OpenSSL Quick Guide

 

Checking OpenSSL Version

Check the version of OpenSSL you are running:

openssl version -a

Running this command produced the following output:

OpenSSL 1.1.1f  31 Mar 2020

built on: Wed Apr 28 00:37:28 2021 UTC

platform: debian-amd64

options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 

compiler: gcc -fPIC -pthread -m64 -Wa ....

OPENSSLDIR: "/usr/lib/ssl"

ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"

Seeding source: os-specific

Generating Private Key

Generate a private key using the RSA algorithm:

openssl genrsa -out yourdomain.key 2048

Extracting Public Key

Extract the public key from your private key:

openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key

Creating CSR

Create a CSR using the newly generated private key:

openssl req -new -key yourdomain.key -out yourdomain.csr

After entering the command, you will be asked a series of questions.

Country Name (2 letter code): The two-letter country code where your company is legally located.
State or Province Name (full name): The state/province where your company is legally located.
Locality Name (e.g., city): The city where your company is legally located.
Organization Name (e.g., company): Your company's legally registered name (e.g., YourCompany, Inc.).
Organizational Unit Name (e.g., section): The name of your department within the organization. (You can leave this option blank; simply press Enter.)
Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.example.com).
Email Address: Your email address. (You can leave this option blank; simply press Enter.)
A challenge password: Leave this option blank (simply press Enter).
An optional company name: Leave this option blank (simply press Enter).

Verifying CSR Information

View the information in the newly created CSR before submitting it to a CA:

openssl req -text -in yourdomain.csr -noout -verify

Running this command provides you with the following output:

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lehi, O=Your Company, Inc., OU=IT, CN=yourdomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Generate self-signed certificate

Command to generate a self-signed certificate using the CSR:

openssl x509 -signkey yourdomain.key -in yourdomain.csr -req -days 365 -out yourdomain.crt

Generate private key and CSR from configuration file

Command to generate a private key and CSR using a configuration file:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr -config yourdomain.cnf

Here is a complete example ssl.cnf file.


Generate CA-signed certificate using the generated key and CSR

Command to generate a CA-signed certificate:

openssl x509 -req -days 360 -in yourdomain.csr -CA yourrootca.crt -CAkey yourrootca.key -CAcreateserial -out yourdomain.crt
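
The two steps above (key and CSR from a configuration file, then CA signing), as an added example that is not part of the original guide and is not the ssl.cnf file it refers to. The configuration contents, the throwaway root CA and the helper function names are constructed for this demo; it also shows that openssl x509 -req leaves the CSR's requested extensions (such as subjectAltName) out of the certificate unless -extfile and -extensions are given.

```bash
# Added example, not from the original guide. All names and values are
# constructed; the root CA is a throwaway created only for this demo.
issue_demo_cert() (   # usage: issue_demo_cert EXISTING_DIR (runs in a subshell)
  cd "$1" || exit 1
  cat > yourdomain.cnf <<'EOF' || exit 1
[req]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req
[dn]
C  = US
ST = Utah
L  = Lehi
O  = Your Company
CN = yourdomain.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:yourdomain.com, DNS:www.yourdomain.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Private key and CSR from the configuration file (the guide's command).
  openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key \
    -out yourdomain.csr -config yourdomain.cnf 2>/dev/null || exit 1
  # Throwaway root CA so the signing step has a CA certificate and key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout yourrootca.key -out yourrootca.crt \
    -config yourdomain.cnf -extensions v3_ca 2>/dev/null || exit 1
  # The guide's signing command (output renamed): CSR extensions are dropped.
  openssl x509 -req -days 360 -in yourdomain.csr -CA yourrootca.crt \
    -CAkey yourrootca.key -CAcreateserial -out nosan.crt 2>/dev/null || exit 1
  # Same command plus -extfile/-extensions: the SANs reach the certificate.
  openssl x509 -req -days 360 -in yourdomain.csr -CA yourrootca.crt \
    -CAkey yourrootca.key -CAcreateserial -out yourdomain.crt \
    -extfile yourdomain.cnf -extensions v3_req 2>/dev/null || exit 1
)

# cert_sans CERT: print each DNS subjectAltName entry on its own line.
cert_sans() { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*'; }

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

Call issue_demo_cert with an empty scratch directory, then run cert_sans on nosan.crt and yourdomain.crt to compare the two signing commands. Running openssl verify -CAfile yourrootca.crt yourdomain.crt in that directory checks the chain.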