This article contains frequently used OpenSSL commands and is designed to help provide guidance when generating certificate signing requests (CSR). Learn here how to configure Acronis Cyber Files with trusted server certificates. OpenSSL downloads for Windows are available here. OpenSSL is not maintained or supported by Acronis. For complete documentation and support regarding OpenSSL you should visit the OpenSSL website.
You can use the current version 1 branch Win32 'Light' version, as it contains all the necessary components. It can be installed on another computer and does not need to be installed on the Acronis Cyber Files server.
Depending on the operating system version, you may need to install a Microsoft Visual C++ Redistributable Package (x86) available at Microsoft Visual C++ Redistributable latest supported downloads.
To create a certificate signing request (CSR), use this command. It will output a .csr file and a private key .pem file:
openssl req -new -out hostname.domain.tld.csr -sha256
If you need to specify a key length, you can use this command extension, replacing 2048 with the key length you need:
openssl req -new -newkey rsa:2048 -out hostname.domain.tld.csr -sha256
If you would like the private key to not be encrypted, use the nodes option:
openssl req -new -newkey rsa:2048 -out hostname.domain.tld.csr -nodes -sha256
When you have your signed certificate in PEM format, you can combine it with the unencrypted private key into a .pfx file suitable for importing into the Windows certificate store.
Combine PEM certificate and private key into pfx for Windows using this command:
openssl pkcs12 -export -in [filename.ext] -inkey [privkey.pem] -out [filename.pfx]
If you need to include an intermediate certificate in the certificate chain, you can do that using this command:
openssl pkcs12 -export -in [filename.ext] -inkey [privkey.pem] -out [filename.pfx] -certfile [CAfilename.ext]
You can use this command to tell if your private key .key file is encrypted with a passphrase:
openssl rsa -text -noout -in [privkey.pem]
If the key is encrypted with a passphrase, you will be prompted to enter the passphrase before the command will complete.
In the event your private key file is encrypted with a passphrase, you should export the key to an unencrypted file using this command before combining with your signed certificate:
openssl rsa -in [filename.ext] -out [privkey.pem]
(Note: OpenSSL 3 defaults to encryption that cannot be imported into Windows Server 2016 or earlier, you can continue to use OpenSSL 1 for these older operating systems.)
You can use this command to confirm a certificate is PEM encoded:
openssl x509 -in [filename.ext] -text -noout
You can use this command to confirm a certificate is DER encoded:
openssl x509 -in [filename.ext] -inform der -text -noout
You can use this command to export a DER encoded certificate to a PEM encoded certificate file:
openssl x509 -inform der -in [certificate.cer] -out [certificate.pem]
If you need to confirm that a private key is the right key to combine with a signed certificate, you can do this by confirming the modulus values match.
Display the modulus for a key file:
openssl rsa -noout -modulus -in [privkey.pem]
Display the modulus for a certificate:
openssl x509 -noout -modulus -in [certificate.pem]
Display the modulus for a certificate signing request:
openssl req -noout -modulus -in [hostname.domain.tld.csr]
Your certificate signing vendor may provide you with a PKCS#7 (.p7b) encoded signed certificate file that you will need to export to a PEM encoded certificate file before combining with your private key. You can use this command:
openssl pkcs7 -print_certs -in [filename.p7b] -out [filename.pem]
If you have a PKCS#12 (.pfx) encoded file that contains a certificate or a certificate chain and a private key, you can use these commands to export them.
This command will export the host certificate:
openssl pkcs12 -in [filename.pfx] -nokeys -out [hostcert.cer]
This command will export the intermediate chain certificate:
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | openssl x509 -out <chaincert.cer>
This command will export the private key:
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | openssl pkcs8 -nocrypt -out <privkey.pem>
This command will convert PEM encoded certificates to PKCS7 (P7B):
openssl crl2pkcs7 -nocrl -certfile [filename.pem] -out [filename.p7b]
If you need to include an intermediate certificate, you can use this command:
openssl crl2pkcs7 -nocrl -certfile [filename.pem] -out [filename.p7b] -certfile CACert.cer