Useful OpenSSL Commands

Convert a certificate from .pem into .pkcs12 format

openssl pkcs12 -export -out mycert.p12 \
    -inkey $HOME/.globus/userkey.pem \
    -in $HOME/.globus/usercert.pem -name "My Certificate"

Convert a host certificate from .pkcs12 to .pem format

openssl pkcs12 -in host.domain.p12 -clcerts -nokeys -out host.domain.cert.pem
openssl pkcs12 -in host.domain.p12 -nocerts -nodes -out host.domain.key.pem
# These files should then be placed in /etc/grid-security and httpd.conf
# modified accordingly. host.domain.cert.pem can safely be world readable
# but host.domain.key.pem must only be readable by root!
chown root:root host.domain.key.pem
chmod 0400 host.domain.key.pem
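
A check worth running after the conversion above, added here as an example and not part of the original page: it confirms that the extracted certificate and key belong together and that the key file has no group or world access. The function names, the temporary file names, the CN and the passphrase "demo" are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example: round-trip a throwaway certificate through PKCS#12 and
# check the extracted PEM files. All names and the passphrase are constructed.

# Public key (PEM) contained in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key (PEM) derived from an unencrypted private key.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Succeeds only if both public keys could be read and are identical.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the file grants nothing to group or others (e.g. 0400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Create a self-signed test certificate, export it to PKCS#12, then extract
# it with the two commands shown above. Prints the working directory.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=host.example.org" \
        -keyout "$dir/orig.key.pem" -out "$dir/orig.cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -passout pass:demo -name "Demo" \
        -inkey "$dir/orig.key.pem" -in "$dir/orig.cert.pem" \
        -out "$dir/host.p12" || return 1
    openssl pkcs12 -in "$dir/host.p12" -passin pass:demo \
        -clcerts -nokeys -out "$dir/host.cert.pem" || return 1
    openssl pkcs12 -in "$dir/host.p12" -passin pass:demo \
        -nocerts -nodes -out "$dir/host.key.pem" || return 1
    chmod 0400 "$dir/host.key.pem"
    echo "$dir"
}

demo_dir=$(roundtrip_demo) &&
    cert_matches_key "$demo_dir/host.cert.pem" "$demo_dir/host.key.pem" &&
    key_is_private "$demo_dir/host.key.pem" &&
    echo "certificate and key match; key file is private"
rm -rf "$demo_dir"
```

For a passphrase-protected key such as userkey.pem, key_pubkey will prompt for the passphrase.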

Convert a user certificate from .pkcs12 to .pem format

openssl pkcs12 -in export.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
openssl pkcs12 -in export.p12 -nocerts -out $HOME/.globus/userkey.pem
# The user certificate can safely be world readable, but userkey.pem
# must only be readable by you!
chmod 0400 $HOME/.globus/userkey.pem

Change the passphrase of the private key

openssl rsa -in $HOME/.globus/userkey.pem -des3
# you will be prompted for the old passphrase, the new passphrase
# and to verify the new passphrase
# without -out, the re-encrypted key is written to standard output

How to extract information from the certificate?

# lots of information:
openssl x509 -text -in cert.pem
# issuer
openssl x509 -noout -in cert.pem -issuer
# to whom was it issued (subject)
openssl x509 -noout -in cert.pem -subject
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
# what is the hash value of the certificate?
openssl x509 -noout -in cert.pem -hash
# what is the MD5 fingerprint?
# (-md5 is given explicitly because current OpenSSL defaults to SHA-1)
openssl x509 -noout -in cert.pem -fingerprint -md5

How to verify a certificate?

openssl verify -CApath <YOUR_TRUST_ANCHORS_DIRECTORY> cert.pem
For example, with the trust anchors installed in /etc/grid-security/certificates:
openssl verify -CApath /etc/grid-security/certificates cert.pem

More information on OpenSSL