How to Generate SSL Certificate using OpenSSL

Introduction

In this post, I will go over details of how to create SSL Certificates using OpenSSL on your server and online.

Our online SSL script generator will generate OpenSSL shell script code that you can copy to run on your FreeBSD, Linux and Windows servers.

What is OpenSSL?

OpenSSL is a cryptographic toolkit that provides tools for tasks such as generating Certificate Signing Requests (CSRs), generating private and public keys, and generating SSL certificates used with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols.

Where Do I Get OpenSSL For Windows and Linux

The OpenSSL toolkit is not installed by the default setup of either Linux or Windows. Therefore you must download a software package for Windows, or use the apt command on Linux, to get OpenSSL.

Install OpenSSL on Linux

On Linux-based systems such as Ubuntu, you can run the following command to install OpenSSL.

root@mars:~# sudo apt install openssl

Install OpenSSL on Windows

Windows does not have a central package manager that bundles OpenSSL. That said, there are multiple software packages available for Windows that come with the OpenSSL command line tools, and you may already have one of them installed on your computer.

Here is a short list of available software packages. Download any of these if you don’t have them installed.

  • Apache HTTPD Server: The web server has an OpenSSL tool in the bin folder.
  • Git for Windows: Comes with bundled OpenSSL.
  • MSYS2: A set of utilities built upon modified Cygwin tools.
  • OpenSSL Wiki: Different OpenSSL builds are available for you to download.

How to Generate SSL or TLS Certificate using OpenSSL

In this section, I will go over multiple ways to use OpenSSL.

Before doing so, let’s review the various file types involved.

  • CRT: .cert and .crt files are the signed certificates.
  • CSR: This is the certificate signing request, a challenge used by a trusted third party to verify ownership of a key pair without having direct access to the private key. A CSR allows end users to be sure that the certificate is valid. In the self-signed case, the CSR is used with your own private key to verify that key.
  • KEY: .key files are the private keys used by the server to encrypt and package data.

How to Generate Private Key with OpenSSL

To generate your private key, you need to specify the key algorithm, the key size, and an optional passphrase. The standard key algorithm is RSA, but you can also select other algorithms. It is better to use an algorithm that is supported across most browsers, and RSA is one such algorithm.

Type the following command to view all available encryption algorithms.

root@mars:~# openssl enc -list

Once you’re ready to generate your private key, run the command shown below to generate an RSA private key file.

root@mars:~# openssl genrsa -out private.key 2048

Running the OpenSSL command shown above will create a 2048-bit RSA private key in the current folder.

Note: In the command above we are using a 2048-bit key. You can use more bits, such as 4096, but doing so will slow down encryption and decryption.

Generate a new Private Key and Certificate Signing Request

You can use an existing private key or create a new private key while generating a new CSR.

Use the command req to create a new private key and CSR.

root@mars:~# openssl req -new -out mydomain.csr

Note: The req command specifies that you want to create an X.509 CSR. X.509 is the public key infrastructure standard that SSL and TLS use for key and certificate management.

Multiple questions will be asked, the first being a PEM passphrase.

If you are planning to create a self-signed certificate, you can just press Enter at all prompts. But since a CSR is for a certificate, you will need to enter your domain and location information, or else the CSR will be invalid.

Following is the complete output of running this tool while generating a new private key.

root@mars:~# openssl req -new -out mydomain.csr
Generating a RSA private key
............................................................................................................................+++++
........................................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
sohail@mars:~$ ls
privkey.pem  mydomain.csr
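The interactive run above is fine by hand, but on a server you usually want the same two steps (private key, then CSR) to run without prompts and to end with a check that the CSR really carries the host name you intended. The script below is an added example, not code from the original post: it wraps openssl genrsa and openssl req in small shell functions, passes the Distinguished Name with -subj instead of answering prompts, adds a subjectAltName (browsers match on the SAN, not only the CN), and then verifies the CSR's self-signature and contents. The function names and the file names it takes are hypothetical. It assumes OpenSSL 1.1.1 or newer, since -addext does not exist in older releases.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive private key
# and CSR generation, followed by a check of what was produced.
# Assumes OpenSSL >= 1.1.1 for the -addext option.
set -eu

# gen_key OUTFILE [BITS]
# Writes an RSA private key. The subshell umask makes the file 0600 from the
# moment it is created, so the key is never world-readable, even briefly.
gen_key() {
  out="$1"; bits="${2:-2048}"
  ( umask 077 && openssl genrsa -out "$out" "$bits" 2>/dev/null )
  # Sanity check: the file must parse as a private key.
  openssl pkey -in "$out" -noout
}

# gen_csr KEYFILE CSRFILE FQDN
# Creates a CSR for FQDN with no prompts: the DN comes from -subj and the
# SAN extension from -addext. Values after /C= /ST= /O= are constructed.
gen_csr() {
  key="$1"; csr="$2"; fqdn="$3"
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=US/ST=Some-State/O=Example Org/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn"
}

# csr_ok CSRFILE FQDN
# Returns 0 only if the CSR's self-signature verifies (proof of possession of
# the private key) AND both the CN and the SAN name FQDN; 1 otherwise.
csr_ok() {
  csr="$1"; fqdn="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  txt=$(openssl req -in "$csr" -noout -text)
  # Both "CN = host" (OpenSSL >= 1.1.1) and "CN=host" (older) spellings.
  case "$txt" in
    *"CN = $fqdn"*|*"CN=$fqdn"*) ;;
    *) return 1 ;;
  esac
  case "$txt" in
    *"DNS:$fqdn"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage when run directly:  sh this_script.sh www.example.com
# (the host name is an argument you supply; nothing runs when sourced)
if [ $# -gt 0 ]; then
  gen_key private.key 2048
  gen_csr private.key mydomain.csr "$1"
  csr_ok mydomain.csr "$1" && echo "CSR for $1 verified"
fi
```

csr_ok is the check to keep: a CSR whose signature does not verify, or whose CN and SAN disagree with the name you submit to the CA, is the usual reason a request is rejected or an issued certificate is useless for the host.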

Create Self Signed SSL Certificate

Using OpenSSL you can create your own SSL certificates. These don’t have to be signed by any certificate authority.

To create your own SSL cert use the following command.

root@mars:~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.key -out mycert.crt

Note: Unlike the CSR generation, you are not asked to enter a password for the key file here; the -nodes option leaves the private key unencrypted.

This openssl command will create a private key and a certificate file in the current folder. You will be asked to enter various organizational details, but you can just accept the defaults if you don’t want to enter them for a self-signed certificate.
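The one-liner above does the job interactively. When the same certificate has to be produced repeatedly (test rigs, internal services), it helps to script it and to check the result before deploying it: that the certificate really is self-signed, that it belongs to the key sitting next to it, how long it is valid, and what its fingerprint is so internal clients can be told exactly which certificate to trust. The script below is an added example written for this post, not the author's code; the function names are hypothetical and it assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the original post): scripted self-signed
# certificate plus the checks worth running before deploying it.
# Assumes OpenSSL >= 1.1.1 for the -addext option.
set -eu

# self_signed KEYFILE CERTFILE FQDN [DAYS]
# Same as the post's command, but with the DN given on the command line and a
# SAN added, so no prompts appear. -nodes leaves the key unencrypted, which is
# why the umask matters: the key must not be readable by other users.
self_signed() {
  key="$1"; cert="$2"; fqdn="$3"; days="${4:-365}"
  ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
      -keyout "$key" -out "$cert" \
      -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null )
}

# cert_is_self_signed CERTFILE -> 0 when issuer and subject are the same name
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# cert_matches_key CERTFILE KEYFILE -> 0 when the certificate's public key is
# the one derived from KEYFILE (a mismatch is the classic "web server refuses
# to start" failure after a key is regenerated).
cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  [ "$from_cert" = "$from_key" ]
}

# cert_valid_for_days CERTFILE DAYS -> 0 if the certificate is still valid
# DAYS from now, 1 if it will have expired by then (useful in a renewal cron).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_fingerprint CERTFILE -> prints the SHA-256 fingerprint (hex, colon
# separated). This is the value to hand to internal clients that should
# trust exactly this certificate and nothing else.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage when run directly:  sh this_script.sh internal.example.test
if [ $# -gt 0 ]; then
  self_signed mykey.key mycert.crt "$1" 365
  cert_is_self_signed mycert.crt && echo "self-signed: yes"
  cert_matches_key mycert.crt mykey.key && echo "key matches cert: yes"
  cert_valid_for_days mycert.crt 30 && echo "valid for at least 30 days"
  echo "SHA-256 fingerprint: $(cert_fingerprint mycert.crt)"
fi
```

cert_valid_for_days is the check most often forgotten with self-signed certificates: nothing external will warn you before the 365 days run out, so schedule the check yourself.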

Pros & Cons of Using Self-Signed SSL Certificates

Listed below are a few pros and cons of using self-signed SSL certificates.

Pros

  • You can create as many certificates as you want without any costs.
  • Great for use in development and testing environments.
  • If a company needs encryption and secure data for its internal, non-public-facing applications, then self-signed certificates are an excellent option.

Cons

  • Self-signed certificates are not trusted by any of the browsers or operating systems.
  • They are unsafe for public-facing applications.
  • Prone to man-in-the-middle attacks.

Conclusion

Using self-signed SSL/TLS certificates for internal development and testing makes the whole DevOps pipeline easier to manage. They are also great for use on internal, non-public-facing corporate applications, as they do provide encryption and security for data transferred over the wire.

On my backend servers, where I use both Apache HTTPD and NGINX web servers I am using self-signed certificates for encryption and web server communication. Since I have the NGINX load balancers/proxy behind the Cloudflare CDN, I am able to host my websites publicly without running into any browser or security issues.

Let me know if you have any questions about any topic discussed in this post.