Virginia Tech Certification Authority

Technical PKI FAQ

General Technical Information

Certificate Signing Request (CSR) Creation Information

Server Information

How to's


What is OpenSSL?

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

What is PKCS #12?

PKCS #12 or Public Key Cryptography Standard #12 is a standard for securely storing private keys and certificates. It is often used by browsers including Mozilla Firefox and Microsoft Internet Explorer for transporting keys when using import and export functions.

How are certificates stored?

Certificates are kept in special repositories called keystores and can be distributed in several different formats:
1. X.509 format (.cer and .crt file extensions on Windows). This widely supported format represents an individual certificate.
2. Cryptographic Message Syntax, PKCS #7 format (.p7b file extension on Windows). This format is used for exporting the complete certificate chain.
3. Personal Information Exchange Syntax, PKCS #12 format (.pfx and .p12 file extensions on Windows). This format is used for exporting the public/private key pair, and is very helpful for importing key pairs into browsers.
4. Certificate Signing Request (CSR) Syntax, PKCS #10 format. This format is used for generating signing requests to trusted certificate signing authorities.



How can I display the content of a certificate using OpenSSL?

$ openssl x509 -in cert.pem -noout -text



How can I display the certificate MD5 fingerprint using OpenSSL?

$ openssl x509 -in cert.pem -noout -fingerprint -md5

Without -md5, current OpenSSL releases print the SHA-1 fingerprint.



How can I convert a certificate from PEM to DER format using OpenSSL?

$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER



How can I tell PEM format from DER?

Start by opening the file in a text editor. If the file starts with a "-----BEGIN CERTIFICATE-----" line, contains data that looks like this:

UVMFfq342wkq9Yo/g+4tIWsrA23om5xVhXmMtnS+ACl0YUDcotkYJMnb+dr MWO+am

and ends with a "-----END CERTIFICATE-----" line, then it is in PEM format. If the file looks like a binary file with nothing readable in it, then it is DER.



How can I test SSL/TLS certificates that are revoked or expired?

The VT Global Qualified Web Server CA hosts the following test web pages that allow you to test your software with certificates that are (i) valid, (ii) revoked, and (iii) expired.
(i) valid -
(ii) revoked -
(iii) expired -



Can I use the Internet Information Services (IIS) Certificate Wizard to make a CSR for the VTCA?

Yes; however, you may want to back up or export your current certificate before removing it. Your certificate must have at least a 2048-bit key.

Follow the directions at



How can I generate an RSA key pair and make a PKCS #10 request using OpenSSL?

  1. Generate the RSA key pair and certificate signing request (CSR) as follows (use the default file names key.pem and req.pem or substitute your own file names):
    $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

    If you wish to encrypt your private key, do not include the -nodes option.

  2. Detailed directions are at OpenSSL + Related



How can I package my certificate and its corresponding private key into a PKCS #12 file?

You will receive your certificate from IMCS in DER format. You must convert it to PEM format:

$ openssl x509 -inform DER -in download.cer -outform PEM -out download.pem

Then you can package your certificate into a PKCS #12 file using the OpenSSL command below:

$ openssl pkcs12 -export -inkey key.pem -in download.pem -out myserver.p12 -name "my test cert"

download.cer: the certificate you received from IMCS
key.pem: the key you created when you made your CSR
myserver.p12: the output file where the PKCS #12 file will be stored
my test cert: a friendly name that can be anything you like
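
A pre-flight check for the packaging steps above, as an added example that is not VTCA's own code: it tells PEM from DER the way the earlier answer describes, confirms that the private key really belongs to the downloaded certificate, and only then builds the PKCS #12 file. The function names are hypothetical, and the key is assumed to be unencrypted (created with -nodes).

```shell
#!/bin/sh
# Added example (not VTCA code). Function names are hypothetical; only
# standard openssl subcommands and options are used.

# Print PEM or DER for a certificate file; return 1 if it is neither.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# Succeed only if private key $1 belongs to certificate $2 (PEM or DER).
# Compares the public key extracted from each file.
key_matches_cert() {
    fmt=$(cert_format "$2") || return 2
    cert_pub=$(openssl x509 -in "$2" -inform "$fmt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# package_p12 KEY CERT OUT NAME [extra pkcs12 options, e.g. -passout ...]
# Refuses to build the PKCS #12 file unless the key matches the certificate.
package_p12() {
    key=$1 cert=$2 out=$3 name=$4
    shift 4
    key_matches_cert "$key" "$cert" || {
        echo "refusing: $key does not match $cert" >&2
        return 1
    }
    pem=$(mktemp) || return 1
    # Normalise the certificate to PEM, then export with a private umask
    # so the file holding the private key is readable by its owner only.
    openssl x509 -in "$cert" -inform "$(cert_format "$cert")" -outform PEM -out "$pem" &&
        (umask 077 && openssl pkcs12 -export -inkey "$key" -in "$pem" \
            -out "$out" -name "$name" "$@")
    rc=$?
    rm -f "$pem"
    return $rc
}
```

Called as package_p12 key.pem download.cer myserver.p12 "my test cert", it prompts for the export password exactly as the plain openssl pkcs12 command does.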



How can I configure TLS/SSL for OpenLDAP server?

Reference for the latest information on configuring TLS/SSL for OpenLDAP servers.



How can I use certificates with servers like Apache and Tomcat?

Reference: for the latest information on configuring Apache and Tomcat servers



How do I create and install a VT SSL server certificate for Windows 2008 Server using the IIS Certificate Wizard?

Follow the directions provided at Install Virginia Tech Server Certificate using IIS Certificate Wizard.


How can I find my certificate by certificate serial number on the EJBCA website?

The serial number given for a certificate in Mac Keychain does not work correctly when searching for the certificate on the EJBCA website. Use the serial number that is called "other name" instead.






Last updated on April 14, 2017