Working with SSL Certificate

SSL stands for Secure Sockets Layer which can be defined as a standard security protocol for establishing encrypted links between a web server and a browser so that user’s data privacy is respected and nobody is spying in the middle which is very crucial in the day and age especially after snowden revelation.

Openssl tool set can be used as a arsenal for carrying out almost every task you can think of related to ssl certificate. This guide defines the method of Certificate Signing Requests (CSRs) and generating the self signed certificate and finally converting the ssl certificate in the required format.

Certicificate Signing Requests (CSR)

In order to get hands on SSL certificate from a certified CA(Certificate Authority), you must generate a Certicificate Signing Request(CSR).

The CSR will have the following information:

  • Country Name (2 letter code)
  • State or Provice Name (full name)
  • Locality Name
  • Organization Name
  • Organization Unit Name
  • Common Name (i.e. Fully Qualified Domain Name)
  • Email Address

The Fully Qualified Domain Name(FQDN) server as the distinguished name and should be bought by the organization from the rquired authority. It may be contain wildcard like * thus all the subdomain of the can use the same ssl key.

The following command is used the generate CSR.

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

where, domain.key is 2048-bit private key and domain.csr is the Certificate signing request. Example interaction encountered

Country Name (2 letter code) [AU]:NP
State or Province Name (full name) [Some-State]:State 3
Locality Name (eg, city) []:Kathmandu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:maharjansujit
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []
Email Address [] 

Generating a CSR from an Existing Certificate and Private Key

If you already have a private certificate you can use the following command.

openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

You will send the csr file to the required authority so that they can sign the given key.

Generating self-signed Certificate

You can use the following command to generate the self-signed key.

openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

where domain.key is the private key, domain.crt is the public key.

Generating self-singed Certificate from existing private key

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

where domain.key is the existing private key and domain.crt is the self-signed certificate.

Generate self-signed Certificate from existing private key and CSR

openssl x509 -signkey domain.key -in domain.csr -in domain.csr -req -days 365 -out domain.crt

Viewing Certificates

The openssl files generated are encoded in PEM format, which is not readily human-readable.

View CSR Entries

openssl req -text -nout --verify -in domain.csr

where doamin.csr is the existing csr file you intend to read.

View Certificate Entries

openssl verify -verbose -CAFile ca.crt domain.crt

Convert Certificate Formats

All the above command generates X.509 certificates that are ASCII PEM encoded. If you need the certificate in other format you can convert them using the following commands.


openssl x509 -in domain,crt -outform der -out domain.der

where domain.crt is the certificate file in PEM format and domain.der is the file in DER

Convert DER to PEM

openssl x509 -inform der -in domain.der -out domain.crt

where domain.crt is the certificate file in PEM format and domain.der is the file in DER

comments powered by Disqus