SSL commands

    Overview

    This page is a library of pertinent commands related to SSL certificates.

    Note

    Key files for SSL certificate chains must not be encrypted, and must not be password protected.


    Extracting certificates from .pfx files

    This section focuses on extracting certificates from .pfx files, which are often provided by certification authorities, such as GoDaddy.

    Extract the private key (localhost.key) from the .pfx file:

    openssl pkcs12 -in [filename].pfx -out localhost.key -nodes -nocerts

    Extract the certificate (localhost.crt) from the .pfx file:

    openssl pkcs12 -in [filename].pfx -out localhost.crt -nokeys

    Converting certificates

    Convert the localhost.key extracted from the PKCS#12 file into RSA private key (PEM) format:

    openssl rsa -in localhost.key -out localhost.key

    Convert the localhost.crt extracted from the PKCS#12 file into plain X.509 (PEM) format:

    openssl x509 -in localhost.crt -out localhost.crt

    If the certificate is in binary (DER) format, convert it to PEM:

    openssl x509 -inform DER -outform PEM -in localhost.crt -out localhost.crt

    Checking certificates

    Display the contents of a .crt file:

    openssl x509 -in localhost.crt -text -noout

    Check that the certificate and key match; the (stdin)= hash printed by the two commands should be identical:

    openssl rsa -noout -modulus -in localhost.key | openssl md5
    openssl x509 -noout -modulus -in localhost.crt | openssl md5

    Example:

    -bash-4.2$ openssl rsa -noout -modulus -in localhost.key | openssl md5
    (stdin)= ca7a632a9cb33d5607b119822a0d6295
    -bash-4.2$ openssl x509 -noout -modulus -in localhost.crt | openssl md5
    (stdin)= ca7a632a9cb33d5607b119822a0d6295
    -bash-4.2$
    

    If a command fails after being copied from this page, retype the - (hyphen) characters on the command line, as copying can replace them with similar-looking characters that the shell does not recognise.


    Add a certificate to the Matillion certificate key store

    sudo /usr/lib/jvm/jre/bin/keytool -import -keystore /usr/lib/jvm/jre/lib/security/cacerts -v -alias [giveitaname] -file [nameofcert] -trustcacerts -storepass changeit -noprompt
    

    Other commands

    Remove hidden Windows line-ending characters from a certificate that has been copied from Windows:

    dos2unix [certname]

    Keys format

    Keys should start with:

    -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----

    And end with:

    -----END PRIVATE KEY----- or -----END RSA PRIVATE KEY-----

    Warning

    You cannot simply add these header and footer lines to a key in another format. The key must be converted using the commands above.


    Recreating self-signed certificates

    sudo su - root
    openssl req -nodes -new -x509 -subj "/C=GB" -keyout /usr/share/tomcat/conf/localhost.key -out /usr/share/tomcat/conf/localhost.crt
    chown -R tomcat: /usr/share/tomcat/conf/localhost.*
    chmod g+w /usr/share/tomcat/conf/localhost.*
    service tomcat restart
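    The certificate/key matching check, the key header check and the self-signed recipe above, combined into one script. This is an added example and is not from the original page: it assumes the openssl CLI is installed, writes its throwaway key pair to a temporary directory rather than /usr/share/tomcat/conf, and the function names are its own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is on PATH.

# cert_key_match CERT KEY -> 0 if the certificate and RSA key share a modulus
# (the same check as the two "openssl ... -modulus | openssl md5" commands
# above), 1 if they differ, 2 if either file cannot be read.
# The moduli are compared directly: piping a failed command into "openssl md5"
# hashes empty input, so two unreadable files would appear to "match".
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# key_has_pem_header KEY -> 0 if the first line is one of the two PEM headers
# the "Keys format" section expects (a trailing CR from Windows is ignored here;
# use dos2unix to remove it from the file itself).
key_has_pem_header() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# has_crlf FILE -> 0 if the file contains Windows CRLF line endings.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# make_test_pair DIR -> constructed test material: a throwaway self-signed key
# and certificate made the same way as the "Recreating self-signed
# certificates" recipe (1-day validity, written to DIR instead of tomcat/conf).
make_test_pair() {
    openssl req -nodes -new -x509 -subj "/C=GB" -days 1 \
        -keyout "$1/localhost.key" -out "$1/localhost.crt" 2>/dev/null
}

# Stand-alone demonstration: a matching pair, then a deliberately wrong key.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_pair "$dir" || return 1
    key_has_pem_header "$dir/localhost.key" && echo "key header: ok"
    cert_key_match "$dir/localhost.crt" "$dir/localhost.key" && echo "localhost.key: matches"
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    cert_key_match "$dir/localhost.crt" "$dir/other.key" || echo "other.key: does NOT match"
    rm -rf "$dir"
}
demo
```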