SSL Certificate

What is an SSL Certificate

An SSL Certificate is essentially an X.509 certificate. X.509 is a standard that defines the structure of the certificate. It defines the data fields that should be included in the SSL certificate. X.509 uses a formal language called Abstract Syntax Notation One (ASN.1) to express the certificate’s data structure.

There are different formats of X.509 certificates such as PEM, DER, PKCS#7 and PKCS#12. PEM and PKCS#7 formats use Base64 ASCII encoding while DER and PKCS#12 use binary encoding. The certificate files have different extensions based on the format and encoding they use.

The X.509 Certificate’s encoding formats and file extensions

Web Servers and SSL certificate formats

Tomcat: Keystore (.jks) with PKCS#7 (.p7b) Format

Apache: PEM (.crt+.key)

Nginx: PEM (.pem+.key)

IIS: PKCS#12 (.pfx)

JKS: Keystore

Generate a Self-Signed Certificate


# interactive
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
Enter PEM pass phrase: 
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
# non-interactive and 10 years expiration
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

openssl req

PKCS#10 X.509 Certificate Signing Request (CSR) Management.

Required options

  • -x509: Output a x509 structure instead of a cert request (Required by some CA’s)
  • -newkey val: Specify as type:bits. (key algorithm and key size). For example, -newkey rsa:4096
  • -keyout outfile: File to send the key to (private key)
  • -out outfile: Output file (certificate)
  • -days +int: Number of days cert is valid for
  • -*: Any supported digest. For example, -sha256

Optional options

  • -nodes: Don’t encrypt the output key (the private key is written to disk without a pass phrase).
  • -subj val: Set or modify request subject. (non-interactive). For example, -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

Extract Public Key From SSL Certificate


openssl x509 -pubkey -in cert.pem -noout -out public_key.pem

openssl x509

X.509 Certificate Data Management.


  • -pubkey: Output the public key
  • -in infile: Input file - default stdin
  • -out outfile: Output file - default stdout
  • -noout: No output, just status. (Don’t append certificate to output public key file.)

Verify public key and private key

Create a signed digest of a file:

openssl dgst -sha512 -sign private_key.pem -out digest.sha512 file.txt

Verify a signed digest:

openssl dgst -sha512 -verify public_key.pem -signature digest.sha512 file.txt
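
The sign/verify pair above can be used to check that a private key really belongs to a given certificate. The script below is an added example, not part of the original page; the function names, file names and the CN=example.test subject are assumptions.

```shell
#!/bin/sh
# Added example: function names, file names and CN=example.test are assumptions.

# make_pair PREFIX -> writes PREFIX.crt and PREFIX.key (throwaway, unencrypted key)
make_pair() {
    openssl req -x509 -newkey rsa:2048 -keyout "$1.key" -out "$1.crt" \
        -sha256 -days 1 -nodes -subj "/CN=example.test" 2>/dev/null
}

# key_matches_cert CERT KEY -> 0 if KEY is the private half of CERT's public key,
# 1 if it is not, 2 if the certificate cannot be read.
key_matches_cert() {
    cert=$1 key=$2
    tmp=$(mktemp -d) || return 2
    # Public key exactly as recorded in the certificate
    if ! openssl x509 -pubkey -noout -in "$cert" > "$tmp/pub.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # Fresh random challenge, so an old signature file cannot satisfy the check
    openssl rand -hex 32 > "$tmp/challenge"
    # Sign with the private key, verify with the certificate's public key
    if openssl dgst -sha512 -sign "$key" -out "$tmp/sig" "$tmp/challenge" 2>/dev/null &&
       openssl dgst -sha512 -verify "$tmp/pub.pem" -signature "$tmp/sig" \
           "$tmp/challenge" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

A key that was written with a pass phrase (no -nodes) prompts for it at the signing step.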

Convert SSL certificate formats


OpenSSL Convert PEM

Convert PEM(.pem) to DER(.der)

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM(.cer) to PKCS#7(.p7b)

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM(.crt) to PKCS#12(.pfx)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER(.cer) to PEM(.pem)

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert PKCS#7(.p7b) to PEM(.cer)

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert PKCS#7(.p7b) to PKCS#12(.pfx)

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PKCS#12(.pfx) to PEM(.cer)

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
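
The conversions above change only the encoding or container, never the certificate itself. The script below is an added example, not part of the original page: it runs the PEM, DER and PKCS#7 conversions on a throwaway certificate and confirms the SHA-256 fingerprint is unchanged. The function names and CN=example.test are assumptions.

```shell
#!/bin/sh
# Added example: function names and CN=example.test are assumptions.

# make_cert PREFIX -> writes a throwaway PREFIX.pem certificate and PREFIX.key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -keyout "$1.key" -out "$1.pem" \
        -sha256 -days 1 -nodes -subj "/CN=example.test" 2>/dev/null
}

# encoding_of FILE -> PEM (Base64 text between BEGIN/END lines),
# DER (binary ASN.1; a DER SEQUENCE starts with byte 0x30) or unknown
encoding_of() {
    if head -c 11 "$1" | grep -q '^-----BEGIN '; then echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then echo DER
    else echo unknown
    fi
}

# fingerprint FILE FORM -> SHA-256 of the certificate's DER bytes
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# conversions_preserve_cert CERT.pem -> 0 if every converted copy is the same certificate
conversions_preserve_cert() {
    pem=$1 rc=0
    tmp=$(mktemp -d) || return 2
    want=$(fingerprint "$pem" PEM)
    [ -n "$want" ] || rc=1
    openssl x509 -outform der -in "$pem" -out "$tmp/c.der" || rc=1          # PEM -> DER
    openssl x509 -inform der -in "$tmp/c.der" -out "$tmp/back.pem" || rc=1  # DER -> PEM
    openssl crl2pkcs7 -nocrl -certfile "$pem" -out "$tmp/c.p7b" || rc=1     # PEM -> PKCS#7
    openssl pkcs7 -print_certs -in "$tmp/c.p7b" -out "$tmp/p7.pem" || rc=1  # PKCS#7 -> PEM
    # The PEM body is the Base64 of the DER bytes: decode by hand and compare
    grep -v '^-----' "$pem" | openssl base64 -d > "$tmp/manual.der"
    cmp -s "$tmp/manual.der" "$tmp/c.der" || rc=1
    [ "$(encoding_of "$tmp/c.der")" = DER ] || rc=1
    [ "$(encoding_of "$tmp/c.p7b")" = PEM ] || rc=1
    [ "$(fingerprint "$tmp/c.der" DER)" = "$want" ] || rc=1
    [ "$(fingerprint "$tmp/back.pem" PEM)" = "$want" ] || rc=1
    [ "$(fingerprint "$tmp/p7.pem" PEM)" = "$want" ] || rc=1
    rm -rf "$tmp"
    return $rc
}
```

PKCS#12 files are DER-encoded as well, so encoding_of reports DER for a .pfx; it identifies the encoding, not the container.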

Java Keystore

keytool -genkeypair: to generate a key pair and a self-signed certificate in a keystore file

keytool -genkeypair -keysize 1024 -alias herong_key \
-keypass keypass -keystore herong.jks -storepass jkspass
What is your first and last name?
[Unknown]: Herong Yang
What is the name of your organizational unit?
[Unknown]: Herong Unit
What is the name of your organization?
[Unknown]: Herong Company
What is the name of your City or Locality?
[Unknown]: Herong City
What is the name of your State or Province?
[Unknown]: Herong State
What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company, L=Herong City,
ST=Herong State, C=CA correct?
[no]: yes



# Installing the Self-Signed Certificate on the Client
keytool -importcert -alias alias_name -file path_to_certificate_file -keystore truststore_file

-importcert -trustcacerts

# Importing a CA-Signed Certificate
keytool -import -trustcacerts -alias alias_name -file certificate_file -keystore keystore_file


-exportcert/-export: to export the certificate in DER format.

keytool -exportcert -alias herong_key -keypass keypass \
-keystore herong.jks -storepass jkspass -file keytool_crt.der

-exportcert -rfc: to export the certificate in PEM format.

keytool -exportcert -alias herong_key -keypass keypass \
-keystore herong.jks -storepass jkspass -rfc -file keytool_crt.pem


Move SSL Certificate to another JKS Keystore

"C:\Program Files\Java\jre7\bin\keytool.exe" -importkeystore -srckeystore "D:\source-keystore.jks" -destkeystore "D:\destination-keystore.jks" -srcstorepass password -deststorepass password -srcalias ""


