SSL certificates are in high demand now. The encryption landscape has changed dramatically since Google launched its “HTTPS Everywhere” campaign. First, Google offered a search-ranking boost as an incentive to install digital certificates, and later Chrome made HTTPS all but mandatory for everyone. If your site is served over plain HTTP, popular browsers such as Chrome and Firefox mark it as Not Secure.

Proper SSL implementation is crucial to a website’s security and success. And, with so many website owners learning about SSL for the first time, it’s important to equip them with the necessary tools and utilities. One such tool is OpenSSL.

What is OpenSSL?

OpenSSL is a general-purpose cryptography library that also ships an open-source implementation of the SSL/TLS protocols. First released in 1998, it is available for Linux, Windows, macOS, and BSD systems. OpenSSL lets users perform the usual certificate-related tasks: generating private keys and CSRs (Certificate Signing Requests), inspecting and converting certificates, and preparing the files for installation on a server.

Most Linux distributions ship with OpenSSL pre-installed (run openssl version to check). The OpenSSL project itself only publishes source code, so on Windows you need a third-party binary build, such as the one linked from the original version of this article.

Why do you need OpenSSL?

With OpenSSL, you can apply for your digital certificate (generate the Certificate Signing Request) and prepare the SSL files for your server. You can also convert your certificate between the various SSL file formats and run all kinds of verifications. More on those in another chapter.

All you have to do is learn a few common OpenSSL commands and, with each new certificate, the configuration process will become quicker and easier. Since not all servers provide a web interface for SSL management, on some platforms OpenSSL is the only way to import and configure your certificate.

How to use OpenSSL?

OpenSSL is driven from the command line. Below we’ve put together a few common OpenSSL commands for everyday use. If you want to study the full command set, please go to this page.

Check your OpenSSL version

It’s important to know which OpenSSL version you have, as it determines which cryptographic algorithms, protocols, and command-line options are available to you. At the time of writing, the current major release is the 3.0 series. It supports TLS 1.3 (as did 1.1.1 before it) and reintroduces FIPS 140 support through a separate FIPS provider module.

You can check your OpenSSL version by running the following command: 

openssl version -a

CSR Generation

You can use OpenSSL to create your CSR. A CSR is a block of Base64-encoded (PEM) text containing the public key and identifying details about your website and company, signed with your private key so the CA can confirm you hold that key. You submit the CSR to your Certificate Authority for approval; the private key itself never leaves your server.

The certificate request requires a private key from which the public key is created. While you can use an existing key, it’s recommended to always generate a new private key whenever you create a CSR.

After you’ve successfully generated the private key, it’s time to create your CSR. It will be in PEM format and include details about your company, as well as the public key derived from your private key. Note that browsers validate the hostname against the certificate’s subjectAltName (SAN) extension, not the Common Name; the interactive prompts below only fill in the subject fields, so check whether your CA takes the SAN from its order form or expects it in the CSR. Run the following command to generate the CSR and answer the prompts:

openssl req -new -key yourdomain.key -out yourdomain.csr

The -subj switch: an alternative way to generate the CSR

You can also supply your information within the command line itself with the -subj switch.

This command disables the interactive prompts (the trailing backslash continues the command onto the next line):

openssl req -new -key yourdomain.key -out yourdomain.csr \
-subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

Generate your private key separately

To generate your private key, you need to choose the key algorithm, the key size, and whether to protect the key with a passphrase. The standard key algorithm is RSA, but ECDSA (elliptic-curve) keys are smaller and faster and are accepted by all modern browsers; before choosing one, confirm that your server software and any older clients you must support can handle it. In this article, we only show how to generate a private key with the RSA algorithm.

For the key size, pick 2048 bits for RSA and 256 bits (the P-256 curve) for ECDSA. Public CAs will not sign RSA keys shorter than 2048 bits, and 1024-bit RSA is considered breakable; going up to 4096 bits is allowed but noticeably slows down the TLS handshake.

Finally, decide whether you need a passphrase for your private key. A passphrase encrypts the key file on disk, but the server then needs the passphrase every time it starts, and some servers cannot load an encrypted key at all, so keys deployed for unattended restarts are normally stored unencrypted with restrictive file permissions.

Once you’re ready to generate your private key (with the RSA algorithm), run the command below:

openssl genrsa -out yourdomain.key 2048

This command creates the yourdomain.key file in your current directory, in PEM format. Anyone who reads this file can impersonate your site, so make it readable only by the account that runs the server (chmod 600) and never send it to your CA or paste it into a support ticket.

You can view the PEM-encoded contents of your private key with the following command:

cat yourdomain.key

To decode the key and print its components (modulus, public and private exponents, primes) in human-readable form, run the command below:

openssl rsa -text -in yourdomain.key -noout
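The passphrase decision above in practice: the script below is an added example, not code from the original article. It generates an RSA key protected by a passphrase, shows how to confirm the file is actually encrypted, and then writes the unencrypted copy a server needs for unattended restarts, proving both files hold the same key. The passphrase, file names and the temporary working directory are assumptions; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article). Passing the passphrase as
# pass:... is done here only so the demo runs offline; on a real host that
# form leaks into shell history and `ps`, so prefer -passout file:/path or
# env:VARNAME instead.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="correct horse battery staple"   # assumption: throwaway demo passphrase
ENC="$WORK/server.enc.key"            # encrypted original, kept as the backup
PLAIN="$WORK/server.key"              # plaintext copy the server will load

# Encrypted key: -aes256 wraps the PEM under a key derived from the passphrase.
# umask 077 in a subshell so the file is created mode 0600 from the start.
gen_encrypted_key() {
    ( umask 077; openssl genrsa -aes256 -passout "pass:$PASS" -out "$1" 2048 2>/dev/null )
}

# Succeeds if the PEM is encrypted. Both the legacy "Proc-Type: 4,ENCRYPTED"
# header written by OpenSSL 1.x and the "ENCRYPTED PRIVATE KEY" PKCS#8 block
# written by OpenSSL 3.x contain the word ENCRYPTED.
is_encrypted() { grep -q ENCRYPTED "$1"; }

# Decrypt once and write the plaintext copy. -passin is ignored for a key
# that is not encrypted, so the same helper works on either file.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" 2>/dev/null )
}

# SHA-256 fingerprint of the DER-encoded public key: equal fingerprints mean
# the two files contain the same key pair.
key_fp() {
    openssl rsa -in "$1" -passin "pass:$PASS" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns non-zero if the backup is not encrypted, the server copy is, or the
# two keys differ.
verify_pair() {
    is_encrypted "$ENC" && ! is_encrypted "$PLAIN" \
        && [ "$(key_fp "$ENC")" = "$(key_fp "$PLAIN")" ]
}

gen_encrypted_key "$ENC"
strip_passphrase "$ENC" "$PLAIN"
verify_pair
echo "encrypted and plaintext copies hold the same key: $(key_fp "$PLAIN")"
```

If you keep only the encrypted file, the server will prompt for the passphrase at every restart; if you keep only the plaintext file, its 0600 permissions are the whole protection, so make sure backups of it are encrypted some other way.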

Extract your public key

To extract your public key from the private key, use the following command: 

openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key

Create your private key and CSR at once

OpenSSL can also generate the private key and the CSR in a single command:

openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

This command generates a new 2048-bit RSA private key without a passphrase (-newkey rsa:2048 -nodes, where -nodes means “no DES”, i.e. do not encrypt the key; OpenSSL 3.0 also accepts the clearer -noenc) and writes it to yourdomain.key (-keyout), together with the CSR (-out yourdomain.csr).

Check your CSR info

To ensure you’ve provided the correct information before submitting the CSR to your CA, run the command below. -text prints the subject, public key and any requested extensions; -verify checks the CSR’s self-signature, which confirms it was signed by the private key it carries the public half of:

openssl req -text -in yourdomain.csr -noout -verify

Send the CSR to the CA

Run the cat yourdomain.csr command to view and copy the entire contents of the CSR. Make sure you include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste everything into your SSL vendor’s order form.

Verify your certificate’s details

After your CA delivers the SSL certificate to your inbox, run the command below to print its details and confirm that the subject, the Subject Alternative Names, the validity period and the issuer are what you ordered. Note that this command only displays the certificate; it does not check that it belongs to your private key. To check that, compare the public key embedded in the certificate with the one derived from your key (for RSA keys, the -modulus option of openssl x509 and openssl rsa must print the same value).

openssl x509 -text -in yourdomain.crt -noout
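The whole workflow described in this article, from private key to CSR to the checks you run when the certificate comes back, as one runnable shell script. This is an added example, not code from the original article: the domain name, subject fields and working directory are assumptions, it puts the SAN into the CSR through a small config file rather than relying on the CA’s order form, and because it has to run offline it simulates the CA step with a self-signed certificate (in real use you paste the CSR into the CA’s form and save the certificate it returns as $CRT). It requires openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article). Every check here is a
# function returning zero on success, so the pieces can be reused on their own.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"   # assumption: the site being certified
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/$DOMAIN.key"
CSR="$WORK/$DOMAIN.csr"
CRT="$WORK/$DOMAIN.crt"
CNF="$WORK/req.cnf"

# Request config: subject fields (prompt = no suppresses the interactive
# questions) plus a subjectAltName. Browsers match the hostname against the
# SAN only, so a request that carries just a CN is not enough on its own.
cat > "$CNF" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
C  = US
ST = CA
L  = San Francisco
O  = Your Company, Inc.
CN = $DOMAIN
[v3_req]
subjectAltName = DNS:$DOMAIN, DNS:www.$DOMAIN
EOF

# 1. RSA-2048 private key, unencrypted (what most servers expect). umask 077
#    in a subshell so the file is created mode 0600, never world-readable.
gen_key() {
    ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" )
}

# 2. CSR signed with the key; subject and SAN come from the config file.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -config "$CNF"
}

# Public key as PEM from a private key, a CSR or a certificate, selected by
# file extension, then hashed as DER. Equal fingerprints mean the same key
# pair; this is the check that "openssl x509 -text" on its own does not do.
emit_pubkey() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
    esac
}
pubkey_fp() {
    emit_pubkey "$1" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 3. Checks before submitting: the self-signature proves possession of the
#    private key; the fingerprint proves it is the key on disk, not one left
#    over from an earlier attempt.
check_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(pubkey_fp "$CSR")" = "$(pubkey_fp "$KEY")" ]
}

# 4. Simulated CA (assumption, offline only): self-sign for 90 days and copy
#    the SAN from the config. A real CA sets issuer, validity and extensions.
simulate_ca() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -out "$CRT" -days 90 -sha256 \
        -extfile "$CNF" -extensions v3_req 2>/dev/null
}

# 5. Checks after delivery: the certificate belongs to our key, the SAN names
#    the host, and it is not within 30 days (2592000 s) of expiry.
check_cert() {
    [ "$(pubkey_fp "$CRT")" = "$(pubkey_fp "$KEY")" ] || return 1
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$DOMAIN" || return 1
    openssl x509 -in "$CRT" -noout -checkend 2592000 >/dev/null
}

run_all() {
    gen_key "$KEY" && gen_csr && check_csr && simulate_ca && check_cert
}

run_all
echo "key, CSR and certificate in $WORK agree; public key SHA-256: $(pubkey_fp "$KEY")"
```

Run it with DOMAIN=example.org to change the name; to use it against a certificate a real CA issued, skip simulate_ca, copy the CA’s file to $CRT and call check_cert. A mismatch there usually means the CSR was generated from a different key than the one on the server, which is the most common cause of the “key values mismatch” error at installation time.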

This concludes our list of common OpenSSL commands. If you’re looking for more information on what OpenSSL is and how it works, this free book is an excellent resource.

Last updated on September 16, 2022.