Skip to Content

Creating certificates by using the OpenSSL tool

OpenSSL is a cryptography toolkit that implements the SSL/TLS network protocols, along with related cryptography standards. The openssl command-line tool provides a range of commands and options for creating and managing digital certificates. OpenSSL is used for the following:

  • Encrypting data sent over a network
  • Generating private keys, public keys, and SSL/TLS certificates
  • Creating digital signatures
  • Running secure servers and clients (for example, HTTPS, FTPS, SMTPS)

To generate a self-signed certificate

  1. Generate a private key by running the following command:

    openssl genrsa -out ca.key 2048

  2. Remove the passphrase from the key pair:

    openssl rsa -in ca.key -out ca.key

  3. Generate a certificate signing request (CSR):

    openssl req -x509 -new -key ca.key -out ca.csr -config "[openSSL folder path]\openssl.cnf"

  4. Create a self-signed certificate in X.509 :

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

    Info

    In cryptography, X.509 is an important standard for public key infrastructure (PKI) used to manage digital certificates and secure web and email communication, forming a key part of the TLS protocol. The following commands and argumnets are ysed when creating a certificate with OpenSSL:

    • x509 — Generates a self-signed certificate in X.509 format.
    • newkey arg — Creates a new certificate request and a private key. 
    • rsa:nbits — Generates an RSA key with a bits size specified in nbits.
    • keyout filename — Creates a new private key to the specific filename.
    • out filename — Specifies the file where the output (such as the certificate) will be written. If not specified, output goes to standard output.
    • days n — Sets the number of days the certificate will be valid. The default is 30 days.

To generate a server certificate

  1. Generate a private key:

    openssl genrsa -out serv.key 2048

  2. Generate a CSR certificate:

    openssl req -new -key serv.key -out serv.csr -config "[openSSL folder path]\openssl.cnf"

  3. Generate a signed server certificate:

    openssl x509 -req -days 730 -in serv.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out serv.crt -extensions v3_req -extfile "[openSSL folder path]\openssl.cnf"

To generate a client certificate

  1. Generate a private key :

    openssl genrsa -out cli.key 2048

  2. Generate a CSR certificate:

    openssl req -new -key cli.key -out cli.csr -config "[openSSL folder path]\openssl.cnf"

  3. Generate a signed client certificate:

    openssl x509 -req -days 730 -in cli.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out cli.crt -extensions v3_req -extfile "[openSSL folder path]\openssl.cnf"

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Single Sign-On 26.1