Working with TLS/SSL Certificate


TLS and SSL are the same protocol. In 1996, the Internet Engineering Task Force formed a group to study having a standardized version of web browser encryption. Likewise, they got together with several companies, including Microsoft and Netscape, and decided to take the SSL protocol and write it into a standard. SSL has been renamed to TLS on 1999.


Early research efforts towards transport layer security included the Secure Network Programming (SNP) application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resembling Berkeley sockets, to facilitate retrofitting pre-existing network applications with security measures.


What is Public and Private Key

Basically, the public/private key pair is used in digital certificates.

To clarify, a private key is one half of the pair. The private key is created before or during the time in which the Certificate Signing Request (CSR) is created.

In addition, a CSR is a public key that is generated on a server or device according to the server software instructions.

Exchange keys

A client sends a public key request to server and server sends back the agreed public key. Furthermore, the client and server both use the same algorithm using their own private key and found the Encryption Key.

Request a certificate

There are three steps to request a certificate from a CA

  1. Generate Private Key
  2. Generate Certificate Request using Private Key
  3. Send the certificate to Certificate Authority (CA)

1. Generate Private Key

openssl genrsa -out cabbage.private.key 2048

The command will generate a private key. After generating the private key please Keep it safe. Therefore, no matter how much cybersecurity or end-point security you have in place if private keys are mismanaged then all security measures have been undermined.


For instance, OpenSSL genrsa can be used to generate private key using

SymmetricRSA Key Length

Table 1: RSA Key Sizes (in bits) [more]

2. Generate Certificate Request using Private Key

Secondly, we need to create a Certificate Signing Request (CSR) with the previously created private key

openssl req -new -sha256 -key cabbage.private.key -out cabbage.certificate.csr


PKCS#10 certificate request and certificate generating utility. It can additionally create self-signed certificates for use as root CAs for example. You may find more details here

3. Send the certificate to Certificate Authority (CA)

Finally, you need to send this CSR file to Certificate Authority. CA will use the Root certificate or Intermediate Certificate to create the Certificate. In most cases, it is created in Privacy Enhanced Mail PEM format

 openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001 

Certificate File Formats

Consequently, SSL has been around for long enough that there are too many Standards.

  1. .csr – This is a Certificate Signing Request.
  2. .pem – Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate, or may include an entire certificate chain including public key, private key, and root certificates.
  3. .key – This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.
  4. .pkcs12 .pfx .p12 – defined by RSA in the Public-Key Cryptography Standards, the “12” variant was originally enhanced by Microsoft
  5. .der – A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file.
  6. .cert .cer .crt – A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
  7. .crl – A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

In brief, there are four different ways to present certificates and their components:

  • PEM – Governed by RFCs, it is used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
  • PKCS7 – An open standard used by Java and supported by Windows. And also this does not contain private key material.
  • PKCS12 – A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. In contrast, it can contain private key material. It’s used preferentially by Windows systems. In addition, you can freely convert to PEM format through the use of OpenSSL.
  • DER – The parent format of PEM. It’s useful to think of it as a binary version of the base64-encoded PEM file. But outside of Windows, it is not routinely used very much .

Off the record, this is partially copied from a StackOverflow answer

Certificate Chain

The certificate chain, also known as the certificationpath , is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificateof that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.

How certificate chains work
Certificate Chain used to sign a server certificate

Certificate Conversions

Certainly, you can covert certificates online without installing any tools


There are many tools, for example, OpenSSL, Key Explorer can be used to work with certificates


Ordinarily, you can use the OpenSSL utility to generate a Private Key, Certificate Signing Request (CSR) and Self-Signed Certificate. Thus, all the commands mentioned above are using OpenSSL

Helpful commands

For instance, If you want to view the server certificate in command prompt.

openssl s_client -connect -showcerts 

Consequently, you can use the following command to generate private key

openssl genrsa -out filename.private.key 2048

Meanwhile, to create the certificate request with the private key use the command below

openssl req -new -sha256 -key filename.private.key -out filename.certificate.csr

Besides, if a server certificate conversion is required from PEM to P12 format

openssl pkcs12 -export -in server.certificate.pem -inkey filename.private.key -out server.cert.combined.privatekey.p12

KeyStore Explorer

Likewise, KeyStore Explorer is an open-source GUI replacement for the Java command-line utilities keytool and jarsigner. Moreover, you need JVM to install this

You can download from here

In addition, More about supported Features.


Above all, there are some websites that you can verify TLS certificates and do the conversion. SSLShopper


  1. Pluralsight course: Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs) Module 2
  2. What is a private key/public key pair?
  3. Verifying the validity of an SSL certificate
  4. ECC Cipher Suites for TLS
  5. Finally, What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

I would like to hear your thoughts