After you have applied for a personal or a host certificate, you may need to export the bundle from your browser and convert them into a different format. For example, to be able to use them in tools like GSI-SSH in order to authenticate yourself to the grid, and also to be able to install your host certificate into the host which you will be administering.
You will need to use openssl commands after you export your personal/host certificate bundle from your browser to convert them into different formats like “.pem” files.
Here are some useful openssl commands for managing certificates using the OpenSSL toolkit which is available on most platforms.
Converting a p12 / pfx bundle to a user certificate and private key file¶
openssl pkcs12 -clcerts -nokeys -out usercert.pem -in cert.p12 openssl pkcs12 -nocerts -out userkey.pem -in cert.p12
Please remember after doing this to protect your keys by running chmod 644 usercert.pem and chmod 400 userkey.pem.
Converting a p12 / pfx bundle to a server/service certificate and private key file¶
openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in cert.p12 openssl pkcs12 -nocerts -nodes -out hostkey.pem -in cert.p12
Please remember after doing this to protect your keys by running chmod 644 hostcert.pem and chmod 400 hostkey.pem
Convert a certificate and private key file into a p12 bundle e.g. for importing into a browser¶
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "name for certificate"
To remove the passphrase of a server/service private key in PEM format (note that this should only be done on server/service certificates - user certificates must always be protected by a passphrase)
openssl rsa -in hostkey.pem -out hostkey.pem
Add a passphrase to a host private key
openssl rsa -in hostkey.pem -out hostkey.pem -des3
Checking whether a certificate is valid¶
If you have the certificate loaded into a browser, you can go to the CA Portal’s Login page and it will show the status of your certificate (if valid).
Alternatively, if you are on a system with the an up-to-date installation of the CA information in (typically) /etc/grid-security/certificates, you can test your certificate like this:
openssl verify -CApath /etc/grid-security/certificates usercert.pem
Extracting information from a certificate¶
Display the Distinguished Name (DN) from a public key in PEM format
openssl x509 -in usercert.pem -noout -subject | sed 's/^subject=//'
Display the contents of a private key in PEM format
openssl des -in userkey.pem -noout -text
Display the Distinguished Name (DN) of a p12 file
openssl pkcs12 -in cert.p12 -nokeys -clcerts | openssl x509 -noout -subject | sed 's/^subject=//'
Extracting information from other objects
Display the contents of a Certificate Revocation List (CRL) in DER format
openssl crl -inform der -noout -text < importCRL
Check whether a certificate and a private key match¶
Perhaps surprisingly, the private key contains the public key, as does the certificate. This example shows a host certificate but of course it works for all certificates:
openssl rsa -in hostkey.pem -pubout openssl x509 -in hostcert.pem -pubkey -noout
Now compare the public key blocks printed - do they look the same? In more advanced Unix shells like bash and zsh, you can do it in one line:
diff -qs <(openssl rsa -in hostkey.pem -pubout) <(openssl x509 -in hostcert.pem -pubkey -noout)
It will put the pubkeys into temporary files, compare them, and tell you whether they differ or not.