Creating certificates using the OpenSSL tool

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL), and Transport Layer Security (TLS) network protocols and related cryptography standards required by them. The openssl program is a command line tool that provides a rich variety of commands with elaborate options and arguments. The following section lists and explains the openssl commands used for the certificate creation and signing.

To generate a self-signed certificate

1. Generate a certificate by running the following command:

   openssl genrsa -out ca.key 2048

2. Remove the passphrase from the key pair by running the following command:

   openssl rsa -in ca.key -out ca.key

3. Generate a CSR cerficate by running the following command:

   openssl req -x509 -new -key ca.key -out ca.csr -config "[openSSL folder path]\openssl.cnf"

4. Create a self-signed certificate in x509 format by running the following command:

   openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

   In cryptography, X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the TLS protocol used to secure web and email communication.

   • -x509 : This option generates a self-signed certificate in x509 format.
   • -newkey arg: This option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key which is nbits in size.
   • -keyout filename: The newly created private key is written to to the filename indicated in this option.
   • -out filename: This specifies the output filename to write to or standard output by default.
   • -days n: When the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

Related topics