Working with Digital Certificates

On Ubuntu 20.

Digital certificates are a fundamental part of modern security. They help prove authenticity: a certificate binds a public key to a name (a host, a service or a person) and is signed by a certificate authority, so whoever can use the matching private key can show they are who they claim to be.

File Formats (PFX & PKCS #12)


Certificates are stored and transferred as files.

Wikipedia explains the file types well:

“In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.”

“PKCS #12 is the successor to Microsoft’s ‘PFX’; however, the terms ‘PKCS #12 file’ and ‘PFX file’ are sometimes used interchangeably.”



View File Contents


# Windows only (built-in tool):

certutil -dump filename.pfx

# OpenSSL (Windows build shown; on Ubuntu drop the .exe and use a normal path).
# You are prompted for the import password; add -noout to print the summary
# without dumping the certificates and key to the terminal.

openssl.exe pkcs12 -info -in c:\temp\cert.pfx

# For help: openssl pkcs12 -help


Extract Certificate 


# -clcerts = only output the end-entity (leaf) certificate, i.e. the one whose
# private key is in the file; -nokeys = don't write the key

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]


# -cacerts = only output the CA (intermediate and root) certificates

openssl pkcs12 -in [yourfile.pfx] -cacerts -nokeys -out [drlive.bundle]


Extract Private Key


# -nocerts = only output the private key. openssl asks for the PFX import
# password, then for a new PEM pass phrase to protect the exported key.
# (Add -nodes to skip the pass phrase and write the key unencrypted directly.)

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

# Strip the pass phrase, e.g. for a server that has to start unattended.
# The output is plaintext key material: chmod 600 it and don't leave copies
# lying around. (RSA keys only; openssl rsa will refuse an EC key.)

openssl rsa -in [drlive.key] -out [drlive-decrypted.key]


Create Intermediate Certificate Bundle 


From PFX file: 

# -cacerts = only output the CA certificates (intermediates plus root, no leaf)

openssl pkcs12 -in [yourfile.pfx] -cacerts -nokeys -out [drlive.bundle] 


From CRT files:


Check Certificate 


openssl x509 -in certname.crt -text -noout 


Check Key 


# -check verifies the RSA key's internal consistency (that the primes actually
# produce the modulus); it says nothing about whether the key belongs to any
# certificate. RSA keys only.

openssl rsa -in keyname.decrypted.key -check 


Check Key Matches Certificate 


The two MD5 digests must be identical: both commands print the RSA modulus, so a match means the certificate's public key and the private key belong together (a mismatch is the classic cause of a web server refusing to start after a certificate renewal). This only works for RSA keys, since EC keys have no modulus. 

openssl x509 -noout -modulus -in certname.crt | openssl md5 

openssl rsa -noout -modulus -in keyname.decrypted.key | openssl md5 
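The whole workflow above, end to end, as an added example that is not part of the original page: the script builds a throwaway root CA, intermediate CA and leaf certificate, packs them into a PFX the way a vendor or a Windows export would, then runs the page's extraction commands (-clcerts, -cacerts, -nocerts), builds the bundle from CRT files, and performs the key/certificate cross-checks. Every name in it (Demo Root CA, demo.example, demo.pfx, the import password) is invented for the demo. It also goes one step beyond the page by comparing the full public keys, which works for EC keys too, and by verifying the leaf against the extracted bundle.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway root CA,
# intermediate CA and leaf certificate, pack them into a PFX the way a vendor
# or a Windows export would, then run the page's extraction and cross-check
# commands against it. Every name below (Demo Root CA, demo.example, demo.pfx,
# the import password) is invented for the demo.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=changeit   # demo import password only; never hard-code a real one

# Constructed fixture: root -> intermediate -> leaf, bundled into demo.pfx.
make_fixture() {
  cd "$WORK"
  # an intermediate must carry CA:TRUE or `openssl verify` rejects it as an issuer
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.crt 2>/dev/null
  # "From CRT files": a bundle is just the CA certs concatenated, leaf-most first
  cat int.crt root.crt > chain-from-crt.crt
  # key + leaf + CA chain in one PKCS#12 file
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain-from-crt.crt \
    -passout "pass:$PFX_PASS" -out demo.pfx
}

# The page's three extraction commands ("From PFX file"), made non-interactive.
extract_from_pfx() {
  cd "$WORK"
  openssl pkcs12 -in demo.pfx -clcerts -nokeys -passin "pass:$PFX_PASS" -out leaf-out.crt
  openssl pkcs12 -in demo.pfx -cacerts -nokeys -passin "pass:$PFX_PASS" -out ca-bundle.crt
  # -nodes skips the PEM pass phrase, so the key lands on disk in plaintext:
  # restrict it immediately and delete it when the job is done
  openssl pkcs12 -in demo.pfx -nocerts -nodes -passin "pass:$PFX_PASS" -out leaf-out.key
  chmod 600 leaf-out.key
}

# The page's check: MD5 of the RSA modulus must be identical for cert and key.
modulus_matches() {
  cd "$WORK"
  c=$(openssl x509 -noout -modulus -in leaf-out.crt | openssl md5)
  k=$(openssl rsa -noout -modulus -in leaf-out.key | openssl md5)
  [ "$c" = "$k" ]
}

# Same question asked algorithm-independently: compare the full public keys,
# which also works for EC keys where there is no modulus to compare.
pubkey_matches() {
  cd "$WORK"
  c=$(openssl x509 -noout -pubkey -in leaf-out.crt | openssl sha256)
  k=$(openssl pkey -pubout -in leaf-out.key | openssl sha256)
  [ "$c" = "$k" ]
}

# Key is internally consistent and the leaf chains to the root through the
# extracted bundle. Only the root is a trust anchor; intermediates stay untrusted.
key_and_chain_ok() {
  cd "$WORK"
  openssl rsa -in leaf-out.key -check -noout >/dev/null 2>&1 &&
    openssl verify -CAfile root.crt -untrusted ca-bundle.crt leaf-out.crt >/dev/null 2>&1
}

# Negative case: an unrelated key must NOT match the extracted certificate.
wrong_key_detected() {
  cd "$WORK"
  openssl genrsa -out other.key 2048 2>/dev/null
  c=$(openssl x509 -noout -pubkey -in leaf-out.crt | openssl sha256)
  k=$(openssl pkey -pubout -in other.key | openssl sha256)
  [ "$c" != "$k" ]
}

main() {
  make_fixture
  extract_from_pfx
  modulus_matches    && echo "modulus: key matches certificate"
  pubkey_matches     && echo "public key: key matches certificate"
  key_and_chain_ok   && echo "key checks out and leaf verifies against root via bundle"
  wrong_key_detected && echo "unrelated key correctly rejected"
  openssl x509 -noout -subject -issuer -dates -in leaf-out.crt
}
main
```

Run it with `sh demo.sh`; everything happens in a temporary directory that is removed on exit. Note the ordering in the CRT-file bundle (intermediate before root) and that `openssl verify` is given the root alone as `-CAfile`: putting intermediates in the trust store hides a broken or missing intermediate, which is exactly the kind of misconfiguration that works in your test and fails for real clients.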

Test a Live Site Certificate 

# Connect with SNI (-servername), print the chain the server actually sends
# (-showcerts) and read the leaf's subject, issuer and validity window.
# Also look at the "Verify return code" line in the s_client output: anything
# other than 0 (ok) means the chain does not validate against the local trust store.

openssl s_client -connect [hostname]:443 -servername [hostname] -showcerts </dev/null \
  | openssl x509 -noout -subject -issuer -dates