Advanced certificate management using OpenSSL Commands
After you have applied for a personal or a host certificate, you will usually need to export the certificate bundle from your browser and convert it into other formats: into ".pem" files so that tools like GSI-SSH can authenticate you to the grid, or so that you can install a host certificate on the host you administer.
The openssl commands below perform those conversions once you have exported your personal or host certificate bundle (a .p12 or .pfx file) from your browser.
Converting a p12 / pfx bundle to a user certificate and private key file e.g. after exporting from a browser or the CertWizard
$> openssl pkcs12 -clcerts -nokeys -out usercert.pem -in cert.p12
$> openssl pkcs12 -nocerts -out userkey.pem -in cert.p12
The second command asks first for the import password of the bundle and then for a new PEM passphrase that will encrypt userkey.pem; do not leave it empty, since user keys must always be passphrase-protected. Afterwards set the file permissions with chmod 644 usercert.pem and chmod 400 userkey.pem so that nobody else can read the private key.
Converting a p12 / pfx bundle to a server/service certificate and private key file e.g. after exporting from a browser
$> openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in cert.p12
$> openssl pkcs12 -nocerts -nodes -out hostkey.pem -in cert.p12
The -nodes option writes the private key unencrypted, which is what a service needs to start unattended; it also means the file permissions are the only protection the key has. Afterwards run chmod 644 hostcert.pem and chmod 400 hostkey.pem (the key should be readable only by the account that runs the service).
Convert a certificate and private key file into a p12 bundle e.g. for importing into a browser
$> openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 -name "name for certificate"
To remove the passphrase of a server/service private key in PEM format (note that this should only be done on server/service certificates - user certificates must always be protected by a passphrase)
$> openssl rsa -in hostkey.pem -out hostkey.pem.new
Enter pass phrase for hostkey.pem: ****************
writing RSA key
$> mv hostkey.pem.new hostkey.pem
Writing to a new file and then renaming it means a mistyped passphrase leaves the original key untouched. Set the new file's permissions to 400 before moving it into place, as the copy may be created with your default umask.
Checking whether a certificate is valid
If you have the certificate loaded into a browser, you can go to the CA Portal's Login page and it will show the status of your certificate (if valid).
Alternatively, if you are on a system with an up-to-date installation of the CA information in (typically) /etc/grid-security/certificates, you can test your certificate like this:
$> openssl verify -CApath /etc/grid-security/certificates usercert.pem
This checks the signature chain and the validity dates only. To also check that the certificate has not been revoked, add the -crl_check option, which requires current CRLs (the hashed .r0 files) to be present in the same directory.
Extracting information from a certificate
Display the Distinguished Name (DN) from a certificate in PEM format
$> openssl x509 -in usercert.pem -noout -subject | sed 's/^subject= *//'
OpenSSL 1.0 prints "subject= " with a space and OpenSSL 1.1 and later print "subject=" without one; the sed expression above tolerates both. Add -nameopt RFC2253 to get the DN in the comma-separated form used by RFC 2253 instead of the slash-separated one.
Display the contents of a private key in PEM format (you will be prompted for the passphrase if the key is encrypted)
$> openssl rsa -in userkey.pem -noout -text
Display the Distinguished Name (DN) of the certificate in a p12 file
$> openssl pkcs12 -in cert.p12 -nokeys -clcerts | openssl x509 -noout -subject | sed 's/^subject= *//'
Extracting information from other objects
Display the contents of a Certificate Revocation List (CRL) in DER format
$> openssl crl -inform der -noout -text < importCRL
Remove a passphrase from a host private key
To remove a passphrase from the private key of a host certificate, rewriting the file in place:
$> openssl rsa -in hostkey.pem -out hostkey.pem
The key is read completely before the output file is opened, so a wrong passphrase does not destroy the key, but the file is overwritten without a backup. Writing to a new file and renaming it, as shown earlier, is the safer habit.
Add a passphrase to a host private key
To add a passphrase to the private key of a host certificate (you will be prompted for the new passphrase twice):
$> openssl rsa -in hostkey.pem -out hostkey.pem -aes256
The older -des3 option is still accepted but uses a legacy cipher; prefer -aes256.
Check whether a certificate and a private key match
Perhaps surprisingly, the private key file contains the public key, as does the certificate, so the two can be compared. This example shows a host certificate, but it works for all certificates (for an encrypted key you will be prompted for the passphrase; for keys that are not RSA, use openssl pkey instead of openssl rsa):
$> openssl rsa -in hostkey.pem -pubout
$> openssl x509 -in hostcert.pem -pubkey -noout
Now compare the two public key blocks that are printed: they must be identical. In shells that support process substitution, such as bash and zsh, you can do it in one line:
$> diff -qs <(openssl rsa -in hostkey.pem -pubout) <(openssl x509 -in hostcert.pem -pubkey -noout)
The shell feeds both outputs to diff, which reports either that the files are identical or that they differ. If they differ, the key does not belong to that certificate and the service will fail to start or clients will fail to verify it.
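The conversion, permission, DN-extraction and key-matching steps described above, gathered into one script. This is an added example, not code from the original page: it assumes a POSIX shell with the openssl command on PATH, and the file names, the "Example Grid" subject and the passphrases "bundlepass" and "keypass" are constructed for the demonstration. It goes slightly beyond the page by using openssl pkey (which handles any key algorithm, not only RSA) and by comparing SHA-256 fingerprints of the two public keys instead of diffing the PEM text, and it exercises itself against a throwaway self-signed certificate that it generates.

```shell
#!/bin/sh
# Added example, not part of the original page: PKCS#12 -> PEM conversion
# with safe permissions, DN extraction and a certificate/key match check,
# built from the OpenSSL commands described above. File names, the
# "Example Grid" subject and all passphrases are constructed for this demo.

# SHA-256 fingerprint of the public key contained in a PEM certificate.
cert_pubkey_fpr() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a PEM private key.
# $2 is the key passphrase; pass an empty string for an unencrypted key.
key_pubkey_fpr() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match CERT KEY [KEYPASS]: succeeds only if KEY belongs to CERT.
keys_match() {
    [ "$(cert_pubkey_fpr "$1")" = "$(key_pubkey_fpr "$2" "${3:-}")" ]
}

# cert_dn CERT: subject DN in RFC 2253 form without the "subject=" prefix.
# OpenSSL 1.0 prints "subject= " and 1.1+ prints "subject=", so the sed
# expression tolerates both.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# p12_to_pem BUNDLE P12PASS CERT_OUT KEY_OUT [KEYPASS]
# With KEYPASS the key is written encrypted (mandatory for user keys);
# without it the key is written unencrypted (-nodes), acceptable only
# for host/service keys. Permissions are set as the page recommends.
p12_to_pem() {
    bundle=$1 p12pass=$2 cert_out=$3 key_out=$4 keypass=${5:-}
    openssl pkcs12 -in "$bundle" -passin "pass:$p12pass" \
        -clcerts -nokeys -out "$cert_out"
    if [ -n "$keypass" ]; then
        openssl pkcs12 -in "$bundle" -passin "pass:$p12pass" \
            -nocerts -passout "pass:$keypass" -out "$key_out"
    else
        openssl pkcs12 -in "$bundle" -passin "pass:$p12pass" \
            -nocerts -nodes -out "$key_out"
    fi
    chmod 644 "$cert_out"
    chmod 400 "$key_out"
}

# remove_key_passphrase KEY KEYPASS: host keys only. Writes a sibling file
# first and renames it, so a wrong passphrase never clobbers the original.
remove_key_passphrase() {
    openssl pkey -in "$1" -passin "pass:$2" -out "$1.new" || return 1
    chmod 400 "$1.new" && mv -f "$1.new" "$1"
}

# make_test_bundle DIR: constructed throwaway self-signed certificate and
# PKCS#12 bundle (import password "bundlepass") so the functions above can
# be exercised offline. Never use such a certificate for anything real.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=UK/O=Example Grid/CN=Test User" \
        -keyout "$1/orig-key.pem" -out "$1/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/orig-cert.pem" -inkey "$1/orig-key.pem" \
        -name "Test User" -passout pass:bundlepass -out "$1/cert.p12"
}

# demo: run the whole flow in a temporary directory and report the result.
demo() {
    work=$(mktemp -d)
    make_test_bundle "$work"
    p12_to_pem "$work/cert.p12" bundlepass "$work/usercert.pem" "$work/userkey.pem" keypass
    echo "DN: $(cert_dn "$work/usercert.pem")"
    if keys_match "$work/usercert.pem" "$work/userkey.pem" keypass; then
        echo "userkey.pem matches usercert.pem"
    else
        echo "MISMATCH: userkey.pem does not belong to usercert.pem"
    fi
    rm -rf "$work"
}

# Usage: sh certtools.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Fingerprints are compared rather than PEM text because the same public key can be encoded with different line wrapping or in different key formats, while the DER encoding hashed here is canonical. The passphrases are passed with pass: only to make the script testable; on a real system type them interactively or use file: so they do not appear in the process list or shell history.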