
SSL commands

This page is a library of pertinent commands related to SSL certificates. All of them use the OpenSSL command-line tool, and the key and certificate files are referred to as localhost.key and localhost.crt throughout.

Key files for SSL certificate chains must not be encrypted, and must not be password protected: the server has to read the key at startup without anyone typing a passphrase. A key file that contains a BEGIN ENCRYPTED PRIVATE KEY header or a Proc-Type: 4,ENCRYPTED line is still protected; the -nodes option used below produces an unprotected key.


Extracting certificates from .pfx files

This section focuses on extracting certificates from .pfx files, which are often provided by certificate authorities, such as GoDaddy. A .pfx (PKCS#12) file bundles the private key and the certificate (usually together with the intermediate certificates) under one import password; openssl prompts for that password, or it can be supplied with -passin pass:[password].

Extract the localhost.key from the *.pfx file (-nodes writes the key unencrypted, as required above; -nocerts leaves the certificates out):

openssl pkcs12 -in [filename].pfx -out localhost.key -nodes -nocerts

Extract the localhost.crt from the *.pfx file (-nokeys leaves the private key out; every certificate in the bundle is written, each preceded by its Bag Attributes lines):

openssl pkcs12 -in [filename].pfx -out localhost.crt -nokeys

Converting certificates

The files written by openssl pkcs12 carry Bag Attributes preambles, so re-encode them as plain PEM. Write each result to a new file name rather than reusing the input name: depending on the OpenSSL version the output file may be opened, and truncated, before the input has been read.

Convert the pkcs12 localhost.key into a plain RSA private key. On OpenSSL 1.x the result has a BEGIN RSA PRIVATE KEY header; on OpenSSL 3.x it has a BEGIN PRIVATE KEY header unless -traditional is added. Either form is acceptable (see Keys format below):

openssl rsa -in localhost.key -out localhost.key.pem && mv localhost.key.pem localhost.key

Convert the pkcs12 localhost.crt into plain x509 PEM. openssl x509 keeps only the first certificate in the file, so if the .pfx also carried intermediate certificates, keep the original output for the chain:

openssl x509 -in localhost.crt -out localhost.crt.pem && mv localhost.crt.pem localhost.crt

If the certificate is in binary (DER) format:

openssl x509 -inform DER -outform PEM -in localhost.crt -out localhost.crt.pem && mv localhost.crt.pem localhost.crt

Checking certificates

Check the contents of a crt file:

openssl x509 -in localhost.crt -text -noout

Check that the crt and key match. Both commands print an MD5 digest of the RSA modulus prefixed with (stdin)=; the two digests must be identical. This check applies to RSA keys only, since openssl rsa will not read an EC key:

openssl rsa -noout -modulus -in localhost.key | openssl md5
openssl x509 -noout -modulus -in localhost.crt | openssl md5

Example:

-bash-4.2$ openssl rsa -noout -modulus -in localhost.key | openssl md5
(stdin)= ca7a632a9cb33d5607b119822a0d6295
-bash-4.2$ openssl x509 -noout -modulus -in localhost.crt | openssl md5
(stdin)= ca7a632a9cb33d5607b119822a0d6295
-bash-4.2$

If a command copied from this page fails with an unknown option error, retype the - characters on the command line: browsers and word processors often replace them with typographic dashes, which openssl does not recognise.
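The extraction, conversion and matching steps above, run end to end as an added example (this is not from the original page or from Matillion): it builds a throwaway .pfx so the script runs offline, extracts and re-encodes the key and certificate, and checks that they belong together both with the modulus digest above and with a public-key comparison that also works for non-RSA keys. The file names and the export password are assumptions for the demo; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original page: round-trip a key/certificate
# pair through a password-protected .pfx and check the extracted files.
# Needs only the openssl CLI. File names and the export password are
# assumptions for the demo.
set -eu

# Build a throwaway .pfx shaped like a CA-issued bundle: a self-signed
# certificate plus its private key, protected by an export password.
make_test_pfx() {                          # make_test_pfx <dir> <password>
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=localhost" -days 1 \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout "pass:$2" -out "$1/bundle.pfx"
}

# The page's two extraction commands, with the import password given on the
# command line instead of at the prompt, followed by the two conversions.
# The conversions write to new names: some OpenSSL versions open the output
# before reading the input, so -in and -out must not be the same file.
extract_pfx() {                            # extract_pfx <pfx> <password> <outdir>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3/raw.key"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/raw.crt"
    # Strip the "Bag Attributes" preamble from the key; openssl x509 keeps
    # only the first certificate, so raw.crt is retained for the chain.
    openssl rsa -in "$3/raw.key" -out "$3/localhost.key" 2>/dev/null
    openssl x509 -in "$3/raw.crt" -out "$3/localhost.crt"
}

# The page's modulus check: prints "match" when both MD5 digests are equal.
# RSA only: openssl rsa rejects EC keys, which then read as "mismatch".
modulus_match() {                          # modulus_match <key> <crt>
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Key-type-agnostic check: compare the public key derived from the private
# key with the public key embedded in the certificate.
pubkey_match() {                           # pubkey_match <key> <crt>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# True when the key carries neither encryption marker, as the page requires.
key_is_plain() {                           # key_is_plain <key>
    ! grep -qE 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

demo=$(mktemp -d)
make_test_pfx "$demo" "export-secret"      # export password is a demo value
extract_pfx "$demo/bundle.pfx" "export-secret" "$demo"
modulus_match "$demo/localhost.key" "$demo/localhost.crt"   # match
pubkey_match  "$demo/localhost.key" "$demo/localhost.crt"   # match
key_is_plain  "$demo/localhost.key" && echo "key is unencrypted"
head -n 1 "$demo/localhost.key"                              # the key's PEM header
rm -rf "$demo"
```

Against a real bundle, call extract_pfx with the CA's .pfx and import password; if modulus_match prints mismatch, the .pfx contained a different key than the certificate you expected, and pubkey_match is the check to use when the key turns out not to be RSA.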


Add a certificate to the Matillion certificate key store

sudo /usr/lib/jvm/jre/bin/keytool -import -keystore /usr/lib/jvm/jre/lib/security/cacerts -v -alias [giveitaname] -file [nameofcert] -trustcacerts -storepass changeit -noprompt

[nameofcert] is the certificate file (PEM or DER), never the private key. The alias must not already exist in the keystore, changeit is the JRE's default password for the cacerts store, and -noprompt skips the confirmation of the certificate's fingerprint, so inspect the certificate (see Checking certificates above) before importing it.

Other commands

Removing the carriage-return characters (Windows line endings) from a certificate or key that has been copied from a Windows machine; the file is converted in place:

dos2unix [certname]

Keys format

Keys should start with one of:

-----BEGIN PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----

And end with the matching line:

-----END PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

The markers are five dashes on each side. BEGIN PRIVATE KEY is the PKCS#8 encoding and BEGIN RSA PRIVATE KEY the older PKCS#1 encoding; the base64 body between the markers differs between the two.

Note

You can't just add these beginning and end tags. A key in any other format will need to be converted with openssl rsa (see Converting certificates above), which produces the correct body together with the correct markers.
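An added example (not part of the original page) that checks a key file the way the notes above describe: it finds the PEM marker line, strips Windows line endings without dos2unix, refuses encrypted keys rather than hanging at a passphrase prompt, and converts between the PKCS#8 and PKCS#1 encodings with openssl instead of editing the markers. Inputs are generated in a temporary directory; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: inspect a private key file,
# strip Windows line endings, refuse encrypted keys, and convert between the
# two PEM key encodings.  Needs only the openssl CLI; file names are
# assumptions for the demo.
set -eu

# First PEM marker line, with any trailing carriage return removed.
pem_header() {                             # pem_header <file>
    awk '/^-----BEGIN /{sub(/\r$/, ""); print; exit}' "$1"
}

# Windows line endings: what dos2unix does, without needing dos2unix.
strip_cr() {                               # strip_cr <in> <out>
    tr -d '\r' < "$1" > "$2"
}

# True when the key carries either encryption marker (PKCS#8 or legacy PEM).
key_is_encrypted() {                       # key_is_encrypted <file>
    grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# "BEGIN PRIVATE KEY" is PKCS#8, "BEGIN RSA PRIVATE KEY" is PKCS#1.  The
# base64 body differs too, which is why editing the markers alone fails.
to_pkcs8() {                               # to_pkcs8 <in> <out>
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

to_pkcs1() {                               # to_pkcs1 <in> <out>
    # Refuse up front instead of hanging at a passphrase prompt.
    if key_is_encrypted "$1"; then
        echo "refusing to convert an encrypted key: $1" >&2
        return 1
    fi
    # OpenSSL 3 writes PKCS#8 by default and needs -traditional for PKCS#1;
    # OpenSSL 1.x lacks that option and writes PKCS#1 anyway, so fall back.
    openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

demo=$(mktemp -d)
# Constructed inputs: a PKCS#8 key, an encrypted copy, and a CRLF copy.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/key.p8" 2>/dev/null
openssl pkcs8 -topk8 -in "$demo/key.p8" -passout pass:demo \
    -out "$demo/key.enc" 2>/dev/null
awk '{printf "%s\r\n", $0}' "$demo/key.p8" > "$demo/key.crlf"

pem_header "$demo/key.p8"                  # -----BEGIN PRIVATE KEY-----
to_pkcs1 "$demo/key.p8" "$demo/key.rsa"
pem_header "$demo/key.rsa"                 # -----BEGIN RSA PRIVATE KEY-----
to_pkcs1 "$demo/key.enc" "$demo/never" || echo "encrypted key rejected"
strip_cr "$demo/key.crlf" "$demo/key.lf"
pem_header "$demo/key.lf"                  # -----BEGIN PRIVATE KEY-----
rm -rf "$demo"
```

pem_header is the quick triage step for a key that a server refuses: anything other than the two expected markers (an ENCRYPTED marker, a Proc-Type line, or nothing at all because the file is DER) tells you which conversion is needed before the file will work.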


Recreating self-signed certificates

sudo su - root
openssl req -nodes -new -x509 -subj "/C=GB" -keyout /usr/share/tomcat/conf/localhost.key -out /usr/share/tomcat/conf/localhost.crt
chown -R tomcat: /usr/share/tomcat/conf/localhost.*
chmod g+w /usr/share/tomcat/conf/localhost.*
service tomcat restart

Without -days N, openssl req -x509 issues a certificate valid for 30 days; add -days 365 (or longer) so the placeholder does not expire after a month. Adding /CN=[hostname] to -subj gives clients a name to match. The chmod grants the tomcat group write access to the key as well as the certificate; the private key must never be world-readable, so check that its resulting mode is 640 or stricter before restarting.
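An added example (not from the original page) of the recreation procedure with the caveats above applied: an explicit validity period and hostname, a self-signed check, a remaining-lifetime check, and a permissions check on the key. It writes to a temporary directory instead of /usr/share/tomcat/conf and does not run chown or restart Tomcat; the hostname and lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: recreate a self-signed
# certificate with an explicit lifetime and hostname, verify it, and lock
# down the key file.  The page's real targets are
# /usr/share/tomcat/conf/localhost.{key,crt}; here a temp dir stands in.
set -eu

# openssl req -x509 defaults to a 30-day certificate; -days makes the
# lifetime explicit and /CN= gives clients a name to match on.
make_self_signed() {                       # make_self_signed <dir> <hostname> <days>
    openssl req -nodes -new -x509 -newkey rsa:2048 -subj "/C=GB/CN=$2" \
        -days "$3" -keyout "$1/localhost.key" -out "$1/localhost.crt" 2>/dev/null
    chmod 640 "$1/localhost.key"           # owner rw, group r, never world-readable
}

# A self-signed certificate is its own issuer: subject and issuer hash equal.
cert_is_self_signed() {                    # cert_is_self_signed <crt>
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Succeeds only if the certificate is still valid <seconds> from now.
cert_valid_for() {                         # cert_valid_for <crt> <seconds>
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# The private key must not carry the "other read" bit.
key_not_world_readable() {                 # key_not_world_readable <key>
    [ -z "$(find "$1" -perm -004)" ]
}

demo=$(mktemp -d)
make_self_signed "$demo" "localhost" 365   # hostname and lifetime are demo values
cert_is_self_signed "$demo/localhost.crt" && echo "self-signed"
cert_valid_for "$demo/localhost.crt" 86400 && echo "valid for at least a day"
key_not_world_readable "$demo/localhost.key" && echo "key permissions ok"
openssl x509 -noout -subject -dates -in "$demo/localhost.crt"
rm -rf "$demo"
```

On the real server, run make_self_signed against /usr/share/tomcat/conf as root, then apply the page's chown and restart; cert_valid_for with a value such as 2592000 (30 days) is a useful pre-restart check that the placeholder is not about to expire.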