OpenSSL

About

OpenSSL is an open-source command-line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and inspect certificate information.

OpenSSL is included in most Linux distributions. On Windows it is a bit trickier, as you need to install a pre-compiled binary to get started.

Version and Info

Run the following command to get the version and other information about the installed OpenSSL build:

openssl version -a

The output looks something like this:

LibreSSL 2.8.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

In the output, the OPENSSLDIR value is the directory from which OpenSSL reads its configuration and local settings.

Uses

There are many different reasons to use OpenSSL; the most common is the following.

Generating a self-signed certificate

A common server operation is to generate a self-signed certificate. There are many reasons for doing this such as local testing or encrypting communications between internal servers.

Generate the private key and the x.509 cert

  • Open Terminal.
  • Navigate (change directory) to the directory in your project where you will store the generated private key and certificate files.
  • Generate the files using OpenSSL with the following command:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt

Key       Value            Description
req                        Command passed to OpenSSL for creating and processing certificate requests, usually in PKCS#10 format.
-x509                      Tells req to output a self-signed certificate instead of a certificate request, signing it with the new private key much as a certificate authority would. X.509 is the certificate format defined in RFC 5280.
-sha256                    Use SHA-256 as the digest when signing the certificate.
-nodes                     Short for "no DES": the private key is written out unencrypted, so it is not password protected.
-days     365              The number of days that the certificate will be valid.
-newkey   rsa:4096         Generate a new key along with the certificate, in this case a 4096-bit RSA key.
-keyout   private.key      The name and location of the private key file to write.
-out      certificate.crt  The name and location of the certificate file to write.

The command generates the private.key file first. You will then be asked a series of questions, after which the certificate.crt file is written:

Generating a 4096 bit RSA private key
.....................++
.....................................................++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:01
State or Province Name (full name) []:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, fully qualified host name) []:mydomainname.com
Email Address []:.

Test the cert file

Once the certificate has been generated, we should verify that it matches the parameters we set.

openssl x509 -in certificate.crt -text -noout

Key      Value            Description
x509                      The certificate command; with the options here it prints information about the given certificate rather than modifying it.
-in      certificate.crt  The certificate that we are verifying.
-text                     Print the certificate contents in human-readable text form.
-noout                    Do not output the PEM-encoded certificate itself.

The test should return something like this:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10077740461970821292 (0x8bdb538e565a10ac)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=01, CN=appdocs
        Validity
            Not Before: Sep 24 21:40:20 2020 GMT
            Not After : Sep 24 21:40:20 2021 GMT
        Subject: C=01, CN=appdocs
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bc:39:f8:68:fc:33:8b:f4:97:e8:1c:9f:4c:93:
                    40:38:98:cd:1d:12:2a:c5:ad:6a:38:1d:ad:57:04:
                    63:ca:b3:ba:8d:a6:cf:93:46:27:dd:c7:ed:c0:eb:
                    05:4c:56:f3:e3:da:de:73:9c:6e:f0:85:a3:a8:18:
                    7a:e9:68:d7:16:69:ac:46:9f:f9:9a:84:94:d7:be:
                    81:12:5d:3c:67:5e:ae:4a:2b:9e:e5:09:60:c3:01:
                    a3:65:11:e2:2b:97:c4:3b:f2:d0:58:f5:56:c9:12:
                    35:36:4f:19:83:1c:f7:e3:4b:7f:29:db:ee:b9:5a:
                    2c:17:6e:71:41:78:74:e0:76:ca:16:71:ad:bf:e3:
                    6f:c1:30:fb:45:37:a2:80:a9:0a:b1:ac:96:3e:5a:
                    51:e6:31:cb:b5:64:41:38:97:d0:de:60:ff:d8:6c:
                    00:ad:4b:ae:2d:66:69:28:3d:77:f4:d7:56:83:89:
                    fb:db:0f:ed:96:d8:2c:d8:d6:72:e2:7e:14:0c:19:
                    76:b6:1e:ce:c2:c3:c7:9c:35:63:ea:98:ef:89:7d:
                    ea:04:ca:79:46:89:84:23:32:76:46:b7:e4:a9:9f:
                    a1:31:01:f7:32:4f:fc:7e:28:18:52:72:fc:0f:c7:
                    5b:1f:ba:ca:cf:bc:d3:d9:de:3b:b5:53:ef:41:cf:
                    81:6c:f8:63:93:10:aa:41:03:2c:8c:ea:80:cf:3d:
                    fd:38:d0:3a:97:e2:ab:cf:77:99:dc:20:50:6a:f2:
                    f9:3d:a5:da:5b:86:dc:fa:7c:52:f9:1f:71:93:36:
                    ab:3c:da:a0:4b:18:ac:5e:f4:df:51:37:79:90:47:
                    d7:c9:f8:a8:0d:9c:91:3c:90:5f:cf:6a:55:15:58:
                    3a:f4:ae:aa:f6:ee:c9:aa:c9:41:f8:77:07:d5:29:
                    f0:23:c6:db:d1:54:75:22:a6:b6:eb:d5:3d:59:51:
                    d9:2e:f7:ea:36:9b:f3:ff:f2:18:14:b3:9d:46:8e:
                    a4:21:11:3e:c6:96:37:03:ea:38:85:39:dd:00:68:
                    b6:1b:c4:e4:11:ce:51:43:0e:ca:8c:a5:e1:73:b9:
                    6f:98:b4:35:d0:83:e2:1b:73:06:f5:9c:e8:41:0c:
                    b6:97:7a:3b:da:bd:ce:bf:ab:d3:ea:f8:61:7f:54:
                    d1:21:d6:4e:22:74:29:10:b0:65:06:4e:44:47:c0:
                    be:0d:67:50:b6:e8:a5:18:bf:30:0b:78:fc:7e:3d:
                    3a:7b:2e:5e:62:7e:04:2c:44:50:9d:23:f1:51:51:
                    c7:6c:43:70:99:fa:07:c2:7c:57:d1:8e:09:e2:c4:
                    43:98:b7:82:bf:06:7a:ac:8a:45:a5:b1:5e:36:e0:
                    45:68:85
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         92:3a:03:1f:e1:72:05:31:25:78:e4:a9:7e:2f:f3:75:a5:5a:
         d2:0d:1a:bb:df:f1:7b:c3:23:28:3e:16:73:13:66:e0:8d:54:
         58:73:4f:f0:a7:3d:41:67:d4:c1:85:71:5b:dd:14:3f:e7:c5:
         01:5d:52:ee:20:d4:b4:08:04:71:9e:49:4d:43:30:4f:30:98:
         6e:19:eb:1b:3d:bc:7b:00:0c:78:a9:72:c7:eb:d8:f4:0f:5b:
         c6:5a:64:3c:c1:8e:5b:62:76:81:fc:84:1b:69:62:5b:39:36:
         cf:a9:fc:47:90:a3:e2:08:3e:29:fc:42:61:17:f5:34:49:f5:
         a3:de:4c:e2:c8:4b:e2:b0:ec:2f:70:81:87:08:9d:b7:0b:07:
         bf:df:1a:3d:b4:c4:c6:80:b2:a4:b8:98:df:ca:e9:ca:fc:6b:
         68:6e:0b:04:3d:99:98:c3:33:e0:14:de:94:e1:b7:f2:fa:2b:
         2d:28:a5:72:50:99:05:a0:48:71:2d:0c:98:63:a7:dc:46:f5:
         a6:bc:48:aa:f3:a4:ef:61:57:6a:be:96:c8:e1:a2:8b:d1:47:
         c7:16:12:69:a9:84:d1:dd:aa:35:80:a7:c8:70:19:08:bd:9f:
         e3:83:2e:4d:19:c1:72:51:07:5a:db:5b:b7:6b:0e:c7:a2:08:
         00:4c:e7:63:1e:83:a1:08:41:eb:ed:b0:a0:c3:ab:39:f7:cd:
         ca:b2:e6:90:ca:28:be:0b:3b:ee:87:9b:df:18:57:e6:e7:25:
         7c:4e:01:6e:82:df:35:81:8e:4c:d6:e7:ca:44:1d:4c:db:3f:
         55:85:a2:89:b2:de:76:c2:84:10:a8:c3:8b:ac:0a:76:68:e4:
         75:06:48:a7:e2:ce:0b:2a:bf:d3:77:bf:e7:85:95:02:b1:dd:
         d9:98:a4:51:f9:79:47:6c:58:35:1e:30:4c:f1:d4:17:f2:d4:
         4e:6f:b3:ea:ba:22:c0:88:d3:c4:03:de:b6:de:02:35:0a:d0:
         15:4b:c9:ab:da:4a:b1:13:e8:ba:62:db:9c:4f:4d:22:4d:f3:
         66:2e:a2:d9:b6:1d:92:d0:b8:f0:22:9a:87:c3:23:28:ba:8e:
         5a:eb:e1:6a:8e:1e:db:ed:14:dc:ca:a6:27:e7:0b:a4:2f:c9:
         af:71:80:3a:34:d2:ce:40:70:e5:05:11:10:39:e0:69:5d:67:
         e4:6b:a6:01:9c:6c:9d:ac:29:18:7f:43:91:6d:be:03:ef:0e:
         fa:7a:fc:64:7e:3c:59:48:81:fe:8a:89:ff:c8:15:89:6b:14:
         71:3a:86:f8:d3:78:0d:c2:08:15:d0:2d:1d:91:8f:6a:55:4d:
         9f:23:af:95:36:12:fa:e3

That is it. Now the self-signed certificate can be installed on a local web host!
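
The generation and verification steps above, combined into one script as an added example that is not part of the original page. It runs the same openssl req command non-interactively (-subj supplies the Distinguished Name fields so there are no prompts, and -addext adds a Subject Alternative Name, because the version 1 certificate in the sample output above carries no SAN and modern browsers will not accept a certificate for a hostname without one), then uses openssl x509 to confirm the key size, signature digest, subject, SAN and validity period, and that the private key actually belongs to the certificate. The working directory, file names and the hostname mydomainname.test are assumptions; an OpenSSL 1.1.1 or newer build is assumed for -subj and -addext, which older builds may lack.

```shell
#!/bin/sh
# Added example, not from the original page: generate the same self-signed
# certificate non-interactively, then check it against the parameters we asked
# for. Assumes the openssl binary is on PATH and supports -subj and -addext
# (OpenSSL 1.1.1 or newer); the directory, file names and hostname are made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"
CRT="$WORKDIR/certificate.crt"
HOST="${HOST:-mydomainname.test}"    # constructed sample hostname

# The page's command, plus -subj to answer the Distinguished Name prompts and
# -addext to add a Subject Alternative Name (browsers ignore the CN and require
# a SAN before they will accept the certificate for the hostname).
generate_self_signed() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/C=01/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
    # -nodes leaves the key unencrypted, so keep it readable by the owner only.
    chmod 600 "$KEY"
}

# Size in bits of the public key inside the certificate (expect 4096).
cert_key_bits() {
    openssl x509 -in "$CRT" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm recorded in the certificate (expect sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$CRT" -noout -text |
        sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Subject in RFC 2253 form, e.g. "subject=CN=mydomainname.test,C=01".
cert_subject() {
    openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253
}

# True if the certificate carries the DNS SAN we asked for.
cert_has_san() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$HOST"
}

# True if private.key really is the key for certificate.crt: the public key
# extracted from each must be the same PEM, byte for byte.
key_matches_cert() {
    [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}

# True if the certificate is valid for about 365 days: it must still be valid
# 364 days from now and already be expired 366 days from now.
validity_is_365_days() {
    openssl x509 -in "$CRT" -noout -checkend $((364 * 86400)) >/dev/null &&
        ! openssl x509 -in "$CRT" -noout -checkend $((366 * 86400)) >/dev/null
}

generate_self_signed
echo "key bits:  $(cert_key_bits)"
echo "signature: $(cert_sig_alg)"
cert_subject
cert_has_san         || { echo "SAN missing" >&2; exit 1; }
key_matches_cert     || { echo "private key does not match certificate" >&2; exit 1; }
validity_is_365_days || { echo "unexpected validity period" >&2; exit 1; }
echo "all checks passed; files are in $WORKDIR"
```

Run the script as-is, or set WORKDIR and HOST to override the defaults. The key-match check is the one most worth keeping around for the day the certificate is installed on a server: a private key that does not belong to the certificate is a common reason for a web server refusing to start, and comparing the two extracted public keys catches it before deployment.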

More Resources