Master SSL Certificate Formats and OpenSSL Commands: A Hands‑On Guide
This tutorial explains the differences between PEM and DER certificate formats, lists common file extensions, and provides step‑by‑step OpenSSL commands for generating a CA key, creating CSRs, signing certificates, converting formats, and verifying the results.
There are two main types of certificate files: a Base64 (ASCII) text format, commonly known as PEM (extensions .pem, .crt, .key), and a binary format, commonly known as DER (extensions .der, .cer). Linux typically uses .crt files while Windows uses .cer files.
X.509 – a universal certificate format containing the holder’s public key and algorithm information.
PKCS#1 ~ PKCS#12 – standards for public‑key cryptography; files are usually stored with extensions like .p12, which bundles certificates and keys.
*.der – binary storage format for certificates (rarely used).
*.pem – Base64‑encoded text storage for certificates or keys; can store a certificate, a key, or both.
*.key – PEM‑formatted private key, typically saved with the .key extension.
*.cer / *.crt – both refer to certificates; Linux calls them .crt, Windows calls them .cer; the underlying storage can be PEM or DER.
*.csr – Certificate Signing Request, containing information such as country, email, domain, etc.
*.pfx – Microsoft IIS implementation.
*.jks – Java keytool implementation. openssl genrsa -out ca.key 2048 Generate a CA private key (extension can be .pem or .key). openssl req -new -key ca.key -out ca.csr Generate a CA certificate signing request; you will be prompted for basic information.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crtAfter these three steps you will have three files in the directory:
ca.key<br/>ca.csr<br/>ca.crtCommon Certificate Operations
# View certificate serial number
openssl x509 -in ca.crt -noout -serial
# Print subject name in RFC2253 format
openssl x509 -in ca.crt -noout -subject
# Print MD5 fingerprint
openssl x509 -in ca.crt -noout -fingerprint
# Print SHA1 fingerprint
openssl x509 -sha1 -in ca.crt -noout -fingerprintFormat Conversion
Certificate format conversion is essentially a conversion of encoding, such as between DER and PEM.
PEM to DER:
openssl x509 -inform pem -in certificate.pem -outform der -out certificate.derDER to PEM:
openssl x509 -inform der -in certificate.der -outform pem -out certificate.pemGenerate a server certificate signing request:
openssl req -new -key server.key -out server.csrSign the server certificate using the previously created CA:
openssl x509 -req -days 3000 -sha1 -extensions v3_req -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt-CA: path to the CA certificate
-CAkey: path to the CA private key
-CAserial: path to the certificate serial number file
-CAcreateserial: create a serial number file (default name ends with .srl)
Verify the issued certificate:
openssl verify -CAfile ca.crt server.crt
# server.crt: OKSigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.