Openssl TLS https certificates

Generating and converting OpenSSL

How to generate CSR, verify and convert to different formats.

Generate CSR with alternative name

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -addext "subjectAltName ="

server.key file should be kept SECRET!

This CSR should be sent to Certificate Authority. In return you’ll receive a signed certificate, that could be in DER format. Below you’ll find how to convert it to PEM format.



openssl req -text -noout -verify -in server.csr

Public Cert (CER) inform DER

openssl x509 -inform der -noout -text -in server.cer


DER -> PEM (eg. for nginx)

openssl x509 -inform der -in server.cer -out server.pem

Certificate Authority Chain

The certificate in PEM format should have CA chain appended to it. To do that, first find CA chain of your Certificate authority and then simply cat ca_chain >> server.pem. Just remember, that it also has to be in PEM format.