Notes on openssl

Russell Bateman
July 2022
last update:




What is a signed certificate?

A signed certificate is an SSL/TLS certificate signed by a public or commercially private certificate authority using their root certificate authority (CA) and private key. The steps to getting a signed certificate are:

  1. Create a CSR with a private key containing details about location, organization and FQDN.
  2. Send the CSR to the trusted CA authority, plus money, and wait for the signed certificate to return.

What is a self-signed certificate?

A self-signed certificate is an SSL/TLS certificate not signed by a public or commercially private certificate authority. Instead, it's signed by the creator's own personal or root CA certificate which is free.

  1. Create a root certificate and private key containing details about (our own) location, organization and FQDN.
    $ openssl req
             -x509                                             \   output self-signed certificate instead of certificate request
             -sha256                                           \   hash strength                                                
             -days   356                                       \   certificate's lifespan in days
             -nodes                                            \   means "no DES encryption" meaning it's not encrypted—don't use this!
             -newkey rsa:2048                                  \   creates new certificate and key                              
             -subj   "/" \   subject name                                                 
             -keyout root.key                                  \   new private key's filename                                   
             -out    root.crt                                  
    Generating a RSA private key
    writing new private key to 'root.key'
    openssl req -x509 sha256 -days 356 -pass:changeit -newkey rsa:2048 -subj "/" -keyout root.key -out root.crt [copy this command]
  2. Create a server private key to generate a certificate signing request. openssl is majorly broken as well as ill designed and even worse documented: you have to add a key by hand.
    $ openssl genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    e is 65537 (0x010001)
    openssl genrsa -out server.key 2048 [copy this command]
    $ openssl rsa -des3 -in server.key -out
    openssl rsa -des3 -in server.key -out [copy this command]
    $ rm server.key
    $ mv server.key
  3. Create an SSL certificate using our own root certificate authority and private key.

    Use an editor to create a configuration file first to make this easier. Then use this file in the command.

    $ vim csr.conf
    $ openssl req -new -key server.key -out server.csr -config csr.conf
    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    [ dn ]
    C = US
    ST = UT
    L = Provo
    O = Wind of Keltia
    CN =
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 =
    DNS.2 =
    IP.1 =
    IP.2 =

    Now create another configuration file for the certificate. Then generate the certificate with the self-signed root and other credentials we created before.

    $ vim certificate.conf
    $ openssl x509 -req                      \
                   -sha256                   \
                   -days    365              \
                   -in      server.csr       \
                   -out     server.crt       \
                   -extfile certificate.conf \
                   -CA      root.crt         \
                   -CAkey   root.key         \
    authorityKeyIdentifier = keyid,issuer
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    DNS.1 =
    openssl x509 -req -sha256 -days 365 -in server.csr -out server.crt -extfile certificate.conf -CA root.crt -CAkey root.key -CAcreateserial
    Signature ok
    subject=C = US, ST = UT, L = Provo, O = Wind of Keltia, CN =
    Getting CA Private Key
  4. Distribute the resulting certificate for installation in browsers, operating system filesystems, etc. as needed to enable TLS exchanges and/or avoid security warnings.

  5. At this point, you should have the following artifacts in your test subdirectory:
    $ ls -lart                                                  (show relative order of file creation)
    -rw-------  1 russ russ  1704 Jul 23 08:14 root.key         key in root.crt
    -rw-rw-r--  1 russ russ  1245 Jul 23 08:14 root.crt         certificate by which server.crt is signed
    -rw-------  1 russ russ  1751 Jul 23 08:21 server.key       key in server.crt
    -rw-rw-r--  1 russ russ   345 Jul 23 08:27 csr.conf         (helper)
    -rw-rw-r--  1 russ russ  1115 Jul 23 08:40 server.csr       certificate signing request for generating server.crt
    -rw-rw-r--  1 russ russ   216 Jul 23 08:55 certificate.conf (helper)
    -rw-rw-r--  1 russ russ    41 Jul 23 08:55         (beats me—it just showed up)
    -rw-rw-r--  1 russ russ  1294 Jul 23 08:55 server.crt       certificate to enable SSL in applications!