I often find myself needing to take a certificate or keystore and do stuff to it. Either turning it into a different format, extracting something, updating something, etc. I decided to make this reference doc to include every command that might be needed to do stuff with an SSL cert.
Source Format: BASE64
For use when you have a base64 pem/crt/cer file and/or a private key, and need to turn it into other stuff.
Encrypt/Decrypt Private Key
Encrypt with OpenSSL:
openssl rsa -aes256 -in <decrypted key> -out <encrypted key>
Decrypt with OpenSSL:
openssl rsa -in <encrypted key> -out <decrypted key>
Create PFX/PKCS12 Keystore/Truststore
Create keystore (cert + key) with OpenSSL:
openssl pkcs12 -export -out <pfx keystore file>.pfx -inkey <private key file> -in <certificate file>
Create truststore (cert only) with OpenSSL:
openssl pkcs12 -export -nokeys -in <certificate file> -out <pfx truststore file>.pfx
Create JKS Truststore
You can’t actually create a Java keystore straight from a key and certificate. Instead you need to go to PFX first, and then from PFX to JKS. Find instructions for that below.
Create truststore (cert only) with Java keytool:
keytool -importkeystore -srckeystore <certificate FQDN>.pfx -srcstoretype pkcs12 -destkeystore <certificate FQDN>.jks -deststoretype JKS
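The commands above build the PKCS12 files but never check that the key and certificate belong together, and a mismatched pair only shows up later as a failing TLS handshake. The script below is an added example, not code from the original post: it generates a throwaway self-signed certificate so it runs offline, checks the key against the certificate by comparing public-key hashes, round-trips the key through AES-256 encryption, and only then builds the keystore and truststore, reading both back to confirm they open. The CN, file names and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS12 keystore and
# truststore described above, but only after checking that the private key
# really belongs to the certificate, and read both files back to confirm they
# open. A throwaway self-signed certificate is generated here so it runs
# offline; the CN, file names and passwords are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the "base64 pem/crt file and private key" you would start from.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout key.pem -out cert.pem >/dev/null 2>&1
}

# Return 0 when the public key inside the certificate equals the public half of
# the private key. Hashing the DER-encoded SubjectPublicKeyInfo works for RSA
# and EC keys alike; comparing "-modulus" output only works for RSA.
key_matches_cert() {
    key=$1; cert=$2; passin=${3:-pass:}
    k=$(openssl pkey -in "$key" -passin "$passin" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Encrypt the key at rest with AES-256, decrypt it again, and confirm the
# round trip still yields the key that matches the certificate.
encrypt_and_roundtrip_key() {
    openssl rsa -aes256 -in key.pem -out key.enc.pem -passout pass:KeyPass1 2>/dev/null
    openssl rsa -in key.enc.pem -out key.dec.pem -passin pass:KeyPass1 2>/dev/null
    key_matches_cert key.dec.pem cert.pem
}

# Keystore (cert + key) and truststore (cert only), refusing to export a
# mismatched pair; a .pfx whose key does not fit its certificate fails only
# at handshake time, which is the worst place to find out.
build_pfx() {
    key_matches_cert key.pem cert.pem || { echo "key does not match cert; refusing to export" >&2; return 1; }
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.pfx -passout pass:PfxPass1
    openssl pkcs12 -export -nokeys -in cert.pem -out truststore.pfx -passout pass:PfxPass1
    # Reading each file back with its password is the cheapest sanity check.
    openssl pkcs12 -in keystore.pfx -passin pass:PfxPass1 -info -noout >/dev/null 2>&1
    openssl pkcs12 -in truststore.pfx -passin pass:PfxPass1 -info -noout >/dev/null 2>&1
}

# Count the certificates inside a .pfx (useful before a keystore import).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
encrypt_and_roundtrip_key && echo "encrypted key round-trips and matches cert"
build_pfx && echo "keystore.pfx and truststore.pfx written to $WORK"
```

The passwords are passed with -passout/-passin only to keep the example non-interactive; for real material let openssl prompt, or read them from a file with pass:file, so they do not land in shell history.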
Source Format: DER
There’s really only one thing you should do with a DER encoded certificate. Turn it into base64 instead.
Windows:
certutil -encode <der file> <base64 file>
Linux (openssl):
openssl x509 -inform der -in <der file> -out <base64 file>
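A .cer or .crt extension says nothing about whether the file is DER or base64, and running the conversion on the wrong encoding just produces an error. The script below is an added example, not code from the original post: it sniffs the encoding (PEM starts with the BEGIN marker, DER starts with the ASN.1 SEQUENCE byte 0x30), converts to base64 only when needed, and proves both copies carry the same certificate by comparing fingerprints. It generates a throwaway self-signed certificate so it runs offline; the CN and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: tell DER from PEM before
# converting, so the conversion step above is never run on the wrong encoding.
# A throwaway self-signed certificate is generated here and exported to DER as
# well, so it runs offline; the CN and file names are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout key.pem -out cert.pem >/dev/null 2>&1
# The DER copy stands in for a binary export from a Windows certificate store.
openssl x509 -in cert.pem -outform DER -out cert.der

# Print PEM, DER or UNKNOWN for a certificate file. PEM is text that starts
# with the BEGIN marker; DER is binary whose first byte is the ASN.1 SEQUENCE
# tag 0x30.
cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Produce a PEM copy whatever the input encoding; the DER branch is the
# "openssl x509 -inform der" command from the page. Fails on unrecognised input.
to_pem() {
    in=$1; out=$2
    case $(cert_format "$in") in
        PEM) cp "$in" "$out" ;;
        DER) openssl x509 -inform der -in "$in" -out "$out" ;;
        *)   echo "$in: neither a DER nor a PEM certificate" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate, independent of its original encoding.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

to_pem cert.der from_der.pem
echo "cert.der is $(cert_format cert.der), from_der.pem is $(cert_format from_der.pem)"
echo "fingerprint after conversion: $(fingerprint from_der.pem)"
```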
Source Format: PKCS12
For when you have a pfx/p12 file and need to do stuff with its contents.
Extract Certificate And Key To Base64
# Extract the private key. Note that -nodes ("no DES") writes it out unencrypted; drop -nodes to be prompted for a passphrase that encrypts the output.
openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [privatekey.key]
# Extract the certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [publiccert.crt]
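The two extraction commands above leave two things to the reader: the key file comes out unencrypted because of -nodes, and the certificate file carries "Bag Attributes" lines before the PEM block that some importers reject. The script below is an added example, not code from the original post: it builds a throwaway .pfx so it runs offline, extracts the certificate cleanly, and extracts the key both ways so the difference in the PEM header is visible. The CN, file names and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: extract the certificate and the
# private key from a .pfx, showing what "-nodes" really does to the key and how
# to get a clean certificate file without the "Bag Attributes" preamble. A
# throwaway .pfx is built here so it runs offline; the CN, file names and
# passwords are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout key.pem -out cert.pem >/dev/null 2>&1
openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.pfx -passout pass:PfxPass1

# Certificate only. -clcerts keeps the end-entity cert and drops any CA certs
# bundled with it; piping through "openssl x509" strips the Bag Attributes
# lines that pkcs12 prints before the PEM block.
extract_cert() {
    openssl pkcs12 -in bundle.pfx -passin pass:PfxPass1 -clcerts -nokeys \
        | openssl x509 -out "$1"
}

# Key in the clear: this is what the page's "-nodes" command produces
# (no encryption on the output at all), so handle the file accordingly.
extract_key_plain() {
    openssl pkcs12 -in bundle.pfx -passin pass:PfxPass1 -nocerts -nodes -out "$1"
}

# Key re-encrypted under a new passphrase: drop -nodes and supply -passout.
extract_key_encrypted() {
    openssl pkcs12 -in bundle.pfx -passin pass:PfxPass1 -nocerts -out "$1" -passout pass:KeyPass1
}

# The PEM header tells you which kind of key file you are holding.
key_is_encrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

extract_cert server.crt
extract_key_plain plain.key
extract_key_encrypted protected.key
head -n 1 server.crt
key_is_encrypted plain.key && echo "plain.key: encrypted" || echo "plain.key: NOT encrypted"
key_is_encrypted protected.key && echo "protected.key: encrypted" || echo "protected.key: NOT encrypted"
```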
Convert to JKS
keytool -importkeystore -srckeystore <certificate FQDN>.pfx -srcstoretype pkcs12 -destkeystore <certificate FQDN>.jks -deststoretype JKS
# List the certificates contained in that JKS file:
keytool -list -keystore <certificate FQDN>.jks
# Change the key password:
keytool -keypasswd -keystore <certificate FQDN>.jks -alias <certificate alias>
# Change the store password:
keytool -storepasswd -keystore <certificate FQDN>.jks
# Change the alias of a certificate:
keytool -changealias -keystore <certificate FQDN>.jks -alias <old alias> -destalias <new alias>
Source Format: JKS
Java keystore files are not ideal, but some environments still use them. Hopefully these commands help.
View Keystore Details
keytool -list -keystore <keystore file>
You can just ignore the password prompt for this command.
Change Keystore Password
keytool -storepasswd -keystore <keystore file>
Change Key Password
keytool -keypasswd -alias <alias for key you want to modify> -keystore <keystore file>
Convert to PFX/PKCS12
There’s not a whole lot you can do with JKS files when it comes to exporting certificates or keys. For that, you’ll need to turn them into PFX/PKCS12 files first.
keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
Export Certificate
keytool -export -keystore examplestore -alias signFiles -file Example.cer
Change Alias
keytool -changealias -alias <old alias> -destalias <new alias> -keystore <keystore.jks>