



# Convert a PKCS#12 file (.pfx .p12) containing a private key and cert. to PEM
#   add -nocerts to output only the private key
#   add -nokeys to output only the cert.
#   NOTE: -nodes writes the private key to keyStore.pem unencrypted. Restrict
#   the file's permissions, or drop -nodes to be prompted for a PEM passphrase.
#   (OpenSSL 3.0 deprecates -nodes in favour of -noenc.)
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

# Convert a PEM certificate and private key to PKCS#12 (.pfx .p12)
#   -certfile adds the certificate(s) from ca.crt to the bundle.
#   openssl prompts for an export password that protects the resulting file.
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca.crt

# Convert DER file (.crt .cer .der) to PEM
#   -inform der declares the input encoding; the output defaults to PEM.
openssl x509 -inform der -in cert.cer -out cert.pem

# Convert PEM to DER
openssl x509 -outform der -in cert.pem -out cert.der


# Generate a new CSR with private key
#   -newkey rsa:2048 creates a fresh 2048-bit RSA key alongside the request.
#   NOTE: -nodes leaves private.key unencrypted on disk; restrict its
#   permissions, or drop -nodes to protect it with a passphrase.
openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key

# Generate a CSR for an existing private key
openssl req -out csr.csr -key private.key -new

# Generate a CSR based on an existing certificate
#   The request reuses the certificate's subject and is signed with private.key.
openssl x509 -x509toreq -in cert.crt -out csr.csr -signkey private.key

# Generate a self-signed certificate
#   Valid for 365 days, signed with SHA-256, new 2048-bit RSA key.
#   NOTE: -nodes leaves private.key unencrypted on disk.
#   NOTE(review): whether a subjectAltName is included depends on the
#   openssl.cnf in use; many TLS clients reject certificates without one.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt

# Remove a passphrase from a private key
#   Prompts for the current passphrase, then writes the key unencrypted to
#   newprivate.pem; protect that file with filesystem permissions.
#   "openssl rsa" handles RSA keys only.
openssl rsa -in private.pem -out newprivate.pem

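# Check a server's certificate
#   example.com:443 is a placeholder; substitute the server's host:port.
#   (-connect requires a host:port argument; without it the command fails.)
#   -servername sends SNI so a name-based virtual host returns the right cert.
#   Redirecting stdin from /dev/null makes s_client exit after the handshake.
#   s_client prints a "Verify return code" but continues on verification
#   failure, so read that line before trusting what is displayed.
openssl s_client -connect example.com:443 -servername example.com </dev/null

#   Decode the certificate as text. x509 reads only the first PEM block in the
#   stream, i.e. the server's own certificate, not the rest of the chain.
openssl s_client -showcerts -connect example.com:443 -servername example.com </dev/null | openssl x509 -text -noout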

Checking and Verifying

# Verify a CSR
#   -verify checks the request's self-signature; -text prints its contents
#   and -noout suppresses the re-encoded request.
openssl req -text -noout -verify -in csr.csr

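# Check a private key
#   -check verifies the consistency of the RSA key.
#   -noout keeps the key itself from being echoed to stdout, where it could
#   land in terminal scrollback or captured logs.
openssl rsa -in private.key -check -noout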

# Output a certificate as human-readable text
#   -noout suppresses the PEM-encoded copy of the certificate.
openssl x509 -in cert.crt -text -noout

# Show a PKCS#12 file (.pfx or .p12) info
#   Prompts for the import password. Without -noout or -nokeys the private
#   key is also written out (openssl asks for a PEM passphrase to encrypt it);
#   add -noout to display only the structure information.
openssl pkcs12 -info -in cert.p12