORS_DIRECTORY> cert.pem
As an example, with the trust anchors installed in /etc/grid-security/certificates:
openssl verify -CApath /etc/grid-security/certificates cert.pem
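The following is an added example, not part of the original command list. It shows how the -hash value ties into -CApath verification: a certificate only verifies once its CA is present in the trust anchor directory under the name <subject-hash>.0. The CA, host name, file names and function names are constructed for the demonstration, and a standard OpenSSL install with its default configuration file is assumed.

```shell
#!/bin/sh
# Added example: the CA, host name and file names are constructed for the demo.

# Create a throwaway CA and one host certificate signed by it, under directory $1.
make_demo_pki() {
    d=$1
    mkdir -p "$d/anchors" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=Demo CA" \
        -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=host.example.org" \
        -keyout "$d/host.key.pem" -out "$d/host.csr.pem" 2>/dev/null || return 1
    chmod 0400 "$d/ca.key.pem" "$d/host.key.pem"   # private keys: owner read only
    openssl x509 -req -in "$d/host.csr.pem" -CA "$d/ca.cert.pem" \
        -CAkey "$d/ca.key.pem" -CAcreateserial -days 1 \
        -out "$d/host.cert.pem" 2>/dev/null
}

# Copy CA certificate $1 into trust anchor directory $2 as <subject-hash>.0,
# the file name "openssl verify -CApath" looks up, and print the hash.
install_anchor() {
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    cp "$1" "$2/$h.0" && echo "$h"
}

# Succeed only if certificate $1 chains to an anchor in directory $2.
# Matches the "OK" line in the output rather than relying on the exit status alone.
verify_against() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Demo in a scratch directory.
demo=$(mktemp -d)
make_demo_pki "$demo" || exit 1
verify_against "$demo/host.cert.pem" "$demo/anchors" || echo "before install: not trusted"
echo "anchor installed as $(install_anchor "$demo/ca.cert.pem" "$demo/anchors").0"
verify_against "$demo/host.cert.pem" "$demo/anchors" && echo "after install: OK"
rm -rf "$demo"
```

A CA file copied into the directory under any other name is ignored by the lookup, which is the usual reason a certificate fails to verify even though its CA appears to be installed.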
More information on OpenSSL