OpenSSL Quick Guide
Checking OpenSSL Version
Check which version of OpenSSL you are running:
openssl version -a
Running this command produced the following output:
OpenSSL 1.1.1f 31 Mar 2020
built on: Wed Apr 28 00:37:28 2021 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa ....
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
Generating Private Key
Generate a private key using the RSA algorithm:
openssl genrsa -out yourdomain.key 2048
Extracting Public Key
Extract the public key from the private key:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Creating CSR
Create a CSR using the newly generated private key:
openssl req -new -key yourdomain.key -out yourdomain.csr
After entering the command, you will be asked a series of questions:
Country Name (2 letter code) | The two-letter country code where your company is legally located. |
State or Province Name (full name) | The state/province where your company is legally located. |
Locality Name (e.g., city) | The city where your company is legally located. |
Organization Name (e.g., company) | Your company's legally registered name (e.g., YourCompany, Inc.). |
Organizational Unit Name (e.g., section) | The name of your department within the organization. (You can leave this option blank; simply press Enter.) |
Common Name (e.g., server FQDN) | The fully-qualified domain name (FQDN) (e.g., www.example.com). |
Email Address | Your email address. (You can leave this option blank; simply press Enter.) |
A challenge password | Leave this option blank (simply press Enter). |
An optional company name | Leave this option blank (simply press Enter). |
Verifying CSR Information
View the information in the newly created CSR, and verify its signature, before submitting it to a CA:
openssl req -text -in yourdomain.csr -noout -verify
Running this command provides you with the following output:
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lehi, O=Your Company, Inc., OU=IT, CN=yourdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Generate self-signed certificate
Create a self-signed certificate from the CSR, signed with your own private key:
openssl x509 -signkey yourdomain.key -in yourdomain.csr -req -days 365 -out yourdomain.crt
Generate private key and CSR from configuration file
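Generate a private key and a CSR in one step using a configuration file. The -nodes option writes the private key unencrypted, so restrict access to the key file: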
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr -config yourdomain.cnf
Here is a complete example ssl.cnf file.
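A minimal configuration of this kind, as an added example that is not the ssl.cnf file the guide refers to or code from the original page. The subject values and SAN entries are constructed placeholders, and the function names are hypothetical; the script writes the config, runs the command above against it, and checks that the resulting CSR matches the key and carries the expected subjectAltName:

```shell
# Added example, not the guide's ssl.cnf; values are constructed placeholders.
# write_csr_config FILE: minimal non-interactive req config with a SAN.
write_csr_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = Utah
L  = Lehi
O  = Your Company, Inc.
OU = IT
CN = yourdomain.com

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = yourdomain.com
DNS.2 = www.yourdomain.com
EOF
}

# make_key_and_csr BASE: the guide's command on BASE.cnf; umask keeps the
# unencrypted (-nodes) key readable by its owner only.
make_key_and_csr() {
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -config "$1.cnf" )
}

# csr_matches_key BASE: CSR self-signature verifies and its public key is
# the one derived from BASE.key. Matches the message text of -verify.
csr_matches_key() {
    openssl req -in "$1.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(openssl req -in "$1.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$1.key" -pubout)" ]
}

# csr_has_san BASE NAME: NAME is listed as a DNS subjectAltName in the CSR.
csr_has_san() {
    openssl req -in "$1.csr" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}
```

The openssl x509 -req command used for signing in this guide does not copy extensions from the CSR by default, so the subjectAltName has to be supplied again at signing time with -extfile and -extensions.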
Generate CA-signed certificate using the generated key and CSR
Sign the CSR with your root CA certificate and key to produce a CA-signed certificate:
openssl x509 -req -days 360 -in yourdomain.csr -CA yourrootca.crt -CAkey yourrootca.key -CAcreateserial -out yourdomain.crt