Know the various type of SSL Commands and Key tool which are useful for successful installation of SSL Certificate.

1. Types of SSL Commands and Keytool

2. OpenSSL is an open-source implementation of SSL/TLS protocols and is considered
to be one of the most versatile SSL tools. It’s a library written in C programming
language that implements the basic cryptographic functions. OpenSSL have different
versions for most Unix-like operating systems, which include Mac OC X, Linux, and
Microsoft Windows etc.
Open SSL is normally used to generate a Certificate Signing Request (CSR) and
private key for different platforms. However, it also has several different functions,
which can be listed as follows. It is used to:
View details about a CSR or a certificate
Compare MD5 hash of a certificate and private key to ensure they match
Verify proper installation of the certificate on a website
Convert the certificate format

3. • Most of the functions mentioned below can also be performed
without involving OpenSSL by using these convenient SSL tools.
Here, we have put together few of the most common OpenSSL
commands.
1. General OpenSSL Commands
These are the set of commands that allow the users to generate
CSRs, Certificates, Private Keys and many other miscellaneous
tasks. Here, we have listed few such commands:
 Generate a Certificate Signing Request (CSR) and new private key
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout
privateKey.key

4.  Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout
privateKey.key -out certificate.crt
 Create CSR based on an existing private key
openssl req -out CSR.csr -key privateKey.key –new
 Create CSR based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey
privateKey.key
 Passphrase removal from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem

5. 2. SSL Check Commands
These commands are very helpful, if the user wants to check the information
within an SSL certificate, a Private Key and CSR. Few online tools can also help
you check CSRs and check SSL certificates. Following are the commands that
help you check:
 Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
 Private Key
openssl rsa -in privateKey.key –check
 SSL Certificate
openssl x509 -in certificate.crt -text –noout
 PKCS#12 File (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12

6. 3. Convert Commands
As per the title, these commands help convert the certificates and keys into different formats to impart them the
compatibility with specific servers types. For example, a PEM file, compatible with Apache server, can be
converted to PFX (PKCS#12), after which it would be possible for it to work with Tomcat or IIS. However, you can
also use the SSL Converter to change the format, without having to involve OpenSSL.
 Convert DER Files (.crt, .cer, .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
 Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
 Convert PKCS #12 File (.pfx, .p12) Containing a Private Key and Certificate to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem –nodes
To output only the private key, users can add –nocerts or –nokeys to output only the certificates.
 Convert PEM Certificate (File and a Private Key) to PKCS # 12 (.pfx #12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

7. 4. Debugging Using OpenSSL Commands
If there are error messages popping up about your private key not matching the certificate or that the newly-installed
certificate is not trusted, you can rely on one of the comments mentioned below. You can also use the
SSL certificate checker tool for verifying the correct installation of an SSL certificate.
 Check SSL Connection (All certificates, including Intermediates, are to be displayed)
• Here, all the certificates should be displayed, including the Intermediates as well.
• openssl s_client -connect www.paypal.com:443
 Check MD5 Hash of Public Key
• This is to ensure that the public key matches with the CSR or the private key.
• openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

8. SSL Keytool
• Java Keytool is a key and certificate management utility that allows the users to
cache the certificate and manage their own private or public key pairs and
certificates. Java Keytool stores all the keys and certificates in a ‘Keystore’, which
is, by default, implemented as a file. It contains private keys and certificates that
are essential for establishing the reliability of the primary certificate and
completing a chain of trust.
• Every certificate in Java Keystore has a unique pseudonym / alias. For creating a
‘Java Keystore’, you need to first create the .jks file containing only the private key
in the beginning. After that, you need to generate a Certificate Signing Request
(CSR) and generate a certificate from it. After this, import the certificate to the
keystore including any root certificates.
• The ‘Java Keytool’ basically contains several other functions that help the users
export a certificate or view the certificate details or the list of certificates in
keystore.

9. 1. For Creating and Importing
These Keytool commands allow users to create a new Java Keytool keystore file,
generate a Certificate Signing Request (CSR) and import certificates. Before you import
the primary certificate for your domain, you need to first import any root or
intermediate certificates.
 Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
 Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore
keystore.jks
 Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass
password -validity 360 -keysize 2048

10.  Generate Key Pair & Java Keystore
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
 Generate CSR for existing Java Keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
2. For Checking
Users can check the information within a certificate or Java keystore by using the
following commands:
 Check an individual certificate
keytool -printcert -v -file mydomain.crt
 Check certificates in Java keystore
keytool -list -v -keystore keystore.jks
 Check specific keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain

11. 3. Other Java Keytool Commands
Here are few more Java Keytool commands, which can be used to perform several
functions:
 Delete a certificate from Java Keystore keystore
keytool -delete -alias mydomain -keystore keystore.jks
 Change the password in Java keystore / Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
 Export certificate from Java keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
 List the trusted CA Certificate
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
 Import new CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore
$JAVA_HOME/jre/lib/security/cacerts

12. For More Information on SSL Commands & Tool
Blog: cheapsslsecurity.com/blog
Facebook: CheapSSLSecurities
Twitter: SSLSecurity
Google Plus: +Cheapsslsecurity