{"id":68,"date":"2026-01-15T15:21:31","date_gmt":"2026-01-15T15:21:31","guid":{"rendered":"https:\/\/stupidtechblog.com\/?p=68"},"modified":"2026-01-15T15:21:32","modified_gmt":"2026-01-15T15:21:32","slug":"ssl-certificate-quick-reference","status":"publish","type":"post","link":"https:\/\/stupidtechblog.com\/?p=68","title":{"rendered":"SSL Certificate Quick Reference"},"content":{"rendered":"\n<p>I often find myself needing to take a certificate or keystore and do <em>stuff<\/em> to it. Either turning it into a different format, extracting something, updating something, etc. I decided to make this reference doc to include every command that might be needed to do stuff with an SSL cert.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"source-format-base64\">Source Format: BASE64<\/h2>\n\n\n\n<p>For use when you have a base64 pem\/crt\/cer file and\/or a private key, and need to turn it into other stuff.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"encrypt-decrypt-private-key\">Encrypt\/Decrypt Private Key<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Encrypt with OpenSSL:\nopenssl rsa -aes256 -in &lt;decrypted key> -out &lt;encrypted key>\nDecrypt with OpenSSL:\nopenssl rsa -in &lt;encrypted key> -out &lt;decrypted key><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-pfx-pkcs12-keystore-truststore\">Create PFX\/PKCS12 Keystore\/Truststore<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Create keystore (cert + key) with OpenSSL:\nopenssl pkcs12 -export -out &lt;pfx keystore file>.pfx -inkey &lt;private key file> -in &lt;certificate file>\nCreate truststore 
(cert only) with OpenSSL:\nopenssl pkcs12 -export -nokeys -in &lt;certificate file> -out &lt;pfx truststore file>.pfx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-jks-truststore\">Create JKS Truststore<\/h3>\n\n\n\n<p>You can&#8217;t actually create a Java keystore straight from a key and certificate. Instead you need to go to PFX first, and then from PFX to JKS. Find instructions for that below.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Create truststore (cert only) with Java keytool:\nkeytool -importkeystore -srckeystore &lt;certificate FQDN>.pfx -srcstoretype pkcs12 -destkeystore &lt;certificate FQDN>.jks -deststoretype JKS<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"source-format-der\">Source Format: DER<\/h2>\n\n\n\n<p>There&#8217;s really only one thing you should do with a DER encoded certificate. 
Turn it into base64 instead.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Windows:\ncertutil -encode &lt;der file> &lt;base64 file>\nLinux (openssl):\nopenssl x509 -inform der -in &lt;der file> -out &lt;base64 file><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"source-format-pkcs12\">Source Format: PKCS12<\/h2>\n\n\n\n<p>For when you have a pfx\/p12 file and need to do stuff with its contents.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-certificate-and-key-to-base64\">Extract Certificate And Key To Base64<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Extract the private key (-nodes writes it unencrypted; omit -nodes to be prompted for a passphrase)\nopenssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [privatekey.key]\n\n# Extract the certificate\nopenssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [publiccert.crt]<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"convert-to-jks\">Convert to JKS<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -importkeystore -srckeystore &lt;certificate FQDN>.pfx -srcstoretype pkcs12 -destkeystore &lt;certificate FQDN>.jks -deststoretype JKS\n\n#List the certificates contained in that JKS file:\nkeytool -list -keystore &lt;certificate FQDN>.jks\n\n#Change the key password:\nkeytool -keypasswd -keystore &lt;certificate FQDN>.jks -alias &lt;certificate alias>\n\n#Change the store password:\nkeytool -storepasswd -keystore &lt;certificate FQDN>.jks\n\n#Change the alias of 
a certificate:\nkeytool -changealias -keystore &lt;certificate FQDN>.jks -alias &lt;old alias> -destalias &lt;new alias><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"source-format-jks\">Source Format: JKS<\/h2>\n\n\n\n<p>Java keystore files are not ideal, but some environments still use them. Hopefully these commands help.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"view-keystore-details\">View Keystore Details<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -list -keystore &lt;keystore file>\n\nYou can just ignore the password prompt for this command.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"change-keystore-password\">Change Keystore Password<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -storepasswd -keystore &lt;keystore file><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"change-key-password\">Change Key Password<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -keypasswd  -alias &lt;alias for key you want to modify>  -keystore &lt;keystore file><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"convert-to-pfx-pkcs12\">Convert to PFX\/PKCS12<\/h3>\n\n\n\n<p>There&#8217;s not a whole lot you can do with JKS files when it comes to exporting certificates or keys. 
For that, you&#8217;ll need to turn them into PFX\/PKCS12 files first.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"export-certificate\">Export Certificate<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -export -keystore examplestore -alias signFiles -file Example.cer<\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"change-alias\">Change Alias<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">keytool -changealias -alias &lt;old alias> -destalias &lt;new alias> -keystore &lt;keystore.jks><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I often find myself needing to take a certificate or keystore and do stuff to it. Either turning it into a different format, extracting something, updating something, etc. I decided to make this reference doc to include every command that might be needed to do stuff with an SSL cert. 
Source Format: BASE64 For use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[17],"tags":[20,19,13,18,8],"class_list":["post-68","post","type-post","status-publish","format-standard","hentry","category-quick-reference","tag-certificates","tag-java-keytool","tag-linux","tag-openssl","tag-windows"]}