"openssl x509" - X.509 Certificate Command

PKI Certificate Tutorials - Herong's Tutorial Examples

∟"openssl x509" - X.509 Certificate Command

This section describes the 'openssl x509' command, which invokes the OpenSSL CLI to access OpenSSL functions.

What Is "openssl x509" Command? "openssl x509" is an OpenSSL command to display X.509 certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings.

Here are some examples on how to use the "openssl x509" command:

# Display the contents of a certificate in PEM format:
openssl x509 -in cert.pem -noout -text

# Convert certificate from PEM format to DER format:
openssl x509 -in cert.pem -out cert.der -outform DER
 
# Convert certificate from DER format to PEM format:
openssl x509 -in cert.der -inform DER -out cert.pem 

# Convert a certificate to a CSR (Certificate Signing Request):
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

# Sign a CSR into a certificate 
openssl x509 -req -in csr.pem -out cert.pem \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial

"openssl x509" command options used in above examples are:

-in cert.pem   Specifies the input certificate file in PEM format
-inform DER    Specifies the input certificate in DER format 
-noout         Stops writing out the certificate
-out cert.der  Specifies the output certificate file
-outform DER   Specifies the output certificate in DER format
-req           Specifies the input to be a CSR
-text          Prints out the certificate information in text form
-x509toreq     Converts a certificate into a CSR
-CA ca-cert.pem  Specifies the CA certificate file used for signing 
-CAkey ca-key.pem  Specifies the CA key file used for signing 
-CAcreateserial  Specifies a serial number file to be create

The "openssl x509" command is commonly used to view and manage PKI certificates. But you can use it as CA (Certificate Authority) tool to sign a CSR into a certificate as shown in next tutorials.