OpenSSL command in Linux

OpenSSL is an open-source command-line tool commonly used to generate private keys and Certificate Signing Requests (CSRs), install SSL/TLS certificates, and inspect certificate information.

Certificate Signing Request (CSR) Fields

| Field | Meaning | Example |
|-------|---------|---------|
| /C= | Country | AE |
| /ST= | State | DU |
| /L= | Location | Dubai |
| /O= | Organization | Example |
| /OU= | Organizational Unit | IT Department |
| /CN= | Common Name | example.com |

Self-Signed SSL Certificate

Run `openssl req -h` or `openssl x509 -h` to read what each of the options used below does.

You will need a private key and a CSR to generate a certificate. Run the following commands to generate the certificate.

  1. Generate example.key and example.csr files
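    
    # The new private key is encrypted with the passphrase given to `-passout`.
    # If you don't want to set a passphrase, replace
    # `-passout pass:1234` with `-nodes`.
    # Note: `pass:` puts the passphrase on the command line, where it is
    # visible in the process list and in shell history.
    openssl req \
      -new \
      -newkey rsa:4096 \
      -passout pass:1234 \
      -subj "/C=AE/ST=DU/L=Dubai/O=Example/OU=IT Department/CN=example.com/emailAddress=my@email.com" \
      -keyout example.key \
      -out example.csr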
    
  2. Finally, generate the certificate from the two files just created with the command above.
    
    openssl x509 \
      -req \
      -sha256 \
      -days 365 \
      -in example.csr \
      -signkey example.key \
      -out example.crt
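
The check below is an added example, not part of the original page: it compares the public key embedded in the key, CSR and certificate produced by the two steps above and confirms the certificate is not about to expire. The function names, the temporary file names and the 2048-bit unencrypted demo key are assumptions made for the demo.

```sh
#!/bin/sh
# Added example: confirm that a key, CSR and certificate belong together.
# Assumes an unencrypted key (-nodes); all files are throwaway demo files.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
pubkey_digest() {
  case "$1" in
    key) pd_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pd_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pd_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   return 2 ;;
  esac || return 1   # unreadable file or wrong file type
  printf '%s\n' "$pd_pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_bundle KEY CSR CRT [SECONDS]: print "ok" and return 0 only if all
# three share one public key and the cert is still valid SECONDS from now.
check_bundle() {
  cb_k=$(pubkey_digest key "$1") || { echo "unreadable key"; return 1; }
  cb_r=$(pubkey_digest csr "$2") || { echo "unreadable csr"; return 1; }
  cb_c=$(pubkey_digest crt "$3") || { echo "unreadable crt"; return 1; }
  if [ "$cb_k" != "$cb_r" ] || [ "$cb_k" != "$cb_c" ]; then
    echo "public key mismatch"; return 1
  fi
  openssl x509 -in "$3" -noout -checkend "${4:-0}" >/dev/null 2>&1 ||
    { echo "expires within ${4:-0}s"; return 1; }
  echo ok
}

# Build a demo key/CSR/cert with the two steps above (2048-bit and -nodes to
# keep it fast) plus an unrelated second key; print the temp directory.
make_demo() {
  md_dir=$(mktemp -d) || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=AE/ST=DU/L=Dubai/O=Example/CN=example.com" \
    -keyout "$md_dir/example.key" -out "$md_dir/example.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 365 -in "$md_dir/example.csr" \
    -signkey "$md_dir/example.key" -out "$md_dir/example.crt" >/dev/null 2>&1 || return 1
  openssl genrsa -out "$md_dir/other.key" 2048 >/dev/null 2>&1 || return 1
  echo "$md_dir"
}

d=$(make_demo) && {
  check_bundle "$d/example.key" "$d/example.csr" "$d/example.crt" 86400 || true
  check_bundle "$d/other.key" "$d/example.csr" "$d/example.crt" || true
  rm -rf "$d"
}
```

Running the same `check_bundle` before installing a certificate on a server catches the common mistake of pairing a certificate with the wrong key file.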
    

Shortcut: you can generate the certificate and the private key at once using

openssl req \
  -x509 \
  -days 10 \
  -nodes \
  -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/self.key \
  -out /etc/nginx/ssl/self.crt

Useful Cheatsheets

# View SSL Certificate
openssl x509 -noout -text -in example.crt

# View Private Key
openssl rsa -check -in example.key

# Create Private Key
openssl genrsa -aes256 -passout pass:1234 -out example.key 4096

# Create Public Key from Private Key
openssl rsa -pubout -in example.key -out example.pub

# Remove Passphrase from Private Key
# (no cipher option: the key is written out unencrypted)
openssl rsa -in example.key -out example_new.key

# Convert .CRT/.CER to .PEM. If the file is already PEM-encoded this is
# the same as renaming it; for a DER-encoded file use `-inform der` instead.
openssl x509 -inform pem -in example.crt -out example.pem