
SSL commands

Overview

This page is a library of pertinent commands related to SSL certificates.

:::info{title='Note'} Key files for SSL certificate chains must not be encrypted, and must not be password protected. :::


Extracting certificates from .pfx files

This section covers extracting the key and certificate from .pfx files, which are often provided by certificate authorities such as GoDaddy.

Extract localhost.key from a *.pfx file:

openssl pkcs12 -in [filename].pfx -out localhost.key -nodes -nocerts

Extract localhost.crt from a *.pfx file:

openssl pkcs12 -in [filename].pfx -out localhost.crt -nokeys

Converting certificates

Convert the localhost.key extracted from the pkcs12 file into the expected RSA format:

openssl rsa -in localhost.key -out localhost.key

Convert the localhost.crt extracted from the pkcs12 file into the expected x509 format:

openssl x509 -in localhost.crt -out localhost.crt

If the certificate is in binary (DER) format:

openssl x509 -inform DER -outform PEM -in localhost.crt -out localhost.crt

Checking certificates

Check the contents of a crt file:

openssl x509 -in localhost.crt -text -noout

Check that the crt and key match; the two (stdin)= values printed by the following commands should be identical:

openssl rsa -noout -modulus -in localhost.key | openssl md5
openssl x509 -noout -modulus -in localhost.crt | openssl md5

Example:

-bash-4.2$ openssl rsa -noout -modulus -in localhost.key | openssl md5
(stdin)= ca7a632a9cb33d5607b119822a0d6295
-bash-4.2$ openssl x509 -noout -modulus -in localhost.crt | openssl md5
(stdin)= ca7a632a9cb33d5607b119822a0d6295
-bash-4.2$

If the command fails after you have copied it, re-type the - symbols on the command line, as copying can replace them with a different dash character.


Add a certificate to the Matillion certificate key store

sudo /usr/lib/jvm/jre/bin/keytool -import -keystore /usr/lib/jvm/jre/lib/security/cacerts -v -alias [giveitaname] -file [nameofcert] -trustcacerts -storepass changeit -noprompt

Other commands

Remove hidden Windows characters (CRLF line endings) from a certificate that has been copied from Windows:

dos2unix [certname]

Keys format

Keys should start with:

-----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----

And end with:

-----END PRIVATE KEY----- or -----END RSA PRIVATE KEY-----

:::warning{title='Warning'} You can't just add these beginning and end tags. They will need to be converted. :::
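
The modulus comparison, the dos2unix step and the expected key headers from the sections above, combined into one pre-install check. This is an added example, not part of the original page; it assumes openssl and standard POSIX tools are on PATH, and that the two file names passed are the key and certificate you intend to install.

```shell
#!/usr/bin/env bash
# Added example (not from the Matillion page): checks a PEM key and
# certificate before they are installed. Assumes openssl is on PATH.
set -u

# Return 0 if the file still contains Windows CRLF line endings,
# i.e. it needs dos2unix before openssl will read it cleanly.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Return 0 if the first line is one of the expected PEM key headers.
# A key straight out of a .pfx starts with "Bag Attributes" instead and
# must first be converted with "openssl rsa".
key_header_ok() {
    head -n 1 "$1" | grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----$'
}

# Print the RSA modulus of a PEM key ($2 = key) or certificate ($2 = crt).
modulus_of() {
    case "$2" in
        key) openssl rsa  -noout -modulus -in "$1" ;;
        crt) openssl x509 -noout -modulus -in "$1" ;;
    esac
}

# Compare the moduli directly (no md5 needed); 0 means the pair matches,
# 1 means mismatch, 2 means openssl could not read one of the files.
key_matches_cert() {
    local key_mod crt_mod
    key_mod=$(modulus_of "$1" key) || return 2
    crt_mod=$(modulus_of "$2" crt) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Full pre-install check: line endings, key header, then key/cert match.
verify_pair() {
    local key=$1 crt=$2
    if has_crlf "$key" || has_crlf "$crt"; then
        echo "CRLF line endings found: run dos2unix first" >&2; return 1
    fi
    if ! key_header_ok "$key"; then
        echo "unexpected key header: convert with 'openssl rsa'" >&2; return 1
    fi
    if ! key_matches_cert "$key" "$crt"; then
        echo "key and certificate do not match" >&2; return 1
    fi
    echo "OK: $key matches $crt"
}
```

Run it as `verify_pair localhost.key localhost.crt`; a non-zero exit status and a message on stderr tell you which of the three checks failed.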


Recreating self-signed certificates

sudo su - root
openssl req -nodes -new -x509 -subj "/C=GB" -keyout /usr/share/tomcat/conf/localhost.key -out /usr/share/tomcat/conf/localhost.crt
chown -R tomcat: /usr/share/tomcat/conf/localhost.*
chmod g+w /usr/share/tomcat/conf/localhost.*
service tomcat restart