keyfilename=ec_key.pem
cert=ec_cert.crt
openssl ecparam -genkey -name prime256v1 -out $keyfilename
openssl ecparam -genkey -name secp256r1 -out $keyfilename
# List of Avail curves
openssl ecparam --list_curves
# Gen Cert:
openssl req -new -x509 -key $keyfilename -sha256 -nodes -out $cert -days 365
# Combine Private & Public in one file:
cat $keyfilename $cert > ec.pem
# verify
openssl x509 -in ec.pem -noout -text#=============================================
# Generate Key
openssl genrsa -out yourdomain.key 2048
# Output key File
cat yourdomain.key
# Validate Key
openssl rsa -text -in yourdomain.key -noout
#=============================================
# Extract Public Key
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
#=============================================
# Create CSR
openssl req -new -key yourdomain.key -out yourdomain.csr
#=============================================
# verify CSR
openssl req -text -in yourdomain.csr -noout -verify
# send CSR to CA:
cat yourdomain.csr
# View Cert info:
openssl x509 -text -in yourdomain.crt -noout
# Verify Public & Private Keys Match:
openssl pkey -pubout -in .\private.key | openssl sha256
openssl req -pubkey -in .\request.csr -noout | openssl sha256
openssl x509 -pubkey -in .\certificate.crt -noout | openssl sha256verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Utah, L=Lehi, O=Your Company, Inc., OU=IT, CN=yourdomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:31:71:40:81:2c:8e:fb:89:25:7c:0e:cb:76:
[...17 lines removed]
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
0b:9b:23:b5:1f:8d:c9:cd:59:bf:b7:e5:11:ab:f0:e8:b9:f6:
[...14 lines removed]openssl req -new -key yourdomain.key -out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"File Formats & Cert Types
| .pem | PEM, which stands for privacy-enhanced mail | —- BEGIN RSA PRIVATE KEY—– and —–END RSA PRIVATE KEY—– –BEGIN CERTIFICATE REQUEST—– —–END CERTIFICATE REQUEST—– |
| p7b / pkcs#7 | Certificates in P7B/PKCS#7 formats are encoded in Base64 ASCII encoding and they usually have .p7b or .p7c as the file extension. The thing that separates PKCS#7 formatted certificates is that only certificates can be stored in this format, not private keys. In other words, a P7B file will only consist of certificates and chain certificates. | "—–BEGIN PKCS7—–” and “—–END PKCS7—–” |
| .pfx .p12 .pkcs12 | The PKCS#12 format is an archival file that stores both the certificate and the private key. | Binary File |
| der | The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., .key, .crt, and .csr). The DER certificate format is most commonly used in Java-based platforms. | |
| .crt | Certificate | |
| .csr | Certificate Signing Request |
The following is an excerpt from https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm:
This format is useful for migrating certificates and keys from one system to another as it contains all the necessary files. PKCS#12 files use either the .pfx or .p12 file extension.
Use the following command to convert your PEM key and certificate into the PKCS#12 format (i.e., a single .pfx file):
openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crtBecause the PKCS#12 format contains both the certificate and private key, you need to use two separate commands to convert a .pfx file back into the PEM format.
Use the following command to extract the private key from a PKCS#12 (.pfx) file and convert it into a PEM encoded private key:
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes
Use the following command to extract the certificate from a PKCS#12 (.pfx) file and convert it into a PEM encoded certificate:
openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt
The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., .key, .crt, and .csr). The file extension .der was used in the below examples for clarity.
Use the following command to convert a PEM encoded certificate into a DER encoded certificate:
openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der
Use the following command to convert a PEM encoded private key into a DER encoded private key:
openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der
Use the following command to convert a DER encoded certificate into a PEM encoded certificate:
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt
Use the following command to convert a DER encoded private key into a PEM encoded private key:
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key
Sources: