OpenSSL Step by Step Tutorial: How to Generate Self Signed Certificate, Keys and CSR Using OpenSSL

By | July 21, 2020

OpenSSL is a widely used, well-known open source tool for generating self-signed certificates, private keys and CSRs (Certificate Signing Requests), and for converting certificates from one format to another. Besides OpenSSL, Java KeyTool is also a commonly used command-line tool for generating certificates, keys and CSRs, and I have another video tutorial explaining how to use Java KeyTool for self-signed certificates. Another tool, this one graphical, for generating self-signed SSL/TLS certificates is Portecle, and I have another tutorial explaining how to use Portecle to generate SSL/TLS certificates and keystores.

OpenSSL Step By Step Tutorial for Generating Private Keys, Certificates, CSR and Self Signed Certificate

In this tutorial, I will walk you through the individual steps and explain the commands and options used for generating keys, CSRs and certificates.

Before you proceed, make sure that you have OpenSSL downloaded and working on your machine. To learn how to set up OpenSSL on your Windows/Linux machine, follow the instructions provided on the official OpenSSL site.


To confirm that OpenSSL is installed and configured properly on your machine, run the command below, which prints details about the OpenSSL version available on your machine:

openssl version -a

How to Generate a Private Key Using OpenSSL

The first important step is to generate a key. The key file that we generate will contain the private key as well as the associated public key, which we will extract into another file.

To generate a key for a domain named tutorialspedia, we will use the command below:

openssl genrsa -out tutorialspedia.key 2048

The above command generates a key using the RSA algorithm with a key length of 2048 bits. The key is written to the given file, and you can open the file and check its content, which is in PEM format. On Linux you can use the cat command to read the file content, and on Windows you can use the type command. Remember that these commands show you the file content as it is, and since that content is PEM encoded, you won't be able to read the key details directly from it.

How to Extract Public Key from a Key File Using OpenSSL

The key file that you generated above actually contains a key pair (a private key as well as an associated public key). OpenSSL lets you export the public key using the command below:

openssl rsa -in tutorialspedia.key -pubout -out tutorialspedia_public.key

The above command exports the public key from our key pair and saves it in a file named tutorialspedia_public.key.

How to Create Certificate Signing Request (CSR) using OpenSSL

So far we have created a key pair and extracted the public key from it. The next important step is to get a certificate for this key signed by a CA (Certification Authority), or else to self-sign it. For that purpose, we need to generate a CSR with the command below:

openssl req -new -key tutorialspedia.key -out tutorialspedia.csr

The above command uses our private key and generates a CSR file with the given name. When you run this command, you will be prompted with a series of questions, which you need to answer with the required information.

How to Verify a CSR file Using OpenSSL

Once you have created your CSR file, you can cross-check and verify it to make sure all the information provided is correct before you send it to a CA for signing or proceed with self-signing.

To verify a CSR, you can use the command below in OpenSSL:

openssl req -text -in tutorialspedia.csr -noout -verify

How to Self-Sign a Certificate Using Private Key

Once a CSR has been generated, in actual production scenarios a CA's services are used to get the certificate signed, and for that purpose the CSR is provided to the CA (e.g. VeriSign, DigiCert etc.). However, for certain internal use cases or for test purposes, you can opt for self-signed certificates, in which case the certificate is signed by yourself rather than by a CA.

In order to sign our certificate with our own private key, we will use the OpenSSL command below:

openssl x509 -in tutorialspedia.csr -out tutorialspedia.crt -req -signkey tutorialspedia.key -days 365

The above command signs the certificate with our own private key, and the validity will be one year as specified.
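
The steps above as one non-interactive script, followed by checks that the key, the CSR and the certificate all carry the same public key and that the certificate really is self-signed. This is an added example, not part of the original tutorial; the function names, the -subj value and the temporary directory are assumptions made for illustration.

```sh
# Added example (not from the tutorial); names, subject and temp dir are assumptions.

# SHA-256 digest of the public key inside a private key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl rsa  -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] && printf '%s\n' "$pem" | openssl dgst -sha256
}

# Run the tutorial's steps without prompts: key, public key, CSR, self-signed cert.
make_selfsigned() {
    name=$1; subj=$2; dir=$3
    # umask 077 in a subshell: the unencrypted private key is owner-readable only.
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null ) || return 1
    openssl rsa -in "$dir/$name.key" -pubout \
        -out "$dir/${name}_public.key" 2>/dev/null || return 1
    # -subj supplies the answers that "openssl req -new" would otherwise prompt for.
    openssl req -new -key "$dir/$name.key" -subj "$subj" \
        -out "$dir/$name.csr" || return 1
    openssl req -in "$dir/$name.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# Succeeds only if key, CSR and certificate all carry the same public key.
same_keypair() {
    k=$(pubkey_digest key "$2/$1.key") || return 1
    [ "$k" = "$(pubkey_digest csr "$2/$1.csr")" ] &&
    [ "$k" = "$(pubkey_digest crt "$2/$1.crt")" ]
}

# Succeeds if subject equals issuer and the certificate verifies against itself.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo in a throwaway directory; the subject below is a constructed sample value.
workdir=$(mktemp -d) &&
make_selfsigned tutorialspedia "/CN=tutorialspedia.example" "$workdir" &&
same_keypair tutorialspedia "$workdir" &&
is_self_signed "$workdir/tutorialspedia.crt" &&
echo "key, CSR and certificate match; certificate is self-signed"
rm -rf "$workdir"
```

The same_keypair check is also useful after a CA returns a signed certificate, to confirm it was issued for the key you actually hold.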

I hope that this tutorial helps you understand how the OpenSSL tool can be used for generating keys, CSRs and self-signed certificates. Feel free to comment below if you have any feedback or need any further help on this subject.

Ajmal Abbasi


4 thoughts on “OpenSSL Step by Step Tutorial: How to Generate Self Signed Certificate, Keys and CSR Using OpenSSL”

  1. pradnya

    Please help if I get SSL handshake issue.
    Getting error: caused by: java.io.IOException: Failed to create secure client socket: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

  2. Pingback: TIBCO BW6 REST Web Service: One Way & Two Way SSL in BW6 REST Service

  3. Pingback: CA Signed Certificate from CSR Certificate Signing Request

  4. Vinu

    How to use private key in TIBCO? Your other tutorial talks about using keystore but I am not able to figure out how the files generated using OpenSSL can be used for implementing SSL in TIBCO BW 6.
