Master SSL/TLS Certificates: Formats, Generation & OpenSSL Commands
This guide explains common certificate formats (PEM, DER, CRT, CER), shows how to generate a CA key, CSR, and signed certificate with OpenSSL, demonstrates format conversions, and provides commands for inspecting and verifying certificates, all essential for secure operations.
Certificate Formats Overview
Certificates can be stored either as Base64‑encoded text (PEM) or as binary data (DER). PEM files are editable with a text editor and commonly use extensions such as .pem, .crt, and .key. DER files are binary and use extensions like .der or .cer.
Base64 (ASCII) format – e.g., PEM, with extensions .pem, .crt, .key.
Binary format – e.g., DER, with extensions .der, .cer.
Linux typically uses .crt, while Windows uses .cer.
Key Terminology
X.509 : A universal certificate format containing the public key and algorithm information.
PKCS#1 through PKCS#12 : The Public-Key Cryptography Standards; PKCS#12 files usually end with .p12 and bundle a certificate together with its private key.
.der : Binary storage format for certificates (less common).
.pem : Base64 text storage for certificates or keys; can hold either separately or together.
.key : PEM‑encoded private key file.
.cer / .crt : Certificate files; Linux calls them .crt, Windows calls them .cer; format may be PEM or DER.
.csr : Certificate Signing Request containing subject information (country, email, domain, etc.).
.pfx : Microsoft IIS certificate container.
.jks : Java KeyStore format used by keytool.
Generating a CA Certificate with OpenSSL
openssl genrsa -out ca.key 2048
Creates a 2048‑bit private key (ca.key).
openssl req -new -key ca.key -out ca.csr
Generates a Certificate Signing Request (ca.csr) and prompts for basic information.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Self‑signs the CSR to produce a CA certificate (ca.crt). After these steps you have three files: ca.key, ca.csr, and ca.crt.
Common Certificate Operations
# View certificate serial number
openssl x509 -in ca.crt -noout -serial
# Print subject in RFC2253 format (-nameopt selects the RFC2253 layout; without it the default one-line form is used)
openssl x509 -in ca.crt -noout -subject -nameopt RFC2253
# Show MD5 fingerprint (-md5 selects the digest; MD5 is legacy and not collision-resistant)
openssl x509 -md5 -in ca.crt -noout -fingerprint
# Show SHA1 fingerprint
openssl x509 -sha1 -in ca.crt -noout -fingerprint
Format Conversion
Convert between PEM and DER formats:
# PEM to DER
openssl x509 -inform pem -in certificate.pem -outform der -out certificate.der
# DER to PEM
openssl x509 -inform der -in certificate.der -outform pem -out certificate.pem
Signing a Server Certificate with the CA
openssl req -new -key server.key -out server.csr
Creates a CSR for the server.
# -sha1 follows the source; modern clients reject SHA-1 signatures, so -sha256 is the current choice.
# -extensions v3_req only takes effect together with -extfile pointing at a config file that defines that section.
openssl x509 -req -days 3000 -sha1 -extensions v3_req \
-CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial \
-in server.csr -out server.crt
Key options:
-CA : Path to the CA certificate.
-CAkey : Path to the CA private key.
-CAserial : Path to the serial number file.
-CAcreateserial : Creates a new serial file if none exists (default name is the CA certificate file name with .srl appended, e.g. ca.srl).
Certificate Verification
openssl verify -CAfile ca.crt server.crt
# Expected output: server.crt: OK
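The whole chain from this guide (CA key and certificate, server CSR, CA-signed server certificate, verification) as an added example that is not the article's own command set: it runs non-interactively with -subj so it can be scripted, and adds a negative check (an unrelated CA must not validate the server certificate). The subject names, the host name example.test, and the -extfile used so that -extensions v3_req actually takes effect are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: its CA -> CSR -> CA-signed server chain run
# non-interactively in a scratch directory and checked with `openssl verify`. Assumed by me:
# the subject names, host name example.test, and an -extfile so that -extensions takes effect.
set -eu

# make_ca DIR CN : private key plus self-signed CA certificate (DIR/ca.key, DIR/ca.crt).
# `req -x509` merges the article's genrsa/req/x509 trio into one CSR-less self-signature.
make_ca() {
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -batch -key "$1/ca.key" -days 365 -sha256 \
        -subj "/CN=$2" -out "$1/ca.crt"
}

# build_chain DIR : CA plus a server key, CSR and CA-signed certificate under DIR.
build_chain() {
    make_ca "$1" "Example Test CA"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -batch -key "$1/server.key" -subj "/CN=example.test" \
        -out "$1/server.csr"
    # Extension section named by -extensions; without -extfile the section name alone
    # is ignored, and the leaf would carry neither a SAN nor basicConstraints CA:FALSE.
    printf '[v3_req]\nsubjectAltName=DNS:example.test\nbasicConstraints=CA:FALSE\n' \
        > "$1/v3.cnf"
    openssl x509 -req -days 365 -sha256 -extfile "$1/v3.cnf" -extensions v3_req \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}

# verify_against CAFILE CERT : exit 0 if CERT chains to CAFILE, non-zero otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT NAME : exit 0 if CERT lists DNS:NAME in its subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
# Stand-alone run: the article's positive check plus a negative one
# (an unrelated CA must not validate the server certificate).
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    build_chain "$WORK"
    verify_against "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt: OK"
    make_ca "$WORK/other" "Unrelated Test CA"
    verify_against "$WORK/other/ca.crt" "$WORK/server.crt" || echo "unrelated CA: rejected"
    rm -rf "$WORK"
fi
```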
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.