September 26, 2020

OpenSSL - Generate Private Key, CSR and Certificate

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It's an open-source command line tool that is commonly used to:

  • Generate private keys
  • Create CSRs
  • Install your SSL/TLS certificate
  • Identify certificate information

In this post we will see how to generate private keys, CSRs and certificates.

If you do not have openssl already installed, you can download it from https://www.openssl.org/source/

Let's start by creating the CSR and then the self-signed certificate.

Generate a private key.

Run this command to generate a private key:

openssl genrsa -out mycertificate.key 4096

Create a certificate signing request (CSR)

This produces a .csr file that would normally be sent to a Certificate Authority (CA) (e.g., DigiCert) to request a public SSL certificate. Since we are generating a self-signed certificate, we will not send the generated CSR to a CA; instead we will create our own certificate (.cer) file using openssl.

The CSR contains the common name and some other information. Here is the command you need to create a CSR:

openssl req -sha256 -new -key mycertificate.key -out mycertificate.csr

After entering this command, you will be asked a series of questions.

Here is a short description of the questions:

  • Country Name (2 letter code): The two-letter country code where the company is legally located.
  • State or Province Name (full name): The state/province where the company is located.
  • Locality Name (e.g., city): The city where the company is located.
  • Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
  • Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank; simply press Enter.)
  • Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
  • Email Address: Your email address. (To leave it blank; simply press Enter.)
  • A challenge password: Your password. (To leave it blank; simply press Enter.)
  • An optional company name: Optional company name. (To leave it blank; simply press Enter.)

Your answers to these questions will be embedded in the CSR.

The above command stores the CSR in the mycertificate.csr file.

Generate a certificate (cer file) from CSR.

Run this command to create the certificate (.cer) file from the CSR:

openssl x509 -req -sha256 -days 365 -in mycertificate.csr \
       -signkey mycertificate.key -out mycertificate.cer

Using our previously generated key and CSR, here we are generating the certificate (.cer) file with a validity of 365 days.

Convert .cer file to .crt file.

You can use the following command to create a .crt file from the .cer file (the .crt file may be needed if you want to create a child certificate signed by this mycertificate):

openssl x509 -inform PEM -in mycertificate.cer -out mycertificate.crt

Extract Public Key

If you want to extract the public key, you can use this command:

openssl rsa -in mycertificate.key -pubout > mycertificate.pub

It will write the public key to the mycertificate.pub file.

Generate PFX(or PKCS#12) file for the certificate.

The PFX or PKCS#12 format is a binary format for storing the certificate and private key together in a single file that can be protected with a password. PFX files are usually found with the extensions .pfx and .p12.

openssl pkcs12 -export -out mycertificate.pfx -inkey mycertificate.key \
        -in mycertificate.cer
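The steps above, from private key to PKCS#12 bundle, collected into one non-interactive script. This is an added example, not a script from the original post: the hostname www.example.com, the DN fields, the directory and the PKCS#12 passphrase are placeholder values. The interactive questions are answered from a config file, a Subject Alternative Name (SAN) is added because current browsers match the hostname against the SAN rather than the Common Name, and the script finishes by checking that the certificate really belongs to the key (a mismatch is the most common reason a freshly installed certificate fails to load).

```shell
#!/bin/sh
# Added example, not part of the original post. Hostname, DN values and
# the passphrase below are placeholders chosen for the demonstration.
set -eu

# make_self_signed HOST DIR [BITS]
# Writes HOST.key, HOST.csr, HOST.cer and HOST.pfx into DIR. Returns non-zero
# if any step fails or if the certificate does not match the private key.
make_self_signed() {
    host="$1"; dir="$2"; bits="${3:-4096}"
    mkdir -p "$dir" || return 1
    cnf="$dir/$host.cnf"

    # Answers to the CSR questions live in a config file instead of prompts;
    # the [ext] section declares the SAN and is reused when signing below.
    cat > "$cnf" <<EOF || return 1
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = US
ST = State
L  = City
O  = MyCompany
CN = $host
[ext]
subjectAltName = DNS:$host
EOF

    # 1. Private key (RSA, 4096 bits by default as in the post).
    openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null || return 1

    # 2. CSR signed with that key; subject and SAN come from the config.
    openssl req -sha256 -new -key "$dir/$host.key" -config "$cnf" \
        -out "$dir/$host.csr" 2>/dev/null || return 1
    # Check the CSR's own signature before using it any further.
    openssl req -noout -verify -in "$dir/$host.csr" >/dev/null 2>&1 || return 1

    # 3. Self-signed certificate valid 365 days. x509 -req drops the CSR's
    #    extensions, so -extfile/-extensions re-attaches the SAN.
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -extfile "$cnf" -extensions ext \
        -out "$dir/$host.cer" 2>/dev/null || return 1

    # 4. PKCS#12 bundle; -passout replaces the interactive passphrase prompt.
    openssl pkcs12 -export -inkey "$dir/$host.key" -in "$dir/$host.cer" \
        -passout pass:changeit -out "$dir/$host.pfx" 2>/dev/null || return 1

    key_matches_cert "$dir/$host.key" "$dir/$host.cer"
}

# key_matches_cert KEY CERT
# A certificate is only usable with the key it was issued for; comparing the
# RSA modulus printed for each is the standard check. Exits 0 when they agree.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CERT
# Prints the DNS names in the certificate's Subject Alternative Name.
cert_san() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*'
}

# Usage: sh selfsigned.sh www.example.com ./out
if [ "$#" -eq 2 ]; then
    make_self_signed "$1" "$2" && echo "key and certificate agree"
fi
```

Two things worth noting when comparing this to the commands in the post. The .cer to .crt conversion step is not needed here: `openssl x509 -inform PEM -in x.cer -out x.crt` reads PEM and writes PEM (the default output format), so the two files carry identical data and only the extension differs. And the CSR verification plus the modulus comparison are cheap checks to run every time, since a certificate issued for a different key, or a CSR whose key was regenerated after submission, produces exactly the silent "certificate and key do not match" failure that is tedious to debug after installation.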
