Information Security 7 min read

Master SSL/TLS Certificates: Formats, Generation & OpenSSL Commands

This guide explains common certificate formats (PEM, DER, CRT, CER), shows how to generate a CA key, CSR, and signed certificate with OpenSSL, demonstrates format conversions, and provides commands for inspecting and verifying certificates, all essential for secure operations.

Raymond Ops

Certificate Formats Overview

Certificates can be stored either as Base64‑encoded text (PEM) or as binary data (DER). PEM files can be read and edited in a text editor and commonly use extensions such as <code>.pem</code>, <code>.crt</code>, and <code>.key</code>. DER files are binary and use extensions like <code>.der</code> or <code>.cer</code>.

Base64 (ASCII) format – e.g., PEM, with extensions <code>.pem</code>, <code>.crt</code>, <code>.key</code>.

Binary format – e.g., DER, with extensions <code>.der</code>, <code>.cer</code>.

Linux typically uses <code>.crt</code>, while Windows uses <code>.cer</code>. The extension is only a convention: a <code>.crt</code> or <code>.cer</code> file may hold either encoding, so check the content rather than trusting the name.

Key Terminology

X.509: The universal certificate format; a certificate carries the subject's public key and the algorithm information that goes with it.

PKCS#1 through PKCS#12: A family of public‑key cryptography standards; PKCS#12 files usually end with <code>.p12</code> (a container holding a certificate together with its private key).

.der: Binary storage format for certificates (less common).

.pem: Base64 text storage for certificates or keys; one file can hold a certificate, a key, or both.

.key: PEM‑encoded private key file.

.cer / .crt: Certificate files; Linux calls them <code>.crt</code>, Windows calls them <code>.cer</code>; the content may be PEM or DER.

.csr: Certificate Signing Request containing the subject information (country, email, domain, etc.) and the public key to be certified.

.pfx: Microsoft IIS certificate container (a PKCS#12 file).

.jks: Java KeyStore format used by <code>keytool</code>.

Generating a CA Certificate with OpenSSL

<code>openssl genrsa -out ca.key 2048</code>

Creates a 2048‑bit RSA private key (<code>ca.key</code>).

<code>openssl req -new -key ca.key -out ca.csr</code>

Generates a Certificate Signing Request (<code>ca.csr</code>) and prompts for basic information.

<code>openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt</code>

Self‑signs the CSR to produce a CA certificate (<code>ca.crt</code>). After these steps you have three files: <code>ca.key</code>, <code>ca.csr</code>, and <code>ca.crt</code>.

Common Certificate Operations

<code># View certificate serial number
openssl x509 -in ca.crt -noout -serial
# Print subject in RFC2253 format (-nameopt selects the output format)
openssl x509 -in ca.crt -noout -subject -nameopt RFC2253
# Show MD5 fingerprint (only useful for matching legacy tool output; MD5 is collision-broken)
openssl x509 -md5 -in ca.crt -noout -fingerprint
# Show SHA1 fingerprint (the default digest when none is given)
openssl x509 -sha1 -in ca.crt -noout -fingerprint
# Show SHA-256 fingerprint (preferred for pinning and comparison)
openssl x509 -sha256 -in ca.crt -noout -fingerprint</code>

Format Conversion

Convert between PEM and DER formats:

<code># PEM to DER
openssl x509 -inform pem -in certificate.pem -outform der -out certificate.der
# DER to PEM
openssl x509 -inform der -in certificate.der -outform pem -out certificate.pem</code>
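As an added example that is not part of the original article (it assumes only the openssl CLI and builds its own throwaway certificate), the script below applies the format overview, the fingerprint commands and the conversion section together: it decides PEM or DER from the file content instead of the extension, converts in both directions, and checks that the conversion is lossless by comparing the SHA-256 fingerprint and the DER bytes. That lossless property is what matters when a certificate moves between a Linux <code>.crt</code> and a Windows <code>.cer</code>.

```shell
#!/bin/sh
# Added example (not part of the original article): tell PEM from DER by
# content rather than by file extension, convert between them, and prove the
# conversion is lossless by comparing SHA-256 fingerprints and DER bytes.
# Assumes the openssl CLI is on PATH; file names below are constructed.

# Print PEM, DER or UNKNOWN for the certificate file given as $1.
cert_format() {
    # PEM is Base64 text wrapped in an armour header.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
        return 0
    fi
    # DER starts with the ASN.1 SEQUENCE tag 0x30; confirm it really parses,
    # since other binary files (raw keys, PKCS#12) start with 0x30 as well.
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ] && openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1; then
        echo DER
        return 0
    fi
    echo UNKNOWN
    return 1
}

# Conversions: PEM -> DER and DER -> PEM ($1 input, $2 output).
pem_to_der() { openssl x509 -inform pem -in "$1" -outform der -out "$2"; }
der_to_pem() { openssl x509 -inform der -in "$1" -outform pem -out "$2"; }

# SHA-256 fingerprint of a certificate; $1 is the input form (pem or der).
fingerprint() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Round trip PEM -> DER -> PEM -> DER and compare the two DER encodings
# byte for byte; prints OK or MISMATCH and returns 0 or 1 accordingly.
roundtrip_check() {
    t="${TMPDIR:-/tmp}/rt.$$"
    pem_to_der "$1" "$t.der" && der_to_pem "$t.der" "$t.pem" && pem_to_der "$t.pem" "$t.der2"
    if cmp -s "$t.der" "$t.der2"; then result=OK; rc=0; else result=MISMATCH; rc=1; fi
    rm -f "$t.der" "$t.pem" "$t.der2"
    echo "$result"
    return $rc
}

# Demo input: a throwaway self-signed certificate (constructed, not a real CA).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

demo="${TMPDIR:-/tmp}/fmt-demo.$$"
mkdir -p "$demo"
make_demo_cert "$demo/demo"
pem_to_der "$demo/demo.pem" "$demo/demo.der"
echo "demo.pem is $(cert_format "$demo/demo.pem"), demo.der is $(cert_format "$demo/demo.der")"
echo "PEM fingerprint: $(fingerprint pem "$demo/demo.pem")"
echo "DER fingerprint: $(fingerprint der "$demo/demo.der")"
echo "round trip: $(roundtrip_check "$demo/demo.pem")"
rm -rf "$demo"
```

The detection deliberately parses a candidate DER file with <code>openssl x509</code> rather than trusting the first byte alone, because private keys and PKCS#12 bundles also begin with an ASN.1 SEQUENCE; a PEM private key is reported as UNKNOWN since its armour header is not a certificate header.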

Signing a Server Certificate with the CA

<code>openssl req -new -key server.key -out server.csr</code>

Creates a CSR for the server; <code>server.key</code> must already exist, generated with <code>openssl genrsa</code> in the same way as <code>ca.key</code>.

<code># -sha256 replaces the original -sha1: SHA-1 signatures are rejected by current browsers
# -extensions names a section inside the file given with -extfile; without -extfile it is
# ignored and the certificate gets no extensions (for example no subjectAltName)
openssl x509 -req -days 3000 -sha256 -extensions v3_req \
    -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial \
    -in server.csr -out server.crt</code>

Key options:

-CA: Path to the CA certificate.

-CAkey: Path to the CA private key.

-CAserial: Path to the serial number file.

-CAcreateserial: Creates a new serial file if it does not exist (default name ends with <code>.srl</code>).

Certificate Verification

<code>openssl verify -CAfile ca.crt server.crt
# Expected output: server.crt: OK</code>
Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
