Useful Certificate Tools

Introduction

Digital certificates are used everywhere in today's online world to identify users and services and to keep curious eyes away by securing network communication with encryption. Certificates come in many different encodings and file extensions, and there is usually no room for error.

The goal of this post is to highlight some useful tools you can use when you are working with certificates to ensure you get exactly what you need or to help you get more information about a certificate you have run into. Since you won't always be part of every step in the creation and installation of a certificate, it's comforting to know everything looks right before you hand over your work to the next guy.


Decode a CSR

The creation of most certificates starts with a Certificate Signing Request, also known as a CSR. The request can be created either by the system or service that needs the certificate or by a third party who can create the request on behalf of whoever needs it. Regardless of how it is created, the CSR will contain a lot of information that is to be included in the finished, signed certificate. By decoding the CSR we can extract this information. While the CSR will look like mumbo-jumbo to a human because it is in what's called PEM format, all these numbers and letters mean a lot to computer systems.

There are quite a few websites that in an instant can help you decode your CSR to reveal the information contained within it, and I've taken a liking to one called SSL Shopper. They have many tools available on their website and one of them is a CSR Decoder. Don't worry about entering the CSR at some random website; the CSR doesn't contain any sensitive information. It carries your public key and the details that will appear in the certificate, not the private key. All you have to do is paste in the certificate signing request in its Base64 format on the website and you'll see the information in the clear.

SSL Shopper Certificate Signing Request CSR Decode

Decode a Certificate

You can also use their Certificate Decoder to extract the information from already issued certificates. It'll save you some time so you don't have to convert the certificate to a more "human-friendly" format. Paste in the certificate in its Base64 format on the website and you'll see the information in the clear. In this example, I have downloaded and submitted the certificate information for the Swedish version of Google's website.

SSL Shopper Certificate Decoder

Automatically get the full chain of a trusted certificate

Every now and then you will run into a certificate that has been issued (signed) by a trusted third-party certificate authority. These kinds of certificates are generally trusted by most modern operating systems by default because they have been issued by well-established certificate authorities like GlobalSign, DigiCert, GeoTrust, and so on. 

All of the big certificate authorities have several root and intermediate certificates that could potentially belong to the same certificate chain as the certificate you might be working with. Usually when a certificate is ordered the provider will send you the root and intermediate certificate together with the ordered certificate, but sometimes they may tell you to look at their website to download them yourself. 

Every certificate contains information about which certificate authority issued the certificate and while you could dig out the information yourself, there are several websites that will speed things up a bit.

One of those sites is certificatechain.io. All you have to do is paste in your certificate in Base64 format. You will then be able to download the complete certificate chain either as Base64 or as a .CRT file.

CertificateChain.IO Example

Converting Certificates

While certificates follow well-known standards about how they should be structured, some systems and services prefer one certificate encoding or format over the other. In Windows, you can switch between different formats by changing the file extension from .pem to .cer or .der, but sometimes you need to do a bit more to change the certificate format, and that's when you can use a tool like SSL Converter. The converter is pretty simple; you pick what goes in and what should go out.

OpenSSL

The most powerful tool I have had to work with is OpenSSL, which is a CLI-based program that can do almost anything that has to do with certificates. You can do all kinds of decodes, generate CSRs, convert certificates from one format to the other, and so on. OpenSSL is incredibly powerful and might take some time to learn, so I am not going to cover it in detail here, but if you think you're up for it you can read more over at their website, where you can also download the program itself.

If you paid some attention to the different services offered by SSL Shopper above, you can see that the site is using OpenSSL, and the commands used to decode the CSR/certificate, etc. are shown above the windows where you paste in your certificate. The commands are not shown in my screenshots above but if you visit the website you'll see them.

Since OpenSSL is an open-source project and free to use, a lot of other software uses OpenSSL for their certificate shenanigans (like Cisco ISE).
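
The decoding and converting steps from the sections above can also be done locally with OpenSSL. This is an added example, not code from the original post or from SSL Shopper: it creates a throwaway key, CSR and self-signed certificate (the subject and file names are constructed), decodes them, converts PEM to DER and back, and goes one step beyond the post by checking that the CSR really belongs to the private key.

```shell
#!/usr/bin/env bash
# Added example. The subject, file names and key are constructed throwaway values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build sample input: a private key, a CSR for it, and a self-signed certificate.
make_samples() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/req.csr" -subj "/O=Example Org/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
    -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# Decode a CSR: print its subject (swap -subject for -text to see everything).
csr_subject() { openssl req -in "$WORK/req.csr" -noout -subject; }

# Check the CSR's own signature; a damaged or edited request fails here.
csr_verify() { openssl req -in "$WORK/req.csr" -noout -verify 2>&1; }

# Decode a certificate: who it is for, who issued it, and when it is valid.
cert_summary() { openssl x509 -in "$WORK/cert.pem" -noout -subject -issuer -dates; }

# Convert between PEM (Base64 text) and DER (binary) encodings.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# SHA-256 fingerprint of a certificate file; $2 is its encoding (PEM or DER).
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

# Public key carried by the CSR, and the one derived from the private key.
csr_pubkey() { openssl req -in "$WORK/req.csr" -noout -pubkey; }
key_pubkey() { openssl pkey -in "$WORK/key.pem" -pubout; }

# True when the CSR was generated from this private key.
csr_matches_key() { [ "$(csr_pubkey)" = "$(key_pubkey)" ]; }

make_samples
csr_subject
csr_verify
cert_summary
pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
der_to_pem "$WORK/cert.der" "$WORK/roundtrip.pem"
fingerprint "$WORK/cert.der" DER
csr_matches_key && echo "CSR and private key match"
```

The fingerprint is computed over the certificate itself, so it stays the same whichever encoding the file is stored in.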

The SSL Knowledge Base

While this isn't exactly a tool, the knowledge base over at SSL.com has a lot of good information and discussions for those who really want to dig deep into the certificate world. You can find a lot of explanations and good-to-know information about certificates in general.

I'll try to keep this post updated with new tools as I run into them.