This page is a library of pertinent commands related to SSL certificates.
Key files for SSL certificate chains must not be encrypted, and must not be password protected.
Extracting certificates from .pfx files
This section focuses on extracting certificates from .pfx files, which are often provided by certification authorities, such as GoDaddy.
Extract the localhost.key from *.pfx file:
openssl pkcs12 -in [filename].pfx -out localhost.key -nodes -nocerts
Extract the localhost.crt from *.pfx file:
openssl pkcs12 -in [filename].pfx -out localhost.crt -nokeys
Convert the pkcs12 localhost.key into the correct format - RSA:
openssl rsa -in localhost.key -out localhost.key
Convert the pkcs12 localhost.crt into the correct format - x509:
openssl x509 -in localhost.crt -out localhost.crt
If the certificate is in binary format:
openssl x509 -inform DER -outform PEM -in localhost.crt -out localhost.crt
Check the contents of a crt file:
openssl x509 -in localhost.crt -text -noout
Check that crt and key match, the (stdin) should match:
openssl rsa -noout -modulus -in localhost.key | openssl md5 openssl x509 -noout -modulus -in localhost.crt | openssl md5
-bash-4.2$ openssl rsa -noout -modulus -in localhost.key | openssl md5 (stdin)= ca7a632a9cb33d5607b119822a0d6295 -bash-4.2$ openssl x509 -noout -modulus -in localhost.crt | openssl md5 (stdin)= ca7a632a9cb33d5607b119822a0d6295 -bash-4.2$
If you have any problems with the command, after copying, re-enter the
- symbols on the command line.
Add a certificate to the Matillion certificate key store
sudo /usr/lib/jvm/jre/bin/keytool -import -keystore /usr/lib/jvm/jre/lib/security/cacerts -v -alias [giveitaname] -file [nameofcert] -trustcacerts -storepass changeit -noprompt
Removing hidden windows characters from a certificate that has been copied from windows.
dos2unix [certname] [certname]
Keys should start with:
----BEGIN PRIVATE KEY---- or ----BEGIN RSA PRIVATE KEY----
And end with:
----END PRIVATE KEY---- or ----END RSA PRIVATE KEY----
You can’t just add these beginning and end tags. They will need to be converted.
Recreating self-signed certificates
sudo su - root openssl req -nodes -new -x509 -subj "/C=GB" -keyout /usr/share/tomcat/conf/localhost.key -out /usr/share/tomcat/conf/localhost.crt chown -R tomcat: /usr/share/tomcat/conf/localhost.* chmod g+w /usr/share/tomcat/conf/localhost.* service tomcat restart