Notes on SSL Certs

Split a PKCS #12 public and private key pair (*.pfx file) into two files, a public key file and a private key file:

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key

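The first command extracts the public key (as a certificate) to domain.cer.
The second command extracts the private key to domain.key. Because of -nodes, the key is written without passphrase protection, so restrict access to the file.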

Back the other way

openssl pkcs12 -inkey domain.key -in domain.cer -export -out domain.pfx

Convert private key into RSA key

openssl rsa -in -out

Place the public and private RSA key parts together into a new file (domain.pem) for SSL use, such as with Pound Proxy, in the following order (typically the Root CA cert is not required!):

...  Private RSA key
...  Public key cert
...  Intermediate issuers cert
...  Root CA cert
cat >
cat >>
cat intermediate-ca.crt >> 

Certificate file types

This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.

This is the public-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs).

This is the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates are very important, and some programs will refuse to load these certificates if they are set wrong.

.pkcs12 .pfx .p12
A passworded container format that contains both public and private certificate pairs. 

Fills the same function as a .pem file, but a different format. OpenSSL can convert these to .pem. I've only ever run into them in the wild with Novell's eDirectory certificate authority.

.cert .cer .crt
A .pem file with a different extension. This extension is recognized by Windows Explorer as a certificate, which .pem is not.

A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.
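
The combined-file order given earlier (RSA private key first, then the certificates) and the point about rights on private key files can both be checked before a proxy loads the file. This is an added example, not part of the original notes; the function names and the sample blocks are constructed for illustration, and the mode check assumes a POSIX system.

```python
import os
import re
import stat

# Matches one PEM block and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Labels of the PEM blocks in file order. Text between blocks, such as
    the 'Bag Attributes' lines openssl pkcs12 writes, is skipped."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle(text):
    """Problems with a combined file laid out as the notes describe:
    RSA private key first, followed by one or more certificates."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    if labels[0] != "RSA PRIVATE KEY":
        problems.append("first block is %r, not the RSA private key" % labels[0])
    if sum("PRIVATE KEY" in label for label in labels) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no certificate after the key")
    return problems

def key_mode_problems(path):
    """Flag a key file whose group/other permission bits are set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is mode %o; group/other bits should be clear" % (path, mode)]
    return []

def fake_block(label):
    """Constructed PEM block: the body is a placeholder, not key material."""
    return "-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (label, label)

# Constructed samples: a correctly ordered bundle, and raw pkcs12 output
# pasted together in the wrong order without the openssl rsa step.
GOOD = fake_block("RSA PRIVATE KEY") + fake_block("CERTIFICATE") * 2
BAD = ("Bag Attributes\n    friendlyName: constructed\n"
       + fake_block("CERTIFICATE") + fake_block("PRIVATE KEY"))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, pem_labels(text), check_bundle(text) or "ok")
```
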

Online SSL Checker (for HTTPS):