SSL / OpenSSL / Certificates Cheat Sheet

OpenSSL Commands

Display certificate information


# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text

Standards and Formats

X.509 certificates are used

Certificate filename extensions

Common filename extensions for X.509 certificates are:

  • .pem – (Privacy Enhanced Mail) Base64 encoded DER certificate,
    enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)


Self-signed certificates

PKI root certificate URL:

PKI class 3 certificate URL: