OpenSSL is an open-source command-line tool commonly used to generate private keys and Certificate Signing Requests (CSRs), install SSL/TLS certificates, and inspect certificate information.
Certificate Signing Request (CSR) Fields
Field | Meaning | Example |
---|---|---|
/C= | Country | AE |
/ST= | State | DU |
/L= | Location | Dubai |
/O= | Organization | Example |
/OU= | Organizational Unit | IT Department |
/CN= | Common Name | example.com |
Self-Signed SSL Certificate
Run `openssl req -h` or `openssl x509 -h` to see what each of the options used below does.
You need a private key and a CSR to generate a certificate. Run the following commands to generate one.
- Generate the `example.key` and `example.csr` files

```shell
# The new private key is encrypted with the passphrase given to -passout.
# If you don't want to set a passphrase,
# replace `-passout pass:1234` with `-nodes`.
openssl req \
  -new \
  -newkey rsa:4096 \
  -passout pass:1234 \
  -subj "/C=AE/ST=DU/L=Dubai/O=Example/OU=IT Department/CN=example.com/emailAddress=my@email.com" \
  -keyout example.key \
  -out example.csr
```
- Finally, generate the certificate from the two files just created with the command above.

```shell
# If example.key is passphrase-protected, openssl prompts for the passphrase.
openssl x509 \
  -req \
  -sha256 \
  -days 365 \
  -in example.csr \
  -signkey example.key \
  -out example.crt
```
Shortcut: you can generate `example.{crt,key}` at once using:

```shell
openssl req \
  -x509 \
  -days 10 \
  -nodes \
  -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/self.key \
  -out /etc/nginx/ssl/self.crt
```
Useful Cheatsheets
```shell
# View SSL Certificate
openssl x509 -noout -text -in example.crt

# View Private Key (also checks its consistency)
openssl rsa -check -in example.key

# Create Private Key (encrypted with AES-256 under the given passphrase)
openssl genrsa -aes256 -passout pass:1234 -out example.key 4096

# Create Public Key from Private Key
openssl rsa -pubout -in example.key -out example.pub

# Remove Passphrase from Private Key
# (no cipher option is given, so the output key is written unencrypted)
openssl rsa -in example.key -out example_new.key

# Convert .CRT/.CER to .PEM (the input is already PEM-encoded, so you could just rename the file)
# For a DER-encoded input, use `-inform der` instead
openssl x509 -inform pem -in example.crt -out example.pem
```
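
A check worth running after generating the files above, as an added example that is not part of the original page: it confirms that a certificate was issued for a given private key and that it is not about to expire. The function names and the temporary demo directory are hypothetical; the sample key pair is constructed with the page's shortcut command plus `-subj` to avoid interactive prompts.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate/key pair produced by the
# commands on this page. All function names are hypothetical.

# Print the PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the PEM public key derived from a private key.
# $2 is an optional passphrase source such as pass:1234 for an encrypted key.
key_pubkey() { openssl pkey -in "$1" -pubout ${2:+-passin "$2"} 2>/dev/null; }

# Succeed only if the certificate was issued for this private key.
# Empty output (unreadable file, wrong passphrase) is never treated as a match.
cert_matches_key() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2" "$3") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample input: a throwaway 10-day self-signed pair in a temp dir.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -days 10 -nodes -newkey rsa:2048 \
    -subj "/C=AE/ST=DU/L=Dubai/O=Example/OU=IT Department/CN=example.com" \
    -keyout "$DEMO_DIR/self.key" -out "$DEMO_DIR/self.crt" 2>/dev/null

cert_matches_key "$DEMO_DIR/self.crt" "$DEMO_DIR/self.key" \
    && echo "key matches certificate"
cert_valid_for_days "$DEMO_DIR/self.crt" 5 \
    && echo "valid for at least 5 more days"
cert_valid_for_days "$DEMO_DIR/self.crt" 30 \
    || echo "expires within 30 days: schedule renewal"
```

For the passphrase-protected `example.key` from the first procedure, pass the passphrase source as a third argument, for example `cert_matches_key example.crt example.key pass:1234`.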