Create, Sign and Manage Certificate using OpenSSL
OpenSSL is a versatile command line tool that can be used for a variety of cryptographic tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS).
This tutorial shows how to use OpenSSL for certificates used for asymmetric encryption in beta and test tasks used for internal or development environments. The associated CSR Certificate Signing Request certificates are not worthwhile for testing purposes issued by a Trusted CA certificate issuer. For this purpose, in an example, the generation of a private key with certificate issuance and its signing.
Create a self-signed certificate
openssl genrsa -out priv.key 4096 openssl req -new -nodes -sha256 -key priv.key -out cert.csr openssl x509 -req -sha256 -days 3650 -in cert.csr -signkey priv.key -out cert.crt
In this example, a private key with a length of 4096 bits is generated, which is valid for 10 years, the X509 Distinguished Key Identifiers are defined, with the encryption of the SHA256 algorithm, finally the certificate is self-signed.
openssl genrsa -out priv.key 4096 Generating RSA private key, 4096 bit long modulus ................................++ ..................................++ e is 65537 (0x010001) PS C:temp> openssl req -new -nodes -sha256 -key priv.key -out cert.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CH State or Province Name (full name) [Some-State]:ZRH Locality Name (eg, city) :ZURICH Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cyber Lab Ltd. Organizational Unit Name (eg, section) :D evOps Root CA Cert Authority Common Name (e.g. server FQDN or YOUR name) :cyber.foo.org Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password :1234 An optional company name :1234
The self-signed certificate generated in this way is used for cryptographic encryption for HTTPS / TLS server and client, code signing, IP End Point Security (SSL-VPN) or for S/MIME e-mail.
The certificate cert.crt is then imported into the certificate store, this to Trusted Root Certification Authorities and to The Own Certificates.
OpenSSL – Open Secure Socket Layer protocol is standard on most Linux distributions, the Windows binaries are available on sourceforge.
XCA – X Certificate Key Management
If you are not familiar with the OpenSSL command line tool, you can use the X Certificate – xca tool, which offers all options in a GUI.
X Certificate and Key Management is an interface for managing asymmetric keys such as RSA or DSA. It is intended for the creation and signing of certificates. The cryptographic operations use the OpenSSL library.
- Start own PKI and create all kinds of certificates, requests or CRLs
- Import and export in any format like PEM, DER, PKCS#7, PKCS#12
- Use them for your IPsec, OpenVPN, HTTPs or any other certificate based setup
- Manage your Smart-Cards via PKCS#11 interface
- Export certificates and requests to an OpenSSL config file
- Create Subject- and/or Extension- templates to ease issuing similar certs
- Convert existing certificates or requests to templates
- Get the broad support of x509v3 extensions as flexible as OpenSSL but user friendlier
- Adapt the Columns to have your important information at a glance
Download at sourceforge
Before keys and certificates can be generated, a database must <Ctrl+N> be created.<Ctrl+N> After generating a private key, a new certificate can be generated. The private keys should be kept password protected. If a private key becomes available for unauthorized ones, the certificate is no longer secure and must be replaced.
Verify key and certificate
Check and output private key
openssl rsa -check -in priv.key
openssl x509 -noout -text -in cert.crt
Certificate Signing Request Check and output
openssl req -text -noout -verify -in cert.csr
Verification of the private key, the CSR and the certificate for authenticity.
openssl rsa -noout -modulus -in priv.key | openssl md5 openssl x509 -noout -modulus -in cert.crt | openssl md5 openssl req -noout -modulus -in cert.csr | openssl md5
If the output of each command is identical, there is a very high probability that the certificate and CSR are related to the private key.
OpenSSL is the versatile Swiss Army Knife that can be used for a variety of cryptographic tasks for asymmetric encryption, from generating a private key with certificate issuance and signing, to verifying authenticity with testing of connectivity.