https://blog.builtwithcaffeine.cloud/categories/how-to/Recent content in How-To on BuiltWithCaffeineHugo -- gohugo.ioen-us- BuiltWithCaffeineSun, 03 May 2026 00:00:00 +0000https://blog.builtwithcaffeine.cloud/posts/openssl-commands-config/Sun, 03 May 2026 00:00:00 +0000https://blog.builtwithcaffeine.cloud/posts/openssl-commands-config/<p>OpenSSL is an open-source toolkit used to work with TLS/SSL, certificates, keys, and cryptographic operations.</p> <p>If you work in DevOps or platform engineering, you don&rsquo;t need to be a full-time PKI specialist to benefit from it. You just need a reliable set of commands you can use when the usual certificate tasks show up.</p> <p>In real environments, this comes up more often than people expect:</p> <ul> <li>checking if a certificate is valid or expired</li> <li>inspecting certificate details during incident response</li> <li>converting certificate formats between teams and tools</li> <li>extracting certs and keys from <code>.pfx</code> files for load balancers, ingress, or app configs</li> </ul> <p>Knowing a few practical OpenSSL commands helps you troubleshoot faster, automate safely, and avoid guesswork when security-related changes are on the critical path.</p> <p>This guide keeps it hands-on: copy/paste-ready commands, plain-English explanations, and no crypto gatekeeping.</p> <h2 id="openssl-installation">OpenSSL Installation </h2><p>First up, let&rsquo;s install OpenSSL and make sure your terminal can find it straight away.</p> <p><style> .code-switcher { position: relative; margin: 1.75rem 0; border: 1px solid var(--card-separator-color); border-radius: var(--card-border-radius); background: var(--card-background); padding: clamp(1rem, 2vw, 1.35rem); box-shadow: var(--shadow-l1); transition: box-shadow 0.2s ease, border-color 0.2s ease; } .code-switcher:hover { box-shadow: var(--shadow-l2); } [data-scheme="dark"] .code-switcher { box-shadow: none; border-color: rgba(255, 255, 255, 0.12); } .code-switcher__input { position: absolute; opacity: 0; pointer-events: none; } .code-switcher__controls-wrapper { display: flex; justify-content: flex-start; flex: 1 1 auto; min-width: 0; overflow-x: auto; scrollbar-width: none; -ms-overflow-style: none; } .code-switcher__controls-wrapper::-webkit-scrollbar { display: none; } .code-switcher__header { display: flex; align-items: flex-start; justify-content: space-between; flex-wrap: wrap; gap: 0.75rem; margin-bottom: 1rem; } .code-switcher__controls { --switch-count: 2; --switch-control-font-size: 0.95rem; --switch-control-line-height: 1.25; --switch-control-padding-y: 0.5rem; --switch-control-padding-x: 0.85rem; --switch-control-radius: calc(var(--card-border-radius) - 6px); position: relative; display: inline-flex; gap: 0.35rem; padding: 0.35rem; border-radius: calc(var(--card-border-radius) - 4px); background: rgba(0, 0, 0, 0.04); border: 1px solid var(--card-separator-color); margin-bottom: 0; flex-wrap: nowrap; justify-content: flex-start; white-space: nowrap; min-width: max-content; max-width: 100%; } [data-scheme="dark"] .code-switcher__controls { background: rgba(255, 255, 255, 0.08); border-color: rgba(255, 255, 255, 0.14); } .code-switcher__copy { display: inline-flex; align-items: center; justify-content: center; gap: 0.35rem; padding: 0.4rem 0.8rem; border-radius: var(--tag-border-radius); border: 1px solid var(--card-separator-color); background: var(--card-background); color: var(--card-text-color-main); font-weight: 600; font-size: 0.875rem; line-height: var(--switch-control-line-height); cursor: pointer; min-width: 7.25ch; margin-left: auto; align-self: flex-start; transition: background-color 0.2s ease, color 0.2s ease, box-shadow 0.2s ease, border-color 0.2s ease; } .code-switcher__copy:focus-visible, .code-switcher__label:focus-visible { outline: 2px solid var(--accent-color); outline-offset: 2px; } .code-switcher__copy:hover { background: var(--card-background-highlight, rgba(0, 0, 0, 0.05)); box-shadow: var(--shadow-l1); } [data-scheme="dark"] .code-switcher__copy { background: rgba(255, 255, 255, 0.08); border-color: rgba(255, 255, 255, 0.14); color: rgba(255, 255, 255, 0.85); } [data-scheme="dark"] .code-switcher__copy:hover { background: rgba(255, 255, 255, 0.16); color: #fff; } .code-switcher__copy:disabled, .code-switcher__copy[aria-disabled="true"] { cursor: not-allowed; opacity: 0.6; box-shadow: none; } .code-switcher__copy.is-success { background: var(--accent-color); border-color: var(--accent-color); color: var(--accent-color-text); box-shadow: var(--shadow-l2); } [data-scheme="dark"] .code-switcher__copy.is-success { background: var(--accent-color-darker); border-color: var(--accent-color-darker); color: #111; } .code-switcher__copy.is-error { background: #c62828; border-color: #c62828; color: #fff; box-shadow: var(--shadow-l2); } [data-scheme="dark"] .code-switcher__copy.is-error { background: #ef5350; border-color: #ef5350; color: #111; } .code-switcher__slider { display: none; } .code-switcher__label { display: inline-flex; flex: 1 1 auto; justify-content: center; align-items: center; min-width: 140px; padding: var(--switch-control-padding-y) var(--switch-control-padding-x); border-radius: var(--switch-control-radius); text-align: center; font-weight: 600; color: var(--card-text-color-secondary); cursor: pointer; -webkit-user-select: none; user-select: none; line-height: var(--switch-control-line-height); font-size: var(--switch-control-font-size); transition: color 0.2s ease, background-color 0.2s ease, box-shadow 0.2s ease; } [data-scheme="dark"] .code-switcher__label { color: rgba(255, 255, 255, 0.65); } .code-switcher__label:hover { color: var(--card-text-color-main); } [data-scheme="dark"] .code-switcher__label:hover { color: rgba(255, 255, 255, 0.85); } .code-switcher__label .code-switcher__label-title { display: block; font-size: 1em; } .code-switcher__label .code-switcher__label-subtitle { display: block; font-size: 0.72rem; letter-spacing: 0.04em; font-weight: 500; opacity: 0.7; text-transform: uppercase; } .code-switcher__label.is-active { background: var(--accent-color); color: var(--accent-color-text); box-shadow: var(--shadow-l2); } [data-scheme="dark"] .code-switcher__label.is-active { background: var(--accent-color-darker); color: #111; box-shadow: none; } .code-switcher__label.has-focus { outline: 2px solid var(--accent-color); outline-offset: 2px; } .code-switcher__panels { border-radius: calc(var(--card-border-radius) - 4px); overflow: clip; } .code-switcher__panel { display: none; border-radius: inherit; } .code-switcher__panel.is-active { display: block; } .code-switcher__panel .highlight { margin: 0; border-radius: inherit; position: relative; overflow-x: auto; overflow-y: hidden; -webkit-overflow-scrolling: touch; scrollbar-width: none; -ms-overflow-style: none; } .code-switcher__panel .highlight::-webkit-scrollbar { display: none; } .code-switcher__panel .highlight .chroma .lntable > tbody > tr > td:last-child { scrollbar-width: none; -ms-overflow-style: none; } .code-switcher__panel .highlight .chroma .lntable > tbody > tr > td:last-child::-webkit-scrollbar { display: none; } .code-switcher__panel pre { margin: 0; padding-block: 0.75rem; font-family: var(--code-font-family); background: var(--pre-background-color); color: var(--pre-text-color); position: relative; overflow: visible; scrollbar-width: none; -ms-overflow-style: none; } .code-switcher__sr-only { position: absolute; width: 1px; height: 1px; padding: 0; margin: -1px; overflow: hidden; clip: rect(0, 0, 0, 0); white-space: nowrap; border: 0; } .code-switcher__panel pre::-webkit-scrollbar { display: none; } .code-switcher__panel .copyCodeButton { display: none; } .code-switcher:not(.is-ready) .code-switcher__panel { display: block; } @media (max-width: 680px) { .code-switcher__header { flex-direction: column; align-items: stretch; gap: 0.65rem; } .code-switcher__controls { width: 100%; justify-content: flex-start; } .code-switcher__copy { align-self: flex-end; margin-left: 0; } .code-switcher__label { flex: 1 1 100%; min-width: auto; } } </style> <script> (function () { if (window.__codeSwitcherLoaded) { return; } window.__codeSwitcherLoaded = true; var init = function () { var switchers = document.querySelectorAll('[data-code-switcher]'); if (!switchers.length) { return; } switchers.forEach(function (wrapper) { var inputs = wrapper.querySelectorAll('.code-switcher__input'); if (!inputs.length) { return; } var labels = wrapper.querySelectorAll('.code-switcher__label'); var panels = wrapper.querySelectorAll('.code-switcher__panel'); var copyButton = wrapper.querySelector('[data-code-switch-copy]'); var statusNode = wrapper.querySelector('[data-code-switch-status]'); var copyLabel = copyButton ? (copyButton.getAttribute('data-copy-label') || copyButton.textContent || 'Copy') : 'Copy'; var copiedLabel = copyButton ? (copyButton.getAttribute('data-copied-label') || 'Copied!') : 'Copied!'; var errorLabel = copyButton ? (copyButton.getAttribute('data-error-label') || 'Error') : 'Error'; var count = inputs.length; wrapper.style.setProperty('--switch-count', count); wrapper.classList.add('is-ready'); if (copyButton) { copyButton.textContent = copyLabel; } var activeIndex = 0; var feedbackTimeout = null; var setStatus = function (message) { if (statusNode) { statusNode.textContent = message || ''; } }; var setCopyFeedback = function (state) { if (!copyButton) { return; } if (feedbackTimeout) { clearTimeout(feedbackTimeout); feedbackTimeout = null; } copyButton.classList.remove('is-success'); copyButton.classList.remove('is-error'); if (state === 'success') { copyButton.textContent = copiedLabel; copyButton.classList.add('is-success'); setStatus('Code copied to clipboard'); } else if (state === 'error') { copyButton.textContent = errorLabel; copyButton.classList.add('is-error'); setStatus('Unable to copy code to clipboard'); } else { copyButton.textContent = copyLabel; setStatus(''); } if (state === 'success' || state === 'error') { feedbackTimeout = setTimeout(function () { copyButton.textContent = copyLabel; copyButton.classList.remove('is-success'); copyButton.classList.remove('is-error'); setStatus(''); }, 1500); } }; var resolveCodeElement = function (panel) { if (!panel) { return null; } var lineTableCode = panel.querySelector('.chroma .lntable .lntd:last-child code'); if (lineTableCode) { return lineTableCode; } var preferred = panel.querySelectorAll('code[data-lang]'); if (preferred && preferred.length) { return preferred[preferred.length - 1]; } var codeNodes = panel.querySelectorAll('code'); if (codeNodes && codeNodes.length) { return codeNodes[codeNodes.length - 1]; } var preNode = panel.querySelector('pre'); return preNode || null; }; var activate = function (index) { wrapper.style.setProperty('--active-index', index); inputs.forEach(function (input, idx) { var isActive = idx === index; input.checked = isActive; if (labels[idx]) { labels[idx].classList.toggle('is-active', isActive); labels[idx].setAttribute('aria-selected', isActive ? 'true' : 'false'); labels[idx].setAttribute('tabindex', isActive ? '0' : '-1'); } if (panels[idx]) { panels[idx].classList.toggle('is-active', isActive); panels[idx].hidden = !isActive; panels[idx].setAttribute('aria-hidden', isActive ? 'false' : 'true'); } }); activeIndex = index; if (copyButton) { var activePanel = panels[index]; var codeElement = resolveCodeElement(activePanel); var clipboardAvailable = typeof navigator !== 'undefined' && navigator.clipboard && typeof navigator.clipboard.writeText === 'function'; var isDisabled = !codeElement || !clipboardAvailable; copyButton.disabled = isDisabled; copyButton.setAttribute('aria-disabled', isDisabled ? 'true' : 'false'); setCopyFeedback('default'); } }; var current = Array.prototype.findIndex.call(inputs, function (input) { return input.checked; }); if (current < 0) { current = 0; } activate(current); inputs.forEach(function (input, idx) { input.addEventListener('change', function () { if (input.checked) { activate(idx); } }); input.addEventListener('focus', function () { if (labels[idx]) { labels[idx].classList.add('has-focus'); } }); input.addEventListener('blur', function () { if (labels[idx]) { labels[idx].classList.remove('has-focus'); } }); }); labels.forEach(function (label, idx) { label.addEventListener('click', function () { if (!inputs[idx].checked) { inputs[idx].checked = true; inputs[idx].dispatchEvent(new Event('change', { bubbles: true })); } }); label.addEventListener('keydown', function (evt) { if (evt.key === 'ArrowRight' || evt.key === 'ArrowDown') { evt.preventDefault(); var next = (idx + 1) % count; inputs[next].focus(); inputs[next].checked = true; inputs[next].dispatchEvent(new Event('change', { bubbles: true })); } else if (evt.key === 'ArrowLeft' || evt.key === 'ArrowUp') { evt.preventDefault(); var prev = (idx - 1 + count) % count; inputs[prev].focus(); inputs[prev].checked = true; inputs[prev].dispatchEvent(new Event('change', { bubbles: true })); } else if (evt.key === 'Home') { evt.preventDefault(); inputs[0].focus(); inputs[0].checked = true; inputs[0].dispatchEvent(new Event('change', { bubbles: true })); } else if (evt.key === 'End') { evt.preventDefault(); inputs[count - 1].focus(); inputs[count - 1].checked = true; inputs[count - 1].dispatchEvent(new Event('change', { bubbles: true })); } else if (evt.key === 'Enter' || evt.key === ' ') { evt.preventDefault(); if (!inputs[idx].checked) { inputs[idx].checked = true; inputs[idx].dispatchEvent(new Event('change', { bubbles: true })); } } }); }); var clipboardSupported = typeof navigator !== 'undefined' && navigator.clipboard && typeof navigator.clipboard.writeText === 'function'; if (copyButton && clipboardSupported) { copyButton.addEventListener('click', function () { if (copyButton.disabled) { return; } var activePanel = panels[activeIndex]; if (!activePanel) { return; } var codeElement = resolveCodeElement(activePanel); if (!codeElement) { return; } var codeText = codeElement.innerText || codeElement.textContent || ''; if (!codeText) { return; } navigator.clipboard.writeText(codeText).then(function () { setCopyFeedback('success'); }).catch(function () { setCopyFeedback('error'); }); }); } else if (copyButton) { copyButton.disabled = true; copyButton.setAttribute('aria-disabled', 'true'); copyButton.title = 'Clipboard access is not supported in this browser'; } }); }; if (document.readyState === 'loading') { document.addEventListener('DOMContentLoaded', init, { once: true }); } else { init(); } })(); </script> <div class="code-switcher" id="openssl-install-platform" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-install-platform-selector" id="openssl-install-platform-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-install-platform-selector" id="openssl-install-platform-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-install-platform-option-0" role="tab" aria-controls="openssl-install-platform-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-install-platform-option-1" role="tab" aria-controls="openssl-install-platform-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-install-platform-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Install OpenSSL Package</span> </span></span><span class="line"><span class="cl"><span class="n">winget</span> <span class="n">install</span> <span class="p">-</span><span class="o">-exact</span> <span class="p">-</span><span class="n">-id</span> <span class="s1">&#39;FireDaemon.OpenSSL&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Reload Environment Paths</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:Path</span> <span class="p">=</span> <span class="p">[</span><span class="no">System.Environment</span><span class="p">]::</span><span class="n">GetEnvironmentVariable</span><span class="p">(</span><span class="s1">&#39;Path&#39;</span><span class="p">,</span> <span class="s1">&#39;Machine&#39;</span><span class="p">)</span> <span class="p">+</span> <span class="s1">&#39;;&#39;</span> <span class="p">+</span> <span class="p">[</span><span class="no">System.Environment</span><span class="p">]::</span><span class="n">GetEnvironmentVariable</span><span class="p">(</span><span class="s1">&#39;Path&#39;</span><span class="p">,</span> <span class="s1">&#39;User&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Check OpenSSL Version</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">version</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-install-platform-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install OpenSSL Package</span> </span></span><span class="line"><span class="cl">sudo apt install -y openssl </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check OpenSSL Version</span> </span></span><span class="line"><span class="cl">openssl version</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h2 id="openssl-commands">OpenSSL Commands </h2><p>The examples below use a local <code>cert-lab</code> folder so you can test safely before touching real certificates.</p> <style type="text/css"> .box-shortcode { display: flex; gap: 0.75em; padding: 1.6em; padding-top: 1.4em; line-height: 1.6; margin: 1em 0 2em; border-radius: 8px; color: #000; background: #f3ebe850; align-items: flex-start; } [data-scheme="dark"] .box-shortcode { color: #fff; background: #333; } .box-shortcode.warning { background: #ff6b6b4f; } .box-shortcode.info { background: #0089e41c; box-shadow: 3px 3px 5px #0089e410; } .box-shortcode.important { background: #f7ec2c7d; } .box-shortcode.tip { background: #a3ffa34d; box-shadow: 3px 3px 5px #0089e410; } .icon-box { display: inline-flex; flex: 0 0 auto; line-height: 1; align-self: flex-start; margin-top: 0.2em; } .icon-box svg { height: 1.2em; width: 1.2em; fill: currentColor; } .box-shortcode .box-body { flex: 1 1 auto; min-width: 0; } .box-shortcode .box-body > :first-child { margin-top: 0; } .box-shortcode .box-body > :last-child { margin-bottom: 0; } .box-shortcode .sr-only { position: absolute; width: 1px; height: 1px; padding: 0; margin: -1px; overflow: hidden; clip: rect(0, 0, 0, 0); white-space: nowrap; border: 0; } .box-shortcode :not(pre) > code { border-radius: 4px; padding: 0.15em 0.45em; background: #f1f3f5; border: 1px solid #e0e4e8; font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, "Liberation Mono", monospace; font-size: 0.85em; line-height: 1.25em; white-space: normal; display: inline-block; vertical-align: baseline; } .box-shortcode p > code, .box-shortcode li > code, .box-shortcode span > code, .box-shortcode div > code, .box-shortcode em > code, .box-shortcode strong > code { background: #f1f3f5; border: 1px solid #e0e4e8; padding: 0.15em 0.45em; border-radius: 4px; font-weight: 600; } [data-scheme="dark"] .box-shortcode :not(pre) > code { background: #2d333b; border-color: #3b424b; color: #e6edf3; } [data-scheme="dark"] .box-shortcode p > code, [data-scheme="dark"] .box-shortcode li > code, [data-scheme="dark"] .box-shortcode span > code, [data-scheme="dark"] .box-shortcode div > code, [data-scheme="dark"] .box-shortcode em > code, [data-scheme="dark"] .box-shortcode strong > code { background: #2d333b; border-color: #3b424b; color: #e6edf3; font-weight: 600; } .box-shortcode strong, .box-shortcode strong code, .box-shortcode p strong code, .box-shortcode li strong code { font-weight: 600 !important; } .box-shortcode pre, .box-shortcode .highlight { margin: 1em auto; overflow: hidden; display: block; border-radius: 6px; box-sizing: border-box; position: relative; isolation: isolate; max-width: 100%; } .box-shortcode .highlight { padding-left: 0; padding-right: 0; margin-right: 0; width: 100%; max-width: 100%; } @media (min-width: 1100px) { .box-shortcode pre, .box-shortcode .highlight { max-width: 900px; } } .box-shortcode pre code, .box-shortcode .highlight pre, .box-shortcode .highlight code { display: block; border-radius: inherit; background-clip: padding-box; margin: 0; } .box-shortcode .highlight-wrapper { margin: 1em auto; border-radius: 6px; overflow: hidden; box-sizing: border-box; isolation: isolate; max-width: 100%; } @media (min-width: 1100px) { .box-shortcode .highlight-wrapper { max-width: 900px; } } .box-shortcode .highlight-wrapper .highlight { border-radius: inherit; overflow: hidden; } .box-shortcode .highlight button.copy { position: absolute; top: 0.5em; right: 0.5em; z-index: 1; border-radius: 4px; } </style> <svg width="0" height="0" display="none" xmlns="http://www.w3.org/2000/svg"> <symbol id="tip-box" viewBox="0 0 512 512" preserveAspectRatio="xMidYMid meet"> <path d="M504 256c0 136.967-111.033 248-248 248S8 392.967 8 256 119.033 8 256 8s248 111.033 248 248zM227.314 387.314l184-184c6.248-6.248 6.248-16.379 0-22.627l-22.627-22.627c-6.248-6.249-16.379-6.249-22.628 0L216 308.118l-70.059-70.059c-6.248-6.248-16.379-6.248-22.628 0l-22.627 22.627c-6.248 6.248-6.248 16.379 0 22.627l104 104c6.249 6.249 16.379 6.249 22.628.001z"/> </symbol> <symbol id="important-box" viewBox="0 0 512 512" preserveAspectRatio="xMidYMid meet"> <path d="M504 256c0 136.997-111.043 248-248 248S8 392.997 8 256C8 119.083 119.043 8 256 8s248 111.083 248 248zm-248 50c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"/> </symbol> <symbol id="warning-box" viewBox="0 0 576 512" preserveAspectRatio="xMidYMid meet"> <path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"/> </symbol> <symbol id="info-box" viewBox="0 0 512 512" preserveAspectRatio="xMidYMid meet"> <path d="M256 8C119.043 8 8 119.083 8 256c0 136.997 111.043 248 248 248s248-111.003 248-248C504 119.083 392.957 8 256 8zm0 110c23.196 0 42 18.804 42 42s-18.804 42-42 42-42-18.804-42-42 18.804-42 42-42zm56 254c0 6.627-5.373 12-12 12h-88c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h12v-64h-12c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h64c6.627 0 12 5.373 12 12v100h12c6.627 0 12 5.373 12 12v24z"/> </symbol> </svg><div class="box box-shortcode important" data-variant="important" role="note"> <span class="icon-box"> <span class="sr-only">Important</span> <svg><use href="#important-box"></use></svg> </span> <div class="box-body"> <p><strong>IMPORTANT</strong> <br> These examples are for local testing and learning only. Don&rsquo;t use self-signed certs in production.</p> </div> </div> <h3 id="generate-a-local-test-certificate">Generate a local test certificate </h3><p> <div class="code-switcher" id="openssl-generate-local-cert" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-generate-local-cert-selector" id="openssl-generate-local-cert-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-generate-local-cert-selector" id="openssl-generate-local-cert-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-generate-local-cert-option-0" role="tab" aria-controls="openssl-generate-local-cert-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-generate-local-cert-option-1" role="tab" aria-controls="openssl-generate-local-cert-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-generate-local-cert-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Create a local working folder</span> </span></span><span class="line"><span class="cl"><span class="nb">New-Item</span> <span class="n">-ItemType</span> <span class="n">Directory</span> <span class="n">-Path</span> <span class="p">.\</span><span class="nb">cert-lab</span> <span class="n">-Force</span> <span class="p">|</span> <span class="nb">Out-Null</span> </span></span><span class="line"><span class="cl"><span class="nb">Set-Location</span> <span class="p">.\</span><span class="nb">cert-lab</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Generate key + self-signed cert (30 days)</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">req</span> <span class="n">-x509</span> <span class="n">-newkey</span> <span class="n">rsa</span><span class="err">:</span><span class="mf">2048</span> <span class="n">-sha256</span> <span class="n">-days</span> <span class="mf">30</span> <span class="n">-nodes</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-keyout</span> <span class="n">localhost</span><span class="p">.</span><span class="py">key</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-out</span> <span class="n">localhost</span><span class="p">.</span><span class="py">crt</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-subj</span> <span class="s2">&#34;/CN=localhost&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-addext</span> <span class="s2">&#34;subjectAltName=DNS:localhost,IP:127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Quick sanity check</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="n">localhost</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-subject</span> <span class="n">-issuer</span> <span class="n">-dates</span> <span class="n">-ext</span> <span class="n">subjectAltName</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-generate-local-cert-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Create a local working folder</span> </span></span><span class="line"><span class="cl">mkdir -p ./cert-lab </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ./cert-lab </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Generate key + self-signed cert (30 days)</span> </span></span><span class="line"><span class="cl">openssl req -x509 -newkey rsa:2048 -sha256 -days <span class="m">30</span> -nodes <span class="se">\ </span></span></span><span class="line"><span class="cl"> -keyout localhost.key <span class="se">\ </span></span></span><span class="line"><span class="cl"> -out localhost.crt <span class="se">\ </span></span></span><span class="line"><span class="cl"> -subj <span class="s2">&#34;/CN=localhost&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -addext <span class="s2">&#34;subjectAltName=DNS:localhost,IP:127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Quick sanity check</span> </span></span><span class="line"><span class="cl">openssl x509 -in localhost.crt -noout -subject -issuer -dates -ext subjectAltName</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="generate-a-local-test-certificate-pfx">Generate a local test certificate pfx </h3><p>This is useful when an app, gateway, or platform expects a <code>.pfx/.p12</code> bundle.</p> <p> <div class="code-switcher" id="openssl-create-pfx" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-create-pfx-selector" id="openssl-create-pfx-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-create-pfx-selector" id="openssl-create-pfx-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-create-pfx-option-0" role="tab" aria-controls="openssl-create-pfx-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-create-pfx-option-1" role="tab" aria-controls="openssl-create-pfx-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-create-pfx-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Create Pfx Certificate file</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-export</span> <span class="n">-out</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-inkey</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">key</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">crt</span> <span class="n">-passout</span> <span class="n">pass</span><span class="err">:</span><span class="n">ChangeMe123</span><span class="p">!</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Inspect package metadata (no key output)</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-info</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-noout</span> <span class="n">-passin</span> <span class="n">pass</span><span class="err">:</span><span class="n">ChangeMe123</span><span class="p">!</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-create-pfx-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl pkcs12 -export -out ./cert-lab/localhost.pfx -inkey ./cert-lab/localhost.key -in ./cert-lab/localhost.crt -passout pass:ChangeMe123! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Inspect package metadata (no key output)</span> </span></span><span class="line"><span class="cl">openssl pkcs12 -info -in ./cert-lab/localhost.pfx -noout -passin pass:ChangeMe123!</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="inspect-certificate-details">Inspect certificate details </h3><p> <div class="code-switcher" id="openssl-inspect-cert" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-inspect-cert-selector" id="openssl-inspect-cert-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-inspect-cert-selector" id="openssl-inspect-cert-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-inspect-cert-option-0" role="tab" aria-controls="openssl-inspect-cert-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-inspect-cert-option-1" role="tab" aria-controls="openssl-inspect-cert-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-inspect-cert-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">crt</span> <span class="n">-text</span> <span class="n">-noout</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-inspect-cert-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl x509 -in ./cert-lab/localhost.crt -text -noout</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="check-expiry-and-validity-window-quickly">Check expiry and validity window quickly </h3><p> <div class="code-switcher" id="openssl-check-expiry" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-check-expiry-selector" id="openssl-check-expiry-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-check-expiry-selector" id="openssl-check-expiry-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-check-expiry-option-0" role="tab" aria-controls="openssl-check-expiry-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-check-expiry-option-1" role="tab" aria-controls="openssl-check-expiry-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-check-expiry-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Show notBefore / notAfter</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-dates</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Returns success if cert is valid for at least 30 more days (2,592,000 seconds)</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-checkend</span> <span class="mf">2592000</span> <span class="n">-noout</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="n">crt</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-check-expiry-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Show notBefore / notAfter</span> </span></span><span class="line"><span class="cl">openssl x509 -in ./cert-lab/localhost.crt -noout -dates </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Returns success if cert is valid for at least 30 more days (2,592,000 seconds)</span> </span></span><span class="line"><span class="cl">openssl x509 -checkend <span class="m">2592000</span> -noout -in ./cert-lab/localhost.crt</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="check-and-validate-a-csr">Check and validate a CSR </h3><p>Use this before submitting a request to your CA so you can catch mistakes early.</p> <p> <div class="code-switcher" id="openssl-check-csr" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-check-csr-selector" id="openssl-check-csr-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-check-csr-selector" id="openssl-check-csr-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-check-csr-option-0" role="tab" aria-controls="openssl-check-csr-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-check-csr-option-1" role="tab" aria-controls="openssl-check-csr-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-check-csr-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Full CSR details + signature verification</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">req</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">request</span><span class="p">.</span><span class="py">csr</span> <span class="n">-noout</span> <span class="n">-text</span> <span class="n">-verify</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Quick subject check</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">req</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">request</span><span class="p">.</span><span class="py">csr</span> <span class="n">-noout</span> <span class="n">-subject</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-check-csr-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Full CSR details + signature verification</span> </span></span><span class="line"><span class="cl">openssl req -in ./cert-lab/request.csr -noout -text -verify </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Quick subject check</span> </span></span><span class="line"><span class="cl">openssl req -in ./cert-lab/request.csr -noout -subject</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="decrypt-an-encrypted-private-key-remove-passphrase">Decrypt an encrypted private key (remove passphrase) </h3><p>Use this when automation or a service account needs a non-interactive key file.</p> <div class="box box-shortcode important" data-variant="important" role="note"> <span class="icon-box"> <span class="sr-only">Important</span> <svg><use href="#important-box"></use></svg> </span> <div class="box-body"> <p><strong>IMPORTANT</strong> <br> A decrypted private key is sensitive. Lock down file permissions and only use where required.</p> </div> </div> <p> <div class="code-switcher" id="openssl-decrypt-private-key" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-decrypt-private-key-selector" id="openssl-decrypt-private-key-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-decrypt-private-key-selector" id="openssl-decrypt-private-key-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-decrypt-private-key-option-0" role="tab" aria-controls="openssl-decrypt-private-key-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-decrypt-private-key-option-1" role="tab" aria-controls="openssl-decrypt-private-key-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-decrypt-private-key-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Convert encrypted key -&gt; unencrypted key (you will be prompted for the input key passphrase)</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">encrypted</span><span class="p">.</span><span class="py">key</span> <span class="n">-out</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Optional: confirm key is readable</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> <span class="n">-check</span> <span class="n">-noout</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-decrypt-private-key-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Convert encrypted key -&gt; unencrypted key (you will be prompted for the input key passphrase)</span> </span></span><span class="line"><span class="cl">openssl pkey -in ./cert-lab/encrypted.key -out ./cert-lab/private.key </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Optional: confirm key is readable</span> </span></span><span class="line"><span class="cl">openssl pkey -in ./cert-lab/private.key -check -noout</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="split-a-pfx-into-leaf-cert-chain-certs-and-private-key">Split a <code>.pfx</code> into leaf cert, chain certs, and private key </h3><p>This is one of the most common DevOps tasks when moving certs between systems.</p> <p> <div class="code-switcher" id="openssl-split-pfx" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-split-pfx-selector" id="openssl-split-pfx-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-split-pfx-selector" id="openssl-split-pfx-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-split-pfx-option-0" role="tab" aria-controls="openssl-split-pfx-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-split-pfx-option-1" role="tab" aria-controls="openssl-split-pfx-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-split-pfx-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Create output folder for split artifacts</span> </span></span><span class="line"><span class="cl"><span class="nb">New-Item</span> <span class="n">-ItemType</span> <span class="n">Directory</span> <span class="n">-Path</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span> <span class="n">-Force</span> <span class="p">|</span> <span class="nb">Out-Null</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Leaf/end-entity certificate only</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-clcerts</span> <span class="n">-nokeys</span> <span class="n">-out</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="py">crt</span> <span class="n">-passin</span> <span class="n">pass</span><span class="err">:</span><span class="n">ChangeMe123</span><span class="p">!</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># CA chain certificates (intermediate/root if present in bundle)</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-cacerts</span> <span class="n">-nokeys</span> <span class="n">-out</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">chain</span><span class="p">.</span><span class="py">crt</span> <span class="n">-passin</span> <span class="n">pass</span><span class="err">:</span><span class="n">ChangeMe123</span><span class="p">!</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Private key</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-nocerts</span> <span class="n">-nodes</span> <span class="n">-out</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> <span class="n">-passin</span> <span class="n">pass</span><span class="err">:</span><span class="n">ChangeMe123</span><span class="p">!</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Quick inspect: identify leaf vs chain by Subject/Issuer</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-subject</span> <span class="n">-issuer</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># You now have split outputs in .\cert-lab\decompiled\</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-split-pfx-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Create output folder for split artifacts</span> </span></span><span class="line"><span class="cl">mkdir -p ./cert-lab/decompiled </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Leaf/end-entity certificate only</span> </span></span><span class="line"><span class="cl">openssl pkcs12 -in ./cert-lab/localhost.pfx -clcerts -nokeys -out ./cert-lab/decompiled/leaf.crt -passin pass:ChangeMe123! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># CA chain certificates (intermediate/root if present in bundle)</span> </span></span><span class="line"><span class="cl">openssl pkcs12 -in ./cert-lab/localhost.pfx -cacerts -nokeys -out ./cert-lab/decompiled/chain.crt -passin pass:ChangeMe123! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Private key</span> </span></span><span class="line"><span class="cl">openssl pkcs12 -in ./cert-lab/localhost.pfx -nocerts -nodes -out ./cert-lab/decompiled/private.key -passin pass:ChangeMe123! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Quick inspect: identify leaf vs chain by Subject/Issuer</span> </span></span><span class="line"><span class="cl">openssl x509 -in ./cert-lab/decompiled/leaf.crt -noout -subject -issuer </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># You now have split outputs in ./cert-lab/decompiled/</span></span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="verify-that-certificate--csr--private-key-match">Verify that certificate / CSR / private key match </h3><p>The safest way is to compare a hash of each public key.</p> <p>If the hashes are the same, they belong together.</p> <p> <div class="code-switcher" id="openssl-verify-key-pairing" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-verify-key-pairing-selector" id="openssl-verify-key-pairing-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-verify-key-pairing-selector" id="openssl-verify-key-pairing-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-verify-key-pairing-option-0" role="tab" aria-controls="openssl-verify-key-pairing-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-verify-key-pairing-option-1" role="tab" aria-controls="openssl-verify-key-pairing-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-verify-key-pairing-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Cert public key fingerprint</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-pubkey</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-pubin</span> <span class="n">-outform</span> <span class="n">der</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Private key public key fingerprint</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> <span class="n">-pubout</span> <span class="n">-outform</span> <span class="n">der</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># CSR public key fingerprint</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">req</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">request</span><span class="p">.</span><span class="py">csr</span> <span class="n">-noout</span> <span class="n">-pubkey</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-pubin</span> <span class="n">-outform</span> <span class="n">der</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">sha256</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-verify-key-pairing-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Cert public key fingerprint</span> </span></span><span class="line"><span class="cl">openssl x509 -in ./cert-lab/decompiled/leaf.crt -noout -pubkey <span class="p">|</span> openssl pkey -pubin -outform der <span class="p">|</span> openssl sha256 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Private key public key fingerprint</span> </span></span><span class="line"><span class="cl">openssl pkey -in ./cert-lab/decompiled/private.key -pubout -outform der <span class="p">|</span> openssl sha256 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># CSR public key fingerprint</span> </span></span><span class="line"><span class="cl">openssl req -in ./cert-lab/request.csr -noout -pubkey <span class="p">|</span> openssl pkey -pubin -outform der <span class="p">|</span> openssl sha256</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h2 id="troubleshooting-and-issues">Troubleshooting and Issues </h2><p>Even when your commands are correct, certificate tasks can fail for non-obvious reasons. Here are the issues that come up most often.</p> <h3 id="key-values-mismatch-or-cert-wont-bind-to-service">&ldquo;Key values mismatch&rdquo; or cert won&rsquo;t bind to service </h3><p><strong>Cause:</strong> The certificate and private key are from different keypairs. <br> <strong>Fix:</strong> Compare public key fingerprints from cert and key. They must match.</p> <p> <div class="code-switcher" id="openssl-troubleshoot-key-mismatch" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-troubleshoot-key-mismatch-selector" id="openssl-troubleshoot-key-mismatch-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-troubleshoot-key-mismatch-selector" id="openssl-troubleshoot-key-mismatch-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-troubleshoot-key-mismatch-option-0" role="tab" aria-controls="openssl-troubleshoot-key-mismatch-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-troubleshoot-key-mismatch-option-1" role="tab" aria-controls="openssl-troubleshoot-key-mismatch-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-troubleshoot-key-mismatch-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-pubkey</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-pubin</span> <span class="n">-outform</span> <span class="n">der</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> <span class="n">-pubout</span> <span class="n">-outform</span> <span class="n">der</span> <span class="p">|</span> <span class="n">openssl</span> <span class="n">sha256</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-troubleshoot-key-mismatch-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl x509 -in ./cert-lab/decompiled/leaf.crt -noout -pubkey <span class="p">|</span> openssl pkey -pubin -outform der <span class="p">|</span> openssl sha256 </span></span><span class="line"><span class="cl">openssl pkey -in ./cert-lab/decompiled/private.key -pubout -outform der <span class="p">|</span> openssl sha256</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="browserapp-says-hostname-is-invalid">Browser/app says hostname is invalid </h3><p><strong>Cause:</strong> The certificate SAN does not include the hostname you&rsquo;re using. <br> <strong>Fix:</strong> Reissue cert with the correct <code>subjectAltName</code> values (DNS/IP).</p> <p>Quick check:</p> <p> <div class="code-switcher" id="openssl-troubleshoot-san" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-troubleshoot-san-selector" id="openssl-troubleshoot-san-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-troubleshoot-san-selector" id="openssl-troubleshoot-san-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-troubleshoot-san-option-0" role="tab" aria-controls="openssl-troubleshoot-san-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-troubleshoot-san-option-1" role="tab" aria-controls="openssl-troubleshoot-san-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-troubleshoot-san-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">x509</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="py">crt</span> <span class="n">-noout</span> <span class="n">-ext</span> <span class="n">subjectAltName</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-troubleshoot-san-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl x509 -in ./cert-lab/decompiled/leaf.crt -noout -ext subjectAltName</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="certificate-chain-errors-incomplete-chain--unknown-ca">Certificate chain errors (incomplete chain / unknown CA) </h3><p><strong>Cause:</strong> Only leaf cert is deployed, missing intermediate(s). <br> <strong>Fix:</strong> Deploy full chain in the order your platform expects (usually leaf + intermediate).</p> <p>Quick check:</p> <p> <div class="code-switcher" id="openssl-troubleshoot-chain" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-troubleshoot-chain-selector" id="openssl-troubleshoot-chain-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-troubleshoot-chain-selector" id="openssl-troubleshoot-chain-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-troubleshoot-chain-option-0" role="tab" aria-controls="openssl-troubleshoot-chain-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-troubleshoot-chain-option-1" role="tab" aria-controls="openssl-troubleshoot-chain-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-troubleshoot-chain-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">verify</span> <span class="n">-CAfile</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">chain</span><span class="p">.</span><span class="py">crt</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">leaf</span><span class="p">.</span><span class="n">crt</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-troubleshoot-chain-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl verify -CAfile ./cert-lab/decompiled/chain.crt ./cert-lab/decompiled/leaf.crt</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="bad-decrypt--mac-verify-failure-when-opening-pfx">&ldquo;bad decrypt&rdquo; / &ldquo;mac verify failure&rdquo; when opening <code>.pfx</code> </h3><p><strong>Cause:</strong> Wrong password, corrupted file, or incompatible encoding/transfer. <br> <strong>Fix:</strong></p> <ul> <li>Re-check password source (watch hidden whitespace)</li> <li>Re-export PFX from original source if possible</li> <li>Re-transfer file in binary-safe mode</li> </ul> <p>Quick check:</p> <p> <div class="code-switcher" id="openssl-troubleshoot-pfx-password" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-troubleshoot-pfx-password-selector" id="openssl-troubleshoot-pfx-password-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-troubleshoot-pfx-password-selector" id="openssl-troubleshoot-pfx-password-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-troubleshoot-pfx-password-option-0" role="tab" aria-controls="openssl-troubleshoot-pfx-password-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-troubleshoot-pfx-password-option-1" role="tab" aria-controls="openssl-troubleshoot-pfx-password-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-troubleshoot-pfx-password-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-info</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">localhost</span><span class="p">.</span><span class="py">pfx</span> <span class="n">-noout</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-troubleshoot-pfx-password-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl pkcs12 -info -in ./cert-lab/localhost.pfx -noout</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="unable-to-load-private-key">&ldquo;unable to load private key&rdquo; </h3><p><strong>Cause:</strong> Wrong file format, encrypted key without passphrase provided, or key file damage. <br> <strong>Fix:</strong></p> <ul> <li>Try reading with <code>openssl pkey -in ...</code></li> <li>Convert to PKCS#8 if needed</li> <li>Confirm the file begins with a valid PEM header (for PEM files)</li> </ul> <p>Quick check:</p> <p> <div class="code-switcher" id="openssl-troubleshoot-load-key" data-code-switcher="2" data-code-switch-copy="true"><input type="radio" name="openssl-troubleshoot-load-key-selector" id="openssl-troubleshoot-load-key-option-0" class="code-switcher__input" checked><input type="radio" name="openssl-troubleshoot-load-key-selector" id="openssl-troubleshoot-load-key-option-1" class="code-switcher__input"><div class="code-switcher__header"> <div class="code-switcher__controls-wrapper"> <div class="code-switcher__controls" role="tablist" aria-label="Code example language tabs"><label class="code-switcher__label" for="openssl-troubleshoot-load-key-option-0" role="tab" aria-controls="openssl-troubleshoot-load-key-panel-0" aria-selected="true" tabindex="0"> <span class="code-switcher__label-title">PowerShell</span></label><label class="code-switcher__label" for="openssl-troubleshoot-load-key-option-1" role="tab" aria-controls="openssl-troubleshoot-load-key-panel-1" aria-selected="false" tabindex="-1"> <span class="code-switcher__label-title">Bash</span></label></div> </div> <button type="button" class="code-switcher__copy" data-code-switch-copy data-copy-label="Copy" data-copied-label="Copied!" data-error-label="Error" aria-label="Copy current code example"> Copy </button> <span class="code-switcher__sr-only" data-code-switch-status aria-live="polite"></span> </div> <div class="code-switcher__panels"><div class="code-switcher__panel" id="openssl-troubleshoot-load-key-panel-0" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">openssl</span> <span class="n">pkey</span> <span class="n">-in</span> <span class="p">.\</span><span class="nb">cert-lab</span><span class="p">\</span><span class="n">decompiled</span><span class="p">\</span><span class="n">private</span><span class="p">.</span><span class="py">key</span> <span class="n">-check</span> <span class="n">-noout</span></span></span></code></pre></td></tr></table> </div> </div></div><div class="code-switcher__panel" id="openssl-troubleshoot-load-key-panel-1" role="tabpanel"ZgotmplZ><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl pkey -in ./cert-lab/decompiled/private.key -check -noout</span></span></code></pre></td></tr></table> </div> </div></div></div> </div></p> <h3 id="csr-looks-fine-but-issued-cert-is-still-wrong">CSR looks fine but issued cert is still wrong </h3><p><strong>Cause:</strong> CA template/profile overrides CSR fields (common in enterprise PKI). <br> <strong>Fix:</strong> Validate both sides:</p> <ul> <li>inspect CSR before submission</li> <li>inspect issued cert after issuance</li> <li>compare SAN/subject/key usage/extended key usage</li> </ul> <h2 id="wrap-up">Wrap Up </h2><p>OpenSSL covers a lot of ground, but most day-to-day certificate work comes down to a small set of commands you&rsquo;ll reach for repeatedly — inspecting certs, checking expiry, exporting to <code>.pfx</code>, splitting bundles, and verifying key pairs.</p> <p>The <code>cert-lab</code> setup at the start of this guide gives you a safe place to practice all of it without touching production certificates. Run through the commands, break things intentionally, and get comfortable reading the output before you need it under pressure.</p> <p>A few things worth keeping in mind:</p> <ul> <li>Always verify a cert/key pair matches before deploying</li> <li>Check SANs match the hostname your service is actually using</li> <li>When in doubt about a chain error, <code>openssl verify</code> is your first stop</li> <li>Decrypted private keys need tight file permissions — treat them like passwords</li> </ul> <p>If you hit an error not covered here, the output from <code>openssl ... -text -noout</code> usually gives you enough to work with.</p>