The Comprehensive Guide to OpenSSL: Certificates and Keys

Master OpenSSL for certificate and key management. Learn about self-signed certificates, CSR generation, format conversion (PEM, DER, P12), and SSL decoding with our OpenSSL cheat sheet.

2026-04-12

OpenSSL is the Swiss Army knife of cryptography. Whether you are generating a new SSL certificate for your website, converting a key between different formats, or debugging a certificate chain issue, OpenSSL is the tool you will use. However, its command-line interface is notoriously complex.

This guide provides a clear path through the most common OpenSSL tasks, from generating your first self-signed certificate to performing advanced conversions.


1. Generating Certificates and Requests

Before you can have a certificate, you need to generate a key and often a Certificate Signing Request (CSR).

CSR Generator Online

While a CSR generator online is a quick way to create a request, it's safer to generate it locally so your private key never leaves your server. A CSR contains information about your organization and the public key you want to have signed by a Certificate Authority (CA).

Self-Signed Certificate Generator

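For internal testing or staging environments, a self-signed certificate generator is often sufficient. It produces a certificate that public browsers do not trust, but the encryption it provides is the same as with a CA-issued certificate. What is missing is third-party verification of the server's identity, so clients have to be configured to trust the certificate explicitly.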

OpenSSL Cheat Sheet: Key Generation

  • Generate an RSA Private Key: openssl genrsa -out private.key 2048
  • Generate a CSR: openssl req -new -key private.key -out request.csr
  • Generate a Self-Signed Certificate: openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt

2. Format Conversion

Different platforms and servers require different certificate formats.

PEM to DER and DER to PEM Converter

  • PEM: The most common format, usually .crt or .pem. It's base64-encoded and contains text like -----BEGIN CERTIFICATE-----.
  • DER: A binary representation of the certificate, often used by Java or specialized hardware.

OpenSSL Cheat Sheet: Conversion Commands

  • PEM to DER converter: openssl x509 -in cert.pem -outform der -out cert.der
  • DER to PEM converter: openssl x509 -in cert.der -inform der -out cert.pem

PKCS#12 to PEM Converter

Windows and some enterprise systems use the PKCS#12 (.p12 or .pfx) format, which bundles the certificate and the private key into a single, password-protected file.

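  • PKCS#12 to PEM converter: openssl pkcs12 -in cert.p12 -out cert.pem -nodes

The -nodes option writes the private key into cert.pem unencrypted, so restrict that file's permissions as you would for any private key. OpenSSL 3.0 and later call this option -noenc and keep -nodes as a deprecated alias.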

3. Debugging and Validation

Nothing is more frustrating than an "Invalid Certificate" error. Tools for decoding and checking your certificates are essential.

SSL Certificate Decoder

An SSL certificate decoder allows you to read the human-readable details of a certificate file.

  • View certificate info: openssl x509 -in certificate.crt -text -noout
  • View CSR info: openssl req -in request.csr -text -noout

Certificate Chain Checker

A certificate chain checker ensures that your server is serving the full chain, including intermediate certificates. If the chain is broken, mobile devices and some browsers will show a security warning.

  • Verify a local file: openssl verify -CAfile ca-bundle.crt certificate.crt
  • Check a remote server: openssl s_client -connect google.com:443 -servername google.com -showcerts
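
The script below is an added example, not part of the original guide. It runs the cheat-sheet commands end to end and then goes one step beyond them: it checks that the key, the CSR, the certificate and the key extracted from the PKCS#12 bundle all carry the same public key, and that PEM/DER conversion leaves the certificate fingerprint unchanged. The CN, the PKCS#12 password and the helper names (pubkey_fp, cert_fp, make_demo) are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. File names follow the cheat sheet; the CN, the PKCS#12
# password and the helper names are constructed for this demo.
set -eu
umask 077   # files below are created readable by the owner only

# SHA-256 of the public key inside a private key, CSR or certificate (PEM).
pubkey_fp() {   # usage: pubkey_fp key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the certificate itself, read as PEM or DER.
cert_fp() {     # usage: cert_fp pem|der FILE
  openssl x509 -in "$2" -inform "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Key -> CSR -> self-signed cert -> DER -> PEM -> PKCS#12 -> extracted key.
make_demo() {   # usage: make_demo DIR
  d=$1
  openssl genrsa -out "$d/private.key" 2048 2>/dev/null
  openssl req -new -key "$d/private.key" -subj "/CN=demo.internal.example" \
    -out "$d/request.csr"
  openssl x509 -req -days 365 -in "$d/request.csr" -signkey "$d/private.key" \
    -out "$d/certificate.crt" 2>/dev/null
  openssl x509 -in "$d/certificate.crt" -outform der -out "$d/cert.der"
  openssl x509 -in "$d/cert.der" -inform der -out "$d/roundtrip.pem"
  openssl pkcs12 -export -inkey "$d/private.key" -in "$d/certificate.crt" \
    -passout pass:constructed-demo -out "$d/cert.p12"
  # -nodes writes the key unencrypted; the umask above limits who can read it.
  openssl pkcs12 -in "$d/cert.p12" -passin pass:constructed-demo -nodes \
    -nocerts -out "$d/from-p12.key"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_demo "$work"
for pair in key:private.key csr:request.csr cert:certificate.crt key:from-p12.key; do
  printf '%-5s %-16s %s\n' "${pair%%:*}" "${pair#*:}" \
    "$(pubkey_fp "${pair%%:*}" "$work/${pair#*:}")"
done
echo "PEM  $(cert_fp pem "$work/certificate.crt")"
echo "DER  $(cert_fp der "$work/cert.der")"
```

All four public-key hashes should be identical, and so should the two certificate fingerprints. A differing hash means the certificate was issued for another key, which is a common cause of a server refusing to load its certificate.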

4. Summary

OpenSSL is a powerful but intimidating tool. By using our OpenSSL cheat sheet and understanding the common tasks like PEM to DER conversion or CSR generation, you can confidently manage the security infrastructure of any modern web application.

Always remember to keep your private keys private, use strong algorithms (like RSA 2048+ or ECC), and verify your certificate chains before deploying to production.