Archive for March, 2025

How to convert .p12 ssl certificate to .pem with openssl command

Friday, March 21st, 2025

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

Privacy-Enhanced Mail (PEM) is a de facto file format for storing and sending cryptographic keys, certificates, and other data, based on a set of 1993 IETF standards defining "privacy-enhanced mail." While the original standards were never broadly adopted and were supplanted by PGP and S/MIME, the textual encoding they defined became very popular. The PEM format was eventually formalized by the IETF in RFC 7468.

If you already have a .P12 certificate password signed provided by someone and you need to convert it a .PEM, this can be done like so:

To convert .p12 certificate :

# Initialize variable
cert_p12_in=your-domain-name-cert.p12
cert_p12_pass='XXXZZZYYYPPPQQQ'
cert_pem_out=your-domain-name-cert.pem
 
 
# Extract the private key
openssl pkcs12 -in $cert_p12_in -nocerts -nodes -passin "pass:$cert_p12_pass" 2>/dev/null | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > $cert_pem_out
 
# Extract the certificate
openssl pkcs12 -in $cert_p12_in -clcerts -nokeys -passin "pass:$cert_p12_pass" 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $cert_pem_out
 
# Extract the Chain certificate, potentially nothing
openssl pkcs12 -in $cert_p12_in -cacerts -nokeys -chain  -passin "pass:$cert_p12_pass" 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $cert_pem_out
 
# Display the result
cat $cert_pem_out

That's all you should have the .p12 to .pem successfully converted.
Cheers ! 🙂

Howto Verify an SSL certificate and it private key do match

Monday, March 17th, 2025

Howto Verify an SSL certificate and it's private key do match ?

ssl-verify-pem-and-key-certificate-howto

 

In this article I'll show you how can you verify SSL generated certificate match with its private key. This is mostly useful as sometimes installing signed SSL certfificates might mismatch the key and the result is an SSL mismatch that prevents the supposed encryption of the service from end user to the service to work as expected.
 
I assume you already have properly issued and signed SSL certificate and the private key you used to issue the certificate as well as the entire certificate chain CA and root CA, as well as the certificate.

Requirements

You must have the following item :

  • the signed SSL certificate
  • the certificate's private key
  • the entire certification chain (intermediate CA and root CA)

1. Procedure to verify certificate .crt and .key file match

The following procedures can be used to ensure the given certificate/private key are valid.

Private key verification

  • compute the private key modulus

 

$ openssl rsa -in  certificate.key -modulus -noout | openssl md5

(stdin)= e5220727Acc5396139823018773d55db

 

  • compute the certificate modulus

 

$ openssl x509 – in   certificate.crt -modulus -noout | openssl md5 (stdin)= e5220727Acc5396139823018773d55db

 

  • the private key and certificate modulus md5 must match


How to verify Private key verification (one liner command)

The following command should return 'OK'

 

$ [[  "$(openssl rsa -in your_company_private_key.key -modulus -noout | openssl md5)"   ==  "$(openssl x509 -in and_your_company_private_key.crt -modulus -noout | openssl md5)"   ]] && echo OK || echo NOK

 

2. CA (Certificate Authority)  chain verification

Execute the following command, The certificate.ca should contains the entire CA chain (intermediate CA + root CA)

 

$ openssl verify -CAfile certificate_file.ca certificate.crt: OK

 

3. Expiry date verification of SSL certificate

 

$ openssl x509 – in   certificate_file.crt -noout -startdate -enddate

 

4. Verify the expiry date of a running web service online or in private net

 

$ openssl s_client -connect your-remote-service.com:443 2> /dev/null  | openssl x509 -noout -startdate -enddate

notBefore=Oct 5 00:15:00 2024 GMT
notAfter=Oct 18 23:59:59 2026 GMT

 

If the service provide several certificate with SNI you should use this command to get back the good certificate. You have to set the subject certificate you want to get back

 

$ openssl s_client -connect www.your-remote-service.com:443 -servername srv.your-remote-service.com 2> /dev/null

| openssl x509 -noout -startdate -enddate

notBefore=Oct 5 00:15:00 2024 GMT
notAfter=Oct 18 23:59:59 2026 GMT

 

Sum up what learned ?

In this short article we learned how to verify .crt and and .key file does match, how to do a chain verification of SSL cert, how to check the expire date of a certificate, as well as how to use the openssl command to verify whether installed certificate on a web service is set and working.