Using OpenSSL

OpenSSL is a very mighty and complex tool. This page describes only few situations where this software can help requesting and using certificates.

On Linux and Macintosh computers the OpenSSL software should always be installed. Owners of Windows computers can download the software from www.openssl.org and install it.

OpenSSL does not have a graphical user interface but is used by typing commands.

This guide describes different scenarios:

• Disassemble a digital ID (PKCS#12 file)

• Assemble a digital ID (PKCS#12 file)

• Save private key in different formats

• Save certificate in different formats

• Check TLS connection and certificates presented by server

• Create key pair and certificate request

All OpenSSL commands know the option -help and display a short help message

Disassemble a digital ID (PKCS#12 file)

To disassemble a PKCS#12 file use this command (type everything in one line):

openssl pkcs12
  -in xxx.p12
  -out xxx.pem

To extract only individual parts and to split them into individual files you can specify additional options:

• Private Key only:

  openssl pkcs12
  -in xxx.p12
  -nocerts
  -out xxx.key

• Own certificate only:

  openssl pkcs12
  -in xxx.p12
  -nokeys -clcerts
  -out xxx.crt

• Certificates of the intermediate certification authorities only:

  openssl pkcs12
  -in xxx.p12
  -nokeys -cacerts
  -out xxx.chain

You will be prompted for the password for the Digital ID and, if the private key is exported, twice for a new password to encrypt the private key in the PEM file.

Assemble a digital ID (PKCS#12 file)

A complete digital ID contains the following components:

1. the private key

   This key can be taken from the file xxx.key above.

2. the corresponding certificate with the public key

   Ths certificate is sent to you by email from the certification authority. You can save the attachment as xxx.crt.

3. the certificates of the intermediate certification authorities

   These certificates can be found either following the corresponding link in this email or simplier on the page CA certificates in the table column “X.509 chain”. You can save the file “Text (without root)” as xxx.chain.

To assemble these parts to a PKCS#12 file use this command (type everything in one line):

openssl pkcs12 -export
  -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES
  -macalg SHA1 -macsaltlen 32 -iter 2000
  -inkey xxx.key
  -in xxx.crt
  -certfile xxx.chain
  -name "New digital ID"
  -out xxx.p12

In place of New digital ID you should give name and date or similar details. Many programs use this name when displaying a list of digital IDs.

A PKCS#12 is always encrypted with a password. So you are asked both for the password of the private key file and twice for a new password for the digital ID.

The options -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1 -macsaltlen 32 -iter 2000 are basically not necessary. They specify the exact encryption methods and are selected so that the generated file is also accepted by older software without significantly reducing security.

If you are not sure which intermediate certificates you need, you can let them pick automatically. Save this file as all-ca.pem and use this command (type everything in one line):

openssl pkcs12 -export
  -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES
  -macalg SHA1 -macsaltlen 32 -iter 2000
  -inkey xxx.key
  -in xxx.crt
  -chain -CAfile all-ca.pem
  -name "New digital ID"
  -out xxx.p12

Save private key in different formats

Different software may need the private key in different formats:

Unencrypted DER file:

openssl rsa
  -inform pem -in xxx.key
  -outform der -out yyy.der

Unencrypted PEM file:

openssl rsa
  -inform pem -in xxx.key
  -outform pem -out yyy.pem

Encrypted PEM file:

openssl rsa
  -inform pem -in xxx.key
  -aes256
  -outform pem -out yyy.pem

Encrypted PEM file in PKCS#8 format:

openssl pkcs8
  -inform pem -in xxx.key
  -topk8
  -outform pem -out yyy.pem

Save certificate in different formats

Different software may need the certificate in different formats:

Unencrypted DER file (can contain only one certificate, not several):

openssl x509
  -inform pem -in xxx.crt
  -outform der -out yyy.der

For PKCS#12 files see above.

The contents of a certificate can be displayed this way:

openssl x509
  -inform pem -in xxx.crt
  -text
  -noout

Unencrypted PKCS#7 file (can contain multiple certificates):

openssl crl2pkcs7 -nocrl -outform DER
  -certfile xxx.crt
  -out yyy.p7b

The PEM file xxx.crt may contain multiple certificates and the option -certfile xxx.crt may be given multiple times. Often, an entire certificate chain including the root certificate is combined into one file this way.

Check TLS connection and certificates presented by server

openssl s_client
  -connect hostname.domain:portnumber
  -servername hostname.domain
  -showcerts

For connections working with STARTTLS the corresponding protocol must be given, e.g. for an SMTP server:

openssl s_client
  -connect hostname.domain:portnumber
  -servername hostname.domain
  -starttls smtp
  -showcerts

Create key pair and certificate request

(This method is not used for digital IDs from the UCAM.)

openssl req -new
  -newkey rsa:4096
  -nodes
  -keyout xxx.key
  -out xxx.req
  -utf8
  -subj '/C=DE/ST=Nordrhein-Westfalen/O=Universität Münster/CN=xxx.uni-muenster.de'

To save the private key encrypted with Triple DES please omit the option -nodes.