OpenSSL and Keytool basic commands

  • Create a self-signed certificate:
    • openssl  req  -x509  -nodes  -newkey rsa:2048  -days 365  -keyout mykey.key \
      -out mycert.crt  -subj “/C=US/ST=Chicago/L=Town/O=Abc Inc/
  • Generate a CSR and private key:
    • openssl req -new -nodes -newkey rsa:2048  -keyout mykey.key \
      -out mycert.csr –subj “/C=OM/ST=Muscat/L=Muscat/O=Abc/OU=IT/
  • Generate a self-signed certificate using existing private key:
    • openssl req -x509  -nodes -newkey rsa:1024 -days 1825 -key mykey.key \
      -out mycert.pem  -subj  “/C=IN/O=IBM/
    • openssl rsa -in myprivate.key -pubout >
  • List self-signed certificates:
    • openssl x509 -in /tmp/mycert2.pem -text -noout
    • openssl x509 -inform der -in /tmp/mycert.cer -text
    • openssl pkcs12 -in /tmp/mycert.p12 -password pass:passw0rd -nokeys
  • Convert pem to p12 and pfx:
    • openssl pkcs12 -export  -inkey cert.key  -in cert.pem  -out [cert.p12|cert.pfx] \
      [-password pass:pass1234 -name mycert]
    • openssl pkcs12 -info -in cert.p12 -password pass:pass1234 -nokeys
    • P.S. To import CA certs along with server cert into p12, create a single pem file as: cat cert.pem  intermediate.pem  root.pem > certs.pem
  • Verify server certificate expiry date and accepted client certificates:
    • curl -k -v –cert example.p12 –key example.pem
    • echo|openssl s_client -connect localhost:443 -showcerts   (List all server certs)
    • echo|openssl s_client -connect localhost:443 2>/dev/null | openssl x509 \
      -noout -dates  (Show expiry dates of server cert)
    • openssl s_client -showcerts -connect < /dev/null | \ openssl x509 -outform DER > derp.der   (Saves sever cert)
  • Verify a CSR and private key:
    • openssl req -noout -text -in www_mydomain_com.csr
    • openssl rsa -in /tmp/mycert.key -check
  • Remove password from a private key:
    • openssl rsa -in mykey.key -out mykey.key
  • Verify CSR, Private Key and the Certificate.
    • openssl x509 -noout -modulus -in certificate.crt | openssl md5
    • openssl rsa -noout -modulus -in privateKey.key | openssl md5
    • openssl req -noout -modulus -in CSR.csr | openssl md5
      P.S. If the md5 hash values need to be the same for all above three commands.


  • Convert/Import p12 certificate into JKS keystore:
    ./jre/bin/keytool -importkeystore -srckeystore mycert.p12 -srcstoretype pkcs12 \
    -srcstorepass pass123 -destkeystore mykeystore.jks -deststorepass pass123 \
    [deststoretype jks -alias mycert  -destailas mycert]
  • Import trusted Intermediate or Root chain certificate into JKS keystore:
    ./jre/bin/keytool -import -trustcacerts -alias intermediate -file intermediate.cer \
    -keystore mykeystore.jks -storepass pass123 -noprompt
  • List certificates in a keystore:
    ./keytool -list -v -keystore mykeystore.jks -storepass pass123 -noprompt [-alias root]



About Ishtiaque

I am IBM Certified Infrastructure Systems Architect, Linux Foundation Certified System Administrator, Oracle Certified Programmer in Java and Web Component Developer, and TOGAF 9 certified with over 10 years of support and development experience in IBM middleware software and Java. Additionally, have a sound grip in databases and OpenStack administration. I hold the following certifications: IBM Certified Infrastructure Systems Architect Linux Foundation Certified System Administrator (LFCS) TOGAF 9 Certified Oracle Certified Expert, Java EE6 Web Component Developer Oracle Certified Professional – Java 6 Programmer ITIL v3 Foundation Certified IBM Certified Solution Architect – Cloud Computing Infrastructure V1 IBM Certified System Administrator – WebSphere Portal V8, V7, V6.1, V6 IBM Certified System Administrator – WebSphere Application Server V7, V6.1 IBM Certified System Administrator – AIX V7 IBM Certified System Administrator – WebSphere MQ V7 IBM Certified Deployment Professional – Business Process Manager Advanced V7.5 IBM Certified Solution Advisor – Cloud Computing Architecture V3 IBM Certified Solution Developer – WebSphere Portal V5.1
This entry was posted in LFCE, LFCS, Linux, Security. Bookmark the permalink.