SSL Certificate Operations

Why do we need SSL/TLS?

  • Server [/Client] authentication for source [/dest] validation and trust.
  • Secure data transfer using encryption

SSL Communication Process


  1. Server authentication (Handshake)
  2. Key Exchange
  3. Encrypted data transfer (Record)




Request, sign, install and verify


CA Signed

  1. Generate the private key and certificate signing request for your site.signing
    openssl genrsa -out mysite.key 4096
    openssl req -new -key mysite.key -out mysite.csr
  2. Send mysite.csr to the CA of your choice.
  3. Get it signed by CA, say mysite.crt



Self Signed

  1. Generate the private key and self signed certificate for 365days.
    openssl req -x509 -newkey rsa:4096 -keyout mysite.key -out mysite.crt -days 365
  2. Install the certificate


SSL Certificate types (DV, OV, EV)

DV – Domain Validated (Basic)

  • Small or medium level website owners who only wish to encrypt their domain can issue DV SSL certificate. (,
  • Features
    • Green padlock. But no validation for the organization.dv
    • Lower price
    • Quick issuance within minutes
    • No paper work or documentation required for validation. Validated against the domain. It does not guarantee the identity of the website’s owner nor the actual existence of the organization
    • 99.9% mobile and web browser compatibility
    • Comes up with Wildcard and Multi Domain features
    • Reissue as many times as needed during the validity period
  • Validation process (email,file,registrar)

OV – Organization Validated (Enhanced)

EV – Extended Validated (Complete)


Read cert (online)

openssl s_client -connect < /dev/null 2>/dev/null
openssl s_client -showcerts -connect < /dev/null 2>/dev/null

Read the cert – x509 decoded (online)

openssl s_client -connect < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin –text

Check expiry [startdate, fingerpring, ]

openssl s_client -connect < /dev/null 2>/dev/null | openssl x509 -in /dev/stdin -noout –enddate [-startdate –fingerprint -sha1, …]

Verify the key and cert (offline)

openssl rsa -in -noout -modulus | openssl shasum
openssl x509 -in -noout -modulus | openssl shasum

Public key extraction from Private key

openssl rsa -in mysite.key -pubout >
openssl req -noout -in mysite.csr –pubkey >

Remove passphrase from privae key

openssl rsa -in mysite.key -out nopassphrase_mysite.key

Certificate Standard & Structure

x509 – PKIX (Public Key Infrastructure) certificate rfc6818



DER  => Binary DER encoded certs. (appear as .cer/.crt files)

PEM => ASCII (Base64) armored data prefixed with a “—– BEGIN …” line. (appears as .cer/.crt/.pem files)

File extensions

.crt => *nix convention of binary DER or Base64 PEM
.cer => Microsoft covention of binary DER or Base64 PEM
.key => public/private PKCS#8 keys. DER or PEM.

View certificate content

openssl x509 -in ServerCertificate.pem -text -noout
openssl x509 -in ServerCertificate.der -inform der -text -noout

Encoding conversion

openssl x509 -in ServerCertificate.cer -outform der -out ServerCertificate.der
openssl x509 -in ServerCertificate.der -inform der -outform pem -out ServerCertificate.pem

Chain of Trust

openssl s_client –connect  -showcerts < /dev/null 2>/dev/null


Trust Stores

  • Application trust stores
    • Browser
      • Public keys of all major CAs come with release
    • Applications (JDK/Tomcat, ColdFusion etc)
      • Mostly there but less frequently updated.
      • You need to take care if stored in custom location.
/usr/local/java/jre/bin/keytool -import -v -alias SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4 -file /$path/SHA2_Standard_Inter_Symantec_Class_3_Standard_SSL_CA_G4.cer -keystore /application/conf/jssecacerts  -storepass changeit –noprompt

/usr/local/java/jre/bin/keytool -list -v -keystore /application/conf/jssecacerts  -storepass changeit –noprompt
/usr/cfusion8/runtime/jre/bin/keytool -import -v -alias SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3 -file /root/SHA2_EV_Inter_Symantec_Class_3_EV_SSL_CA_G3.cer -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts  -storepass changeit

/usr/cfusion8/runtime/jre/bin/keytool -list -v -keystore /usr/cfusion8/runtime/jre/lib/security/cacerts  -storepass changeit

Certificate pinning

HTTP Public Key Pinning, or HPKP (rfc7469).

This standard allows websites to send an HTTP header instructing the browser to remember (or “pin”) parts of its SSL certificate chain. The browser will then refuse subsequent connections that don’t match the pins that it has previously received. Here’s an example of an HPKP header:

# Generate private key and csr.
openssl genrsa -out mysite.key 4096
openssl req -new -key mysite.key -out mysite.csr
# Get the crt from CA
openssl x509 -noout -in mysite.crt -pubkey | openssl asn1parse -noout -inform pem -out
openssl dgst -sha256 -binary | openssl enc -base64
# Form the header and add to web server (eg:- apache).
Header add Public-Key-Pins "max-age=500; includeSubDomains;

Free & Open certificates

Let’s Encrypt