PKI Key Pairs Generator
Generate public/private key pairs without creating certificates. Useful for testing, development, or when you need raw keys for custom certificate workflows.
Generated Key Pairs
| Key Pair Name | Key Pair Size | Key Pair Algorithm | Key Pair Curve Name | Actions |
|---|
Equivalent OpenSSL Commands
Base64 Tools
Encode or decode RSA keys to/from Base64 format.
Input
Output
Equivalent OpenSSL Commands
# Encode Flow: PEM Key → Double-Encoded Base64 # Step 1: Remove PEM headers/footers and newlines # Step 2: Base64 encode the raw content (double encode) # # Equivalent OpenSSL Commands: # Step 1 - Extract raw base64 from PEM: sed '/-----/d' private_key.pem | tr -d '\n' # # Step 2 - Double-encode to base64: sed '/-----/d' private_key.pem | tr -d '\n' | base64 -w 0
RSA Text Encrypt/Decrypt
Encrypt or decrypt text locally with RSA PEM keys. Use generated RSA key pairs from this tab, paste a key, or upload a key file.
Encryption
Decryption
Root Certificate Authority (CA)
Generated CA Certificate
CA Certificate (PEM)
Equivalent OpenSSL Commands
Generate Certificate
Generated Certificate
Private Key (PEM)
Certificate (PEM)
CSR (PEM)
Equivalent OpenSSL Commands
DevOps Export Panel
PEM/CERT Contents
⚠️
Generate a CA and Certificate first to enable exports
Email Delivery (Optional)
Kubernetes Secret YAML
⚠️
Generate a CA and Certificate first to enable exports
TLS Secret (from generated certificate)
CA Secret (from generated CA)
Upload your certificate and key files to enable Kubernetes Secret YAML
generation
Generate from Custom Files
Upload your own certificate and key files to generate Kubernetes Secret YAML.
Generated Secret:
SSL Certificate Checker
Inspect certificate details from PEM content or certificate files. Domain checks need a server-side TLS lookup because browsers do not expose remote peer certificate details to JavaScript.
Check by Domain
Check by Certificate File
Check by PEM Content
SSL Details
Certificate details parsed locally.
Certificate Information
- Common Name
- -
- Subject Alternative Names
- -
- Organization
- -
- Organization Unit
- -
- Locality
- -
- State
- -
- Country
- -
- Valid From
- -
- Valid To
- -
- Expired In
- -
- Issuer
- -
- Serial Number
- -
Certificate Chain
OpenSSL Commands
Use these commands to inspect a remote certificate or a local certificate file from your terminal.
OpenSSL CLI Commands
Complete reference for generating SSL certificates using OpenSSL command-line tools. All commands use OpenSSL 1.1.1+ syntax.
💡
Tip: Run
openssl version to check your installed version. Commands with
-addext require OpenSSL 1.1.1 or later.
1. Generate Root CA
Create a self-signed root certificate authority. The CA is used to sign server/client certificates, establishing a chain of trust.
Generate CA Private Key
openssl genrsa -out ca.key 4096
Generate CA Certificate (Self-Signed)
openssl req -new -x509 -key ca.key -sha256 -days 3650 -out ca.crt \ -subj "/C=US/O=My Organization/CN=My Root CA" \ -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \ -addext "keyUsage=critical,keyCertSign,cRLSign"
View CA Certificate Details
openssl x509 -in ca.crt -text -noout
2. Generate Server Certificate (CA-Signed)
Create a certificate signed by your CA for a domain. This is the recommended approach for development — browsers will trust this cert after installing the CA.
Generate Server Private Key
openssl genrsa -out server.key 2048
Generate CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr \ -subj "/C=US/O=My Organization/CN=example.com" \ -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
Sign CSR with CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \ -CAcreateserial -out server.crt -days 365 -sha256 \ -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com")
3. Generate Self-Signed Certificate
Quick one-liner for a self-signed certificate without a CA. Ideal for quick local testing, but browsers will show a warning.
Generate Self-Signed Certificate
openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt \ -days 365 -nodes \ -subj "/C=US/O=My Organization/CN=example.com" \ -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
4. Generate ECDSA Certificate
ECDSA keys are smaller and faster than RSA. P-256 (prime256v1) is widely supported; P-384 (secp384r1) offers stronger security.
Generate ECDSA Private Key
openssl ecparam -name prime256v1 -genkey -noout -out server.key
Generate ECDSA Certificate
openssl req -new -x509 -key server.key -out server.crt \ -days 365 -nodes \ -subj "/C=US/O=My Organization/CN=example.com" \ -addext "subjectAltName=DNS:example.com"
5. Verify and Inspect Certificates
Essential commands for debugging certificate issues and verifying the trust chain.
View Certificate Details
openssl x509 -in server.crt -text -noout
View CSR Details
openssl req -in server.csr -text -noout
Verify Certificate Against CA
openssl verify -CAfile ca.crt server.crt
Check Certificate Expiry
openssl x509 -enddate -noout -in server.crt
Extract Public Key from Certificate
openssl x509 -pubkey -noout -in server.crt
6. Convert Certificate Formats
Convert between PEM (Base64, most common), DER (binary), and PKCS#12 (bundled key+cert, used by Windows/Java).
PEM to DER
openssl x509 -in server.crt -outform der -out server.der
DER to PEM
openssl x509 -in server.der -inform der -outform pem -out server.crt
PEM to PKCS#12 (.pfx/.p12)
# Export key + certificate + optional CA chain to PKCS#12 openssl pkcs12 -export -out server.p12 \ -inkey server.key \ -in server.crt \ -certfile ca.crt \ -passout pass:password123
PKCS#12 to PEM
# Extract certificate and private key from PKCS#12 openssl pkcs12 -in server.p12 -out server.pem -nodes -passin pass:password123
7. Key Management
Commands for managing private keys. Always protect private keys — never commit them to version control.
Generate RSA Key with Passphrase
openssl genrsa -aes256 -out server.key 2048
Remove Passphrase from Key
openssl rsa -in server.key -out server.key.nopass
View Key Details
openssl rsa -in server.key -text -noout
Convert Key to PKCS#8
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server.pkcs8
8. SAN Configuration File
For complex certificates with multiple domains/IPs, use a config file instead of
-addext. This is required for wildcard certificates and gives full control over
extensions.
san.cnf — Full Example (Domains + IPs)
cat > san.cnf <<'EOF' # ────────────────────────────────────────────── # san.cnf — OpenSSL config for SAN certificates # ────────────────────────────────────────────── [req] default_bits = 2048 default_md = sha256 distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no # ── Subject fields ── [req_distinguished_name] C = US ST = California L = San Francisco O = My Organization OU = Engineering CN = example.com # ── Extensions for server certificates ── [v3_req] basicConstraints = CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names # ── Subject Alternative Names ── # Add all domains and IPs the cert should cover [alt_names] # Domain names DNS.1 = example.com DNS.2 = www.example.com DNS.3 = api.example.com DNS.4 = *.dev.example.com # IPv4 addresses IP.1 = 127.0.0.1 IP.2 = 192.168.1.100 IP.3 = 10.0.0.50 # IPv6 addresses IP.4 = ::1 IP.5 = fd00::1 EOF
san-ca.cnf — CA Config (for signing)
cat > san-ca.cnf <<'EOF' # Config used when CA signs a CSR (copies extensions from this file) [v3_req] basicConstraints = CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = api.example.com IP.1 = 127.0.0.1 IP.2 = 192.168.1.100 EOF
Step 1 — Generate Key + CSR using san.cnf
# Generate private key openssl genrsa -out server.key 2048 # Generate CSR with SAN from config openssl req -new -key server.key -out server.csr -config san.cnf # Verify SAN is in the CSR openssl req -in server.csr -text -noout | grep -A1 "Subject Alternative Name"
Step 2 — Sign CSR with CA (using san-ca.cnf)
# Sign with CA — must use -extfile to include SAN in the final cert openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \ -CAcreateserial -out server.crt -days 365 -sha256 \ -extfile san-ca.cnf -extensions v3_req # Verify SAN in the signed certificate openssl x509 -in server.crt -text -noout | grep -A1 "Subject Alternative Name"
One-Liner — Self-Signed with san.cnf
# Skip CSR — generate self-signed cert directly from config openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt \ -days 365 -nodes -config san.cnf -extensions v3_req # Quick verify openssl x509 -in server.crt -noout -subject -ext subjectAltName
9. Wildcard & Multi-Domain Certificates
Wildcard certs (*.example.com) cover all subdomains at one level. Combine with explicit entries for full coverage.
Generate Wildcard Certificate
openssl req -x509 -newkey rsa:2048 -keyout wildcard.key -out wildcard.crt \ -days 365 -nodes \ -subj "/C=US/O=My Organization/CN=*.example.com" \ -addext "subjectAltName=DNS:*.example.com,DNS:example.com"
Multi-Domain (SAN) Certificate
# Single cert covering multiple domains openssl req -x509 -newkey rsa:2048 -keyout multi.key -out multi.crt \ -days 365 -nodes \ -subj "/C=US/O=My Organization/CN=app.example.com" \ -addext "subjectAltName=DNS:app.example.com,DNS:api.example.com,DNS:admin.example.com,IP:192.168.1.100"
10. Web Server Configuration
Copy-paste configurations for popular web servers and runtimes.
Nginx
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Optional: verify client certs (mTLS)
# ssl_client_certificate /etc/nginx/ssl/ca.crt;
# ssl_verify_client on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:3000;
}
}
Apache
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
</VirtualHost>
Node.js (Express/HTTPS)
const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();
const options = {
key: fs.readFileSync('./certs/server.key'),
cert: fs.readFileSync('./certs/server.crt'),
ca: fs.readFileSync('./certs/ca.crt') // optional: for client cert verification
};
app.get('/', (req, res) => res.send('Hello HTTPS!'));
https.createServer(options, app).listen(443, () => {
console.log('HTTPS server running on port 443');
});
Docker Compose (Nginx + SSL)
services:
web:
image: nginx:alpine
ports:
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./certs/server.crt:/etc/nginx/ssl/server.crt:ro
- ./certs/server.key:/etc/nginx/ssl/server.key:ro
11. Trust Store Installation
Install your CA certificate into the OS trust store so browsers and tools trust certificates signed by it.
macOS — Add to System Keychain
# Add CA to system trust store (requires admin password) sudo security add-trusted-cert -d -r trustRoot \ -k /Library/Keychains/System.keychain ca.crt # Remove CA from trust store sudo security delete-certificate -c "My Root CA"
Ubuntu / Debian
# Copy CA cert and update trust store sudo cp ca.crt /usr/local/share/ca-certificates/my-root-ca.crt sudo update-ca-certificates # Remove: delete the file and run update-ca-certificates --fresh
RHEL / CentOS / Fedora
sudo cp ca.crt /etc/pki/ca-trust/source/anchors/my-root-ca.crt sudo update-ca-trust extract
Windows (PowerShell — Run as Admin)
# Import CA to Trusted Root store Import-Certificate -FilePath "ca.crt" -CertStoreLocation Cert:\LocalMachine\Root # Or using certutil certutil -addstore -f "ROOT" ca.crt
12. Troubleshooting
Common commands for diagnosing SSL/TLS issues in production and development.
Test SSL Connection to a Server
# Connect and display server certificate openssl s_client -connect example.com:443 -servername example.com # Fetch and print the full certificate chain openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null # Show remote leaf certificate details openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \ openssl x509 -noout -text # Show subject, issuer, serial, dates, and SAN openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \ openssl x509 -noout -subject -issuer -serial -dates -ext subjectAltName
Verify Key Matches Certificate
# These two commands should output the same modulus hash openssl x509 -noout -modulus -in server.crt | openssl md5 openssl rsa -noout -modulus -in server.key | openssl md5 # If they match, the key belongs to the certificate
Check Certificate Dates & Expiry
# Show start and end dates openssl x509 -in server.crt -noout -dates # Check days until expiry openssl x509 -in server.crt -noout -checkend 2592000 # Returns 0 if valid for 30+ days, 1 if expiring within 30 days
Debug Full Certificate Chain
# Verify complete chain with verbose output openssl verify -verbose -CAfile ca.crt server.crt # Check a remote server's chain openssl s_client -connect example.com:443 -CAfile ca.crt 2>/dev/null | \ grep "Verify return code"
Check TLS Version & Cipher Used
# Test specific TLS version openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3 # List available ciphers openssl ciphers -v 'HIGH:!aNULL:!MD5'
13. Quick Reference
Common OpenSSL options and parameters.
| Option | Description |
|---|---|
-newkey rsa:2048 |
Generate new 2048-bit RSA key |
-newkey ec:prime256v1 |
Generate new ECDSA P-256 key |
-days 365 |
Certificate validity in days (max ~825 for browser trust) |
-sha256 |
Use SHA-256 hash algorithm (recommended minimum) |
-nodes |
No DES encryption — private key will not have a passphrase |
-x509 |
Output a self-signed certificate instead of a CSR |
-subj "/C=US/O=Org/CN=name" |
Set subject fields inline without interactive prompts |
-addext "extension" |
Add X.509 extension (OpenSSL 1.1.1+) |
-text -noout |
Print human-readable certificate details (no PEM output) |
-CAcreateserial |
Auto-create serial number file when signing with CA |
-extfile <file> |
Read extensions from external config file |
-config <file> |
Use custom OpenSSL configuration file |
-inform / -outform |
Specify input/output format: PEM (default) or DER |
-passin / -passout |
Supply passphrase via argument, file, env, or stdin |
Common File Extensions
| Extension | Description |
|---|---|
.key |
Private key (PEM or DER) — keep secret! |
.crt / .cer |
Certificate (PEM or DER) |
.csr |
Certificate Signing Request |
.pem |
Base64-encoded — can contain key, cert, or both |
.der |
Binary-encoded certificate or key |
.pfx / .p12 |
PKCS#12 bundle — key + cert + chain (password-protected) |
.ca-bundle |
Concatenated intermediate + root CA certificates |