One-Page Reference

Task | Tool | Command | Use Case
View Certificate | OpenSSL | openssl x509 -in cert.crt -text -noout | Inspect certificate details
Verify Chain | OpenSSL | openssl verify -CAfile chain.pem certificate.crt | Validate trust chain
Check OCSP | OpenSSL | openssl ocsp -issuer issuer.crt -cert certificate.crt -url http://ocsp.example.com -CAfile chain.pem | Check revocation status
PEM → DER | OpenSSL | openssl x509 -outform der -in certificate.pem -out certificate.der | Convert format
DER → PEM | OpenSSL | openssl x509 -inform der -in certificate.der -out certificate.pem | Convert format
PFX → PEM | OpenSSL | openssl pkcs12 -in certificate.pfx -out bundle.pem -nodes | Extract certs and key
Extract Public Key | OpenSSL | openssl x509 -in certificate.crt -pubkey -noout > publicKey.pem | Save public key from cert
List Keystore | Keytool | keytool -list -v -keystore keystore.jks | Inspect keystore entries
JKS → PKCS#12 | Keytool | keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 | Convert Java keystore

OpenSSL Reference

Essential OpenSSL commands for viewing, verifying, converting and comparing certificates and keys.

View Certificate Details

openssl x509 -in certificate.crt -text -noout

Convert Formats

PEM → DER
openssl x509 -outform der -in certificate.pem -out certificate.der
DER → PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
P7B → PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
PEM/CRT + Key → PFX
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
PFX → PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Verify Chain

openssl verify -CAfile chain.pem certificate.crt

Certificate chain verification confirms that your leaf certificate is issued by a trusted CA through a valid sequence of signatures (leaf → intermediate(s) → root). The command above checks signatures, basic constraints, and key usage using the certificates provided in chain.pem. Include the issuing intermediate(s) and, if OpenSSL does not use your OS trust store, the root CA as well. A successful run prints certificate.crt: OK. Common errors include unable to get local issuer certificate (missing intermediate), self signed certificate (wrong chain), or unable to verify the first certificate (no trusted root supplied).

Tips: Use the exact issuer of your leaf certificate from its AIA (Authority Information Access) extension. Order is flexible, but the set must contain the correct intermediates. If you only have a CA bundle, you can use it as -CAfile. For complex chains, -untrusted can provide intermediates while -CAfile holds trusted roots.

Expected output (success):

certificate.crt: OK

Check OCSP

openssl ocsp -issuer issuer.crt -cert certificate.crt -url http://ocsp.example.com -CAfile chain.pem

OCSP (Online Certificate Status Protocol) returns the current revocation status of a certificate from the CA’s responder. The OCSP URL comes from the certificate’s AIA extension. Pass the -issuer certificate that signed the leaf, the leaf certificate via -cert, and a trusted chain via -CAfile to validate the responder’s reply. Interpreting results: good means not revoked; revoked includes time and reason; unknown indicates the responder has no record. Check the This Update and Next Update timestamps to ensure freshness. OCSP is often stapled by servers during TLS; this command lets you query directly.

Use the exact issuer certificate (not the root) when calling OCSP. Many responders require HTTP and a specific path. If the responder cannot be verified, ensure your -CAfile contains the CA chain that signs the OCSP response. Avoid disabling verification flags unless troubleshooting.

Expected output (success):

Response verify OK
certificate.crt: good
	This Update: Dec 09 12:00:00 2025 GMT
	Next Update: Dec 09 18:00:00 2025 GMT
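The interpretation rules above (verify the responder's signature, read good/revoked/unknown, check This Update and Next Update for freshness) as an added Python example that is not part of the original page. It parses text in the shape `openssl ocsp` prints; the sample output, the 7-day maximum age and the 5-minute skew allowance are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `openssl ocsp` prints; not output from a real responder.
SAMPLE_OCSP_OUTPUT = (
    "Response verify OK\n"
    "certificate.crt: good\n"
    "\tThis Update: Dec 09 12:00:00 2025 GMT\n"
    "\tNext Update: Dec 09 18:00:00 2025 GMT\n"
)
TIME_FMT = "%b %d %H:%M:%S %Y GMT"
STATUS_TEXT = {"good": "OK: not revoked", "revoked": "FAIL: certificate revoked",
               "unknown": "WARN: responder has no record of this certificate"}

def parse_ocsp_output(text):
    """Pull out the responder-signature result, per-certificate status and the validity window."""
    parsed = {"verified": "Response verify OK" in text, "subject": None, "status": None,
              "this_update": None, "next_update": None}
    m = re.search(r"^(\S+): (good|revoked|unknown)$", text, re.M)
    if m:
        parsed["subject"], parsed["status"] = m.group(1), m.group(2)
    for key, field in (("this_update", "This Update"), ("next_update", "Next Update")):
        t = re.search(rf"{field}: (.+ GMT)$", text, re.M)
        if t:
            parsed[key] = datetime.strptime(t.group(1), TIME_FMT).replace(tzinfo=timezone.utc)
    return parsed

def evaluate(parsed, now, max_age=timedelta(days=7), skew=timedelta(minutes=5)):
    """Trust the response only if it verified and is fresh; then map the status to a verdict."""
    if not parsed["verified"]:
        return "REJECT: responder signature did not verify against the -CAfile chain"
    if parsed["this_update"] is None:
        return "REJECT: no This Update timestamp"
    if parsed["this_update"] > now + skew:
        return "REJECT: This Update lies in the future (clock skew or replayed response)"
    if parsed["next_update"] is not None and now > parsed["next_update"] + skew:
        return "STALE: past Next Update, query the responder again"
    if parsed["next_update"] is None and now - parsed["this_update"] > max_age:
        return "STALE: no Next Update and This Update is older than policy allows"
    return STATUS_TEXT.get(parsed["status"], "REJECT: no status line for the certificate")

if __name__ == "__main__":
    result = parse_ocsp_output(SAMPLE_OCSP_OUTPUT)
    print(evaluate(result, result["this_update"] + timedelta(hours=3)))
```

Pipe the real command's output into parse_ocsp_output and pass the current UTC time as now; a STALE or REJECT verdict means the status line should not be acted on.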

Compare Private Key vs Certificate

Both snippets derive the public key from the private key and from the certificate, encode each as DER (SubjectPublicKeyInfo), and compare SHA-256 digests; equal digests mean the certificate was issued for this key. The Bash version previously used awk "{print $2}" inside the bash -c single quotes, so $2 was expanded by the shell (to nothing) and the whole digest line was compared; the field is now taken with cut instead.

Bash
bash -c 'K=key.pem; C=cert.pem; KF=$(openssl pkey -in "$K" -pubout -outform DER | openssl sha256 | cut -d" " -f2); CF=$(openssl x509 -in "$C" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | cut -d" " -f2); if [ "$KF" = "$CF" ]; then echo "MATCH: $KF"; else echo MISMATCH; echo "Key:  $KF"; echo "Cert: $CF"; fi'
PowerShell
$K='key.pem'; $C='cert.pem'; $KF = (openssl pkey -in $K -pubout -outform DER | openssl sha256) -replace '.*= ', ''; $CF = (openssl x509 -in $C -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256) -replace '.*= ', ''; if ($KF -eq $CF) { Write-Output ('MATCH: ' + $KF) } else { Write-Output 'MISMATCH'; Write-Output ('Key:  ' + $KF); Write-Output ('Cert: ' + $CF) }

Certificate Formats

Overview of common certificate and keystore formats with identification tips and conversion examples.


PEM Format

PEM is a Base64-encoded ASCII format used widely by web servers. Files often end in .pem, .crt, .cer, or .key and include header/footer lines such as "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Server certificates, intermediates, and private keys can all be represented in PEM. Most platforms expect certificate, chain, and key in separate files even though multiple PEM blocks can appear in one file.

View PEM
openssl x509 -in certificate.pem -text -noout
Split Combined PEM
awk '/BEGIN CERT/{f="cert_"++i".cer"} {print >f}' bundle.pem

DER Format

DER is a binary encoding of certificate or key material. Files commonly use .der or .cer; a .cer file may be either PEM or DER, so inspect the content rather than the extension: BEGIN/END headers mean PEM, while DER is binary and begins with the ASN.1 SEQUENCE byte 0x30. Java platforms commonly use DER.

DER → PEM
openssl x509 -inform der -in certificate.der -out certificate.pem
PEM → DER
openssl x509 -outform der -in certificate.pem -out certificate.der
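The identification tip for .cer files and the awk split of a combined PEM bundle above, as an added Python example that is not part of the original page. It detects PEM versus DER from content, splits a bundle into its blocks the way the awk one-liner does, and rejects a block whose Base64 body decodes to a truncated DER SEQUENCE; the two five-byte "certificates" are constructed stand-ins, not real certificates.

```python
import base64
import re

# Constructed stand-ins for certificate bodies: minimal DER SEQUENCEs (SEQUENCE { INTEGER n }).
# Real certificates are much larger; only the 0x30 tag and length prefix matter for detection.
FAKE_DER_1 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_DER_2 = bytes([0x30, 0x03, 0x02, 0x01, 0x02])

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor with 64-character Base64 lines (what openssl x509 writes)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def detect_format(data):
    """Classify content as PEM, DER or unknown; the file extension (.cer) is not reliable."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag that opens every DER certificate or key
        return "DER"
    return "unknown"

def der_total_length(der):
    """Encoded length of the outer SEQUENCE, handling short form and 0x81/0x82 long form."""
    if len(der) < 2:
        return -1
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def split_pem(text):
    """Split a combined PEM bundle into (label, DER bytes) pairs, rejecting truncated blocks."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if detect_format(der) != "DER" or der_total_length(der) != len(der):
            raise ValueError(f"{label} block is not a complete DER SEQUENCE")
        blocks.append((label, der))
    return blocks

if __name__ == "__main__":
    bundle = der_to_pem(FAKE_DER_1) + der_to_pem(FAKE_DER_2)
    print(detect_format(bundle.encode()), detect_format(FAKE_DER_1))
    for i, (label, der) in enumerate(split_pem(bundle), 1):
        print(f"cert_{i}.cer: {label}, {len(der)} DER bytes")  # same naming as the awk split
```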

PKCS#7 / P7B

PKCS#7 (P7B) bundles certificates and chain certificates, but not private keys. Typically ASCII Base64 with headers like "-----BEGIN PKCS7-----" and extensions .p7b or .p7c. Supported by Windows and Java app servers.

P7B → PEM Certificates
openssl pkcs7 -print_certs -in certificate.p7b -out certificates.pem

PKCS#12 / PFX

PKCS#12 (PFX) is a binary, encryptable container that can store a private key, the server certificate, and intermediates together. Common extensions are .pfx and .p12; frequently used on Windows for import/export.

Extract Private Key
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privateKey.key
Extract Certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer
Repack PEM → PFX
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -certfile CACert.cer -out certificate.pfx
Format | Contains Private Key? | Typical Extensions | Headers | Common Use
PEM | Yes (in .key) | .pem, .crt, .cer, .key | BEGIN/END blocks | Apache/Nginx, general web
DER | No (cert only) | .der, .cer | None (binary) | Java, Windows cert stores
PKCS#7/P7B | No | .p7b, .p7c | BEGIN/END PKCS7 | Windows, Tomcat
PKCS#12/PFX | Yes | .pfx, .p12 | None (binary container) | Windows import/export

Keytool Reference

Common Java Keytool operations for generating keys, creating CSRs, importing CA replies, converting keystores, and inspecting entries.

Generate RSA Keypair and Keystore

Create JKS with RSA 2048
keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass changeit -keypass changeit -dname "CN=example.com, O=Example, OU=IT, L=City, ST=State, C=US"

Export CSR from Keystore

Create CSR (PKCS#10)
keytool -certreq -alias server -file request.csr -keystore keystore.jks -storepass changeit -ext SAN=dns:example.com,dns:www.example.com

Import CA Reply

Import Issued Cert
keytool -importcert -alias server -file certificate.crt -keystore keystore.jks -storepass changeit
Import CA Chain
keytool -importcert -alias intermediate -file intermediate.crt -keystore keystore.jks -storepass changeit

Display Certificate Details

List Verbose Entry
keytool -list -v -alias server -keystore keystore.jks -storepass changeit
JKS → PKCS#12
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
PKCS#12 → JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
List Keystore Contents
keytool -list -v -keystore keystore.jks

Migrate Keystore to OpenSSL

Keytool cannot export private keys directly. The most reliable path is to convert the keystore to PKCS#12 and then use OpenSSL to extract the certificate and private key. If you must reuse the same Java-generated key without conversion, advanced approaches require custom code to dump keys from the keystore.
Step 1: Convert JKS → PKCS#12
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx -deststoretype PKCS12 -storepass changeit -deststorepass changeit
Step 2: Extract Private Key
openssl pkcs12 -in keystore.pfx -nocerts -nodes -out private.key
Step 3: Extract Certificate
openssl pkcs12 -in keystore.pfx -clcerts -nokeys -out certificate.crt
Optional: Convert to DER
openssl x509 -outform der -in certificate.crt -out certificate.der
Security tip: Handle PKCS#12 files locally whenever possible. They contain private keys; avoid uploading them to untrusted services. Prefer generating fresh keys in OpenSSL and reissuing a certificate when migration isn’t strictly required.

Visual Aids & Diagrams

Diagrams of certificate chains and common CA hierarchies.

Certificate Chain Diagrams

Leaf → Intermediate → Root
Root CA (Trusted Store) → signs → Intermediate CA (KeyCertSign=TRUE) → signs → Server Certificate (Leaf); OK if chain verifies.