OpenSSL is a widely used and a well known open source tool for generating self signed certificates, private keys, CSRs (Certificate Signing Requests) and for converting certificates from one format to another. Other than OpenSSL, Java Key Took is also a commonly used command line tool for certificates, keys and CSRs generation and I have another video tutorial, explaining how to use Java KeyTool for self signed certificates. Another graphical tool used for generating Self Signed SSL/TLS certificates is Portecle and I have another tutorial explaining how to use Portecle for generating SSL/TLS certificates and keystores.
OpenSSL Step By Step Tutorial for Generating Private Keys, Certificates, CSR and Self Signed Certificate
In this tutorial, I will walk you through different steps along with explanation of various commands and options used for generating keys, CSRs, certificates.
Before you proceed make sure that you have openSSL downloaded and is working fine on your machine. To know about how to setup openssl on your windows/linux machne, follow the instructions provided on OpenSSL official site.
If you prefer going through this openSSL tutorial in text format instead, continue below.
To confirm that OpenSSL is installed and configured properly on your machine, run below command which will provide you details about openSSL version available on your machine:
openssl version -a
How to Genrate a Private Key Using OpenSSL
The first important step is to generate a key. A key file that we will generate will be containing private key as well as associated public key which we will extract into another file.
To generate a key for a domain named tutorialspedia, we will use below command:
openssl genrsa -out tutorialspedia.key 2048
The above command will generate a key using RSA algorithm with key length provided as 2048 bits. The command will generate the key in the provided file and you can open the file and check the content which will be in PEM format. In Linux you can use cat command to read file content and in Windows you can type command. Remember that PEM file that you will read using these commands will provide you file content but content will be PEM encoded and you won’t be able to understand those.
How to Extract Public Key from a Key File Using OpenSSL
The key file that you generated above actually contains a key-pair (a private key as well an associated public key). OpenSSL provided you options to export public key using below command:
openssl rsa -in tutorialspedia.key -pubout -out tutorialspedia_public.key
The above command exports public key from our keypair and saves it in a file with the name tutorialspedia_public.key
How to Create Certificate Signing Request (CSR) using OpenSSL
So far we have created a keypair and extracted public key from that. For the private key generated, next important step is to get it signed by a CA (Certification Authority) or else self-sign it. For that purpose, we need to generate a CSR with below command:
openssl req -new -key tutorialspedia.key -out tutorialspedia.csr
The above command will use our private key and generate a CSR file with provided name. When you will run this command, you will be prompted with a series of questions which you need to answer with required information.
How to Verify a CSR file Using OpenSSL
Once you have created your CSR file, you can cross check and verify to make sure all information provided is correct before you send it to a CA for signing or proceed with self-signing.
To verify a CSR, you can use below command in OpenSSL:
openssl req -text -in tutorialspedia.csr -noout -verify
How to Self-Sign a Certificate Using Private Key
Once a CSR has been generated, in actual production scenarios, a CA’s services are used to get the certificate signed and for that purpose, CSR is provided to CA (e.g. verisign, digicert etc.). However, for certain internal use-cases or for test purposes, you can opt for self-signed certificates in which case certificate signing is done by yourself rather than a CA.
In order to sign our certificate with our own private key, we will use below openSSL command:
openssl x509 -in tutorialspedia.csr -out tutorialspedia.crt -req -signkey tutorialspedia.key -days 365
Above command will sign the certificate with our own private key and validity will be for one year as specified.
I hope that this tutorial will be helpful for you to understand how Open SSL tool can help generating keys, CSR and self signed certificates. Feel free to comment below if you have any feedback or any further help required on this subject.