Working with Certificates and Keys

Certificate Authorities

Verify a certificate has been signed by a CA
openssl verify -CAfile "{path_to_ca}" "{path_to_cert}"

Truststores (.p12)

View contents of a .p12
$> keytool -list -v -keystore cert.p12 -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SUN
...
Extract private key from .p12
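# -nodes writes the key unencrypted (OpenSSL 3.x also accepts -noenc); restrict access to key.pem.
# "openssl rsa" only handles RSA keys.
openssl pkcs12 -in "{keystore_path}" -nodes -nocerts | openssl rsa -out "key.pem"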
Extract certificate from .p12
keytool -exportcert -keystore "{keystore_path}" -alias "{alias_of_cert}" -file "cert.der"
openssl x509 -inform DER -outform PEM -in "cert.der" -out "cert.pem"
rm -f cert.der
Extract certificate authority (CA) from .p12
# This is exactly the same as extracting a regular certificate from a .p12; you just need to know the alias of the CA cert.
keytool -exportcert -keystore "{keystore_path}" -alias "{alias_of_ca}" -file "ca.der"
openssl x509 -inform DER -outform PEM -in "ca.der" -out "ca.pem"
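
Added example (not part of the original page): after extracting key.pem and cert.pem from a .p12, check that the key belongs to the certificate and that the certificate chains to the expected CA and not to an unrelated one. The script builds throwaway CAs, a leaf and a .p12 in a temp directory; the function names, file names and the password `changeit` are constructed, and `openssl pkcs12 -nokeys` stands in for keytool in the certificate step.

```shell
#!/bin/sh
# Added example. Every file is throwaway test material; the names and the
# password "changeit" are constructed for this demonstration.

# True when the certificate chains to the given CA (the page's verify command).
signed_by() {            # usage: signed_by ca.pem cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the private key and the certificate hold the same public key.
# A file that cannot be parsed is a failure, never a match.
key_matches_cert() {     # usage: key_matches_cert key.pem cert.pem
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Build two unrelated test CAs, a leaf signed by the first, and a .p12,
# then extract key.pem and cert.pem from the .p12 with openssl.
make_fixture() {         # usage: make_fixture directory
    ( cd "$1" && umask 077 &&
      for ca in ca other; do
          openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
              -subj "/CN=$ca test CA" -keyout "$ca.key" -out "$ca.pem" || exit 1
      done &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
          -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.pem &&
      openssl pkcs12 -export -inkey leaf.key -in leaf.pem -name leaf \
          -passout pass:changeit -out cert.p12 &&
      openssl pkcs12 -in cert.p12 -passin pass:changeit -nodes -nocerts |
          openssl rsa -out key.pem &&
      openssl pkcs12 -in cert.p12 -passin pass:changeit -nokeys |
          openssl x509 -out cert.pem
    ) >/dev/null 2>&1
}

work=$(mktemp -d) && make_fixture "$work" || exit 1
signed_by "$work/ca.pem" "$work/cert.pem" && echo "cert.pem chains to ca.pem"
signed_by "$work/other.pem" "$work/cert.pem" || echo "cert.pem rejected under other.pem"
key_matches_cert "$work/key.pem" "$work/cert.pem" && echo "key.pem matches cert.pem"
key_matches_cert "$work/other.key" "$work/cert.pem" || echo "other.key does not match cert.pem"
rm -rf "$work"
```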

Generating RSA Keys

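# Unencrypted 2048-bit RSA private key
openssl genrsa -out "{priv_key_path}" 2048
# Same key size, encrypted with 3DES. The pass: form exposes the password to the process list and shell history.
openssl genrsa -des3 -out "{priv_key_path}" -passout "pass:{password}" 2048

# Derive the RSA 2048 public key from the private key (-passin is only needed when the key is encrypted)
openssl rsa -in "{priv_key_path}" -outform PEM -passin "pass:{password}" -pubout -out "{pub_key_path}"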