Overview
Below is a list of commands commonly used when working with certificates and troubleshooting SSL.
Read certificates
1. Read a PEM certificate
openssl x509 -in certificate.pem -text -noout
2. Read a PFX/P12 certificate
keytool -list -v -keystore <keystore.pfx> -storetype PKCS12 -storepass <pass>
openssl pkcs12 -info -in <keystore.pfx>
3. Read a JKS Keystore
keytool -list -v -keystore <keystore.jks> -storetype JKS -storepass <pass>
Note: the “Entry type” field of each entry (PrivateKeyEntry or trustedCertEntry) tells you whether the JKS is a keystore or a truststore: a truststore contains only trustedCertEntry entries.
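The same inspection done in a script, as an added example that is not part of the original cheat sheet: it reads the fields you usually need when troubleshooting (subject, issuer, validity, serial, SHA-256 fingerprint), classifies a PEM file the way keytool's “Entry type” classifies JKS entries, and checks for upcoming expiry with `-checkend`. It assumes `openssl` 1.1.1 or newer on `PATH`; the certificate is a throwaway self-signed one generated inside the script, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): read the fields that
# matter when troubleshooting a certificate, and classify a PEM file the way
# keytool's "Entry type" classifies JKS entries. Assumes openssl 1.1.1 or
# newer on PATH; the certificate is a throwaway self-signed one generated here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: a self-signed certificate valid for one day, plus a
# combined file holding both the certificate and its private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
  -addext "subjectAltName=DNS:example.test" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
cat "$WORK/cert.pem" "$WORK/key.pem" > "$WORK/bundle.pem"

# One field of a certificate: subject, issuer, startdate, enddate or serial.
cert_field() {  # $1 = PEM file, $2 = field name
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*=//'
}

# SHA-256 fingerprint in the colon-separated form browsers and keytool show;
# compare this, not the subject, when checking that two files hold the same cert.
cert_fingerprint() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# keytool-style classification of a PEM file: a private key makes it a
# keystore (PrivateKeyEntry); certificates only make it a truststore
# (trustedCertEntry). Prints "keystore", "truststore" or "empty" plus counts.
pem_bundle_kind() {  # $1 = PEM file
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  if [ "$keys" -gt 0 ]; then echo "keystore ($keys key(s), $certs cert(s))"
  elif [ "$certs" -gt 0 ]; then echo "truststore ($certs cert(s))"
  else echo "empty"; fi
}

# Exit 0 if the certificate expires within the next $2 seconds; -checkend
# itself exits 0 when the cert is still fine, so the result is inverted here.
cert_expires_within() {  # $1 = PEM file, $2 = seconds
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

for f in subject issuer startdate enddate serial; do
  printf '%-10s %s\n' "$f:" "$(cert_field "$WORK/cert.pem" "$f")"
done
printf '%-10s %s\n' "sha256:" "$(cert_fingerprint "$WORK/cert.pem")"
printf '%-10s %s\n' "cert.pem:" "$(pem_bundle_kind "$WORK/cert.pem")"
printf '%-10s %s\n' "bundle:" "$(pem_bundle_kind "$WORK/bundle.pem")"
if cert_expires_within "$WORK/cert.pem" $((30 * 86400)); then
  echo "WARNING: certificate expires within 30 days"
fi
```

Point `cert_field` and `pem_bundle_kind` at your own PEM files to get the same summary; the fingerprint is the value to compare when you need to know whether the cert in a truststore is really the one the server sends.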
Convert certificates
4. Convert a JKS into a PKCS12 (all aliases)
keytool -importkeystore -srckeystore <keystore.jks> -srcstoretype JKS -deststoretype PKCS12 -destkeystore <keystore.p12>
5. Convert a JKS into a PKCS12 (only one alias)
keytool -importkeystore -srckeystore <keystore.jks> -destkeystore <keystore.p12> -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <pass> -deststorepass <pass> -srcalias <alias> -destalias <alias> -srckeypass <keypass> -destkeypass <keypass> -noprompt
6. Convert a PKCS12 into a PEM (with password)
openssl pkcs12 -in <cert.pfx> -out <cert.pem>
Note: add -nocerts to output only the private key, or -nokeys to output only the certificates.
7. Convert a PEM certificate and private key into a PKCS12
openssl pkcs12 -export -out <certificate.pfx> -inkey <privateKey.key> -in <certificate.crt> -certfile <CACert.crt>
8. Convert PEM to DER
openssl x509 -in <cert.pem> -inform PEM -out <cert.der> -outform DER
9. Convert DER to PEM
openssl x509 -inform der -in <certificate.cer> -out <certificate.pem>
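Items 6 to 9 chained together, as an added example that is not part of the original cheat sheet: PEM plus key goes into a PKCS12, comes back out as separate certificate and key files, the certificate is converted to DER and back, and the SHA-256 fingerprint is compared after every step so a silent mix-up (wrong file, wrong alias) is caught. It also shows the check that a private key really belongs to a certificate, which is the usual question behind "key values mismatch" errors. It assumes `openssl` 1.1.1 or newer; the certificate, the keys and the password `changeit` are throwaway values constructed inside the script.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): the PEM -> PKCS12 ->
# PEM -> DER -> PEM conversions from items 6 to 9, run end to end with the
# SHA-256 fingerprint compared after every step, plus the check that a private
# key really belongs to a certificate. Assumes openssl 1.1.1 or newer; the
# certificate, keys and password are throwaway values constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='changeit'   # constructed PKCS12 password, only for this example

# Constructed test data: a self-signed cert with its key, and an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null

# SHA-256 fingerprint of the first certificate in a PEM (default) or DER file.
fingerprint() {  # $1 = file, $2 = PEM|DER
  openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the key's public half is byte-for-byte the certificate's public key.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run the conversion chain and print the fingerprint seen at each stage.
roundtrip_fingerprints() {  # $1 = cert PEM, $2 = key PEM
  # 7. PEM cert + key -> PKCS12; -passout supplies the password without a prompt.
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$WORK/bundle.p12" -passout "pass:$PASS"
  # 6. PKCS12 -> PEM: certificates only (-nokeys), then the unencrypted key only.
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" -nokeys -out "$WORK/from_p12.crt"
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/from_p12.key"
  # 8. PEM -> DER, then 9. DER -> PEM.
  openssl x509 -in "$WORK/from_p12.crt" -outform DER -out "$WORK/cert.der"
  openssl x509 -inform DER -in "$WORK/cert.der" -out "$WORK/back.pem"
  fingerprint "$1"
  fingerprint "$WORK/from_p12.crt"
  fingerprint "$WORK/cert.der" DER
  fingerprint "$WORK/back.pem"
}

# Exit 0 if every stage of the round trip yields the same certificate.
roundtrip_ok() {  # $1 = cert PEM, $2 = key PEM
  [ "$(roundtrip_fingerprints "$1" "$2" | sort -u | wc -l | tr -d ' ')" = 1 ]
}

roundtrip_fingerprints "$WORK/cert.pem" "$WORK/key.pem"
roundtrip_ok "$WORK/cert.pem" "$WORK/key.pem" && echo "round trip: same certificate at every step"
key_matches_cert "$WORK/back.pem" "$WORK/from_p12.key" && echo "key from PKCS12 matches certificate"
key_matches_cert "$WORK/cert.pem" "$WORK/other.key" || echo "unrelated key does not match (expected)"
```

`-passout`/`-passin pass:...` replace the interactive prompt of items 6 and 7 for scripting; the password then shows up in the process list and shell history, so prefer `file:` or `env:` sources outside throwaway tests.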
Generate certificates
1. Generate a self-signed PEM certificate and key
NOTE: This can be used when enabling SSL on Apache or any other web server.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Troubleshooting
10. Read a cert from a remote host
echo QUIT | openssl s_client -connect <domain.com:443>
11. Simulate a client
openssl s_client -connect <domain.com:443> -showcerts -state -msg
openssl s_client -connect <domain.com:443> -showcerts -state -msg -CAfile <truststore.pem>
12. Simulate a server (clientAuth=False)
openssl s_server -accept 443 -cert <server-cert.pem> -pass pass:<pass> -WWW -state -msg -tlsextdebug
13. Simulate a server (clientAuth=True)
openssl s_server -accept 443 -cert <server-cert.pem> -pass pass:<pass> -WWW -state -msg -tlsextdebug -CAfile <truststore.pem> -Verify 1
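A local lab for items 10 to 13, as an added example that is not part of the original cheat sheet: it starts two `s_server` instances on loopback (one without and one with `-Verify 1`), pulls the server certificate with `s_client` as in item 10, reads the `Verify return code` with and without a `-CAfile` truststore as in item 11, and shows that the client-auth server rejects a handshake without a client certificate and accepts one with it. It assumes `openssl` 1.1.1 or newer and that loopback ports 44330 and 44331 are free; the server and client identities are self-signed throwaway certificates generated inside the script. The client-auth server is pinned to `-tls1_2` so that the missing-certificate failure happens inside the handshake and `s_client` reports it through its exit status.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): the s_server/s_client
# commands above run against each other on loopback. Assumes openssl 1.1.1+
# and that the two ports below are free (constructed values).
set -e
WORK=$(mktemp -d)
PLAIN_PORT=44330   # server without client authentication (item 12)
MTLS_PORT=44331    # server with -Verify 1, i.e. clientAuth=True (item 13)
SERVER_PIDS=""
trap 'kill $SERVER_PIDS 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway self-signed server and client identities (constructed test data).
gen_identity() {  # $1 = name, used as CN and file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
gen_identity server
gen_identity client

# Connect with s_client; exit 0 only if the handshake completed. Extra
# arguments (-CAfile, -cert/-key, ...) are passed straight to s_client.
handshake_ok() {  # $1 = port, rest = s_client options
  port=$1; shift
  openssl s_client -connect "127.0.0.1:$port" "$@" </dev/null >/dev/null 2>&1
}

# Start s_server in the background and return once a probe that carries the
# client certificate handshakes, so callers know the server is listening.
start_server() {  # $1 = port, rest = s_server options
  port=$1; shift
  openssl s_server -accept "127.0.0.1:$port" -cert "$WORK/server.pem" \
    -key "$WORK/server.key" -www -quiet "$@" >/dev/null 2>&1 &
  SERVER_PIDS="$SERVER_PIDS $!"
  n=0
  while [ "$n" -lt 50 ]; do
    if handshake_ok "$port" -CAfile "$WORK/server.pem" \
         -cert "$WORK/client.pem" -key "$WORK/client.key"; then return 0; fi
    n=$((n + 1)); sleep 0.1
  done
  echo "server on port $port did not come up" >&2; return 1
}

# Item 10: the leaf certificate the server presents, reduced to its subject.
remote_subject() {  # $1 = port
  openssl s_client -connect "127.0.0.1:$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Item 11: the numeric X509 verify result s_client reports (0 = ok,
# 18 = self-signed certificate that is not in the truststore, ...).
verify_code() {  # $1 = port, rest = s_client options
  port=$1; shift
  openssl s_client -connect "127.0.0.1:$port" "$@" </dev/null 2>/dev/null \
    | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

start_server "$PLAIN_PORT"
start_server "$MTLS_PORT" -tls1_2 -Verify 1 -CAfile "$WORK/client.pem"

echo "server presents:   $(remote_subject "$PLAIN_PORT")"
echo "no truststore:     verify code $(verify_code "$PLAIN_PORT")"
echo "with truststore:   verify code $(verify_code "$PLAIN_PORT" -CAfile "$WORK/server.pem")"
if handshake_ok "$MTLS_PORT" -CAfile "$WORK/server.pem"; then
  echo "clientAuth server, no client cert:   accepted"
else
  echo "clientAuth server, no client cert:   rejected"
fi
```

A verify code of 18 on a host you trust means the truststore handed to `-CAfile` does not contain that server's self-signed certificate; 0 after adding it is the result you want to see before blaming the application. Run the mTLS case with `-cert`/`-key` added to `handshake_ok` to see the same server accept the connection.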
14. Import a .pem certificate into a JKS truststore
openssl x509 -outform der -in cert.pem -out cert.der
keytool -import -alias <alias> -keystore <truststore.jks> -file cert.der