SSL certificates are high demand now. The encryption landscape has changed dramatically since Google launched the “HTTPS Everywhere” campaign. First, they gave an SEO boost as an incentive to install digital certificates, and later, Chrome made HTTPS all but mandatory for everyone. If you don’t use an SSL certificate, popular browsers such as Chrome and Firefox will mark your site as Not Secure.
Proper SSL implementation is crucial to a website’s security and success. And, with so many web owners learning about SSL for the first time, it’s important to equip them with all the necessary tools and utilities. One such tool is OpenSSL.
What is OpenSSL?
Open SSL is an all-around cryptography library that offers open-source application of the TLS protocol. First released in 1998, it is available for Linux, Windows, macOS, and BSD systems. OpenSSL allows users to perform various SSL related tasks, including CSR (Certificate Signing Request) and private keys generation and SSL certificate installation.
Most of the Linux distributions come with OpenSSL pre-compiled, but if you’re on a Windows system, you can get it from here.
Why do you need OpenSSL?
With OpenSSL, you can apply for your digital certificate (Generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as do all kind of verifications. More on them in another chapter. All you have to do is learn a few common OpenSSL commands and, with each new certificate, the configuration process will become quicker and easier. Since not all servers provide web user interfaces for SSL management, on some platforms OpenSSL is the only solution to import and configure your certificate.
How to use OpenSSL?
OpenSSL is all about its command lines. Below we’ve put together a few common OpenSSL commands for regular users. If you want to study all the commands, please go to this page.
Check your OpenSSL version
It’s imperative to know what OpenSSL version you have as it determines which cryptographic algorithms and protocols you can use. The latest OpenSSL release at the time of writing this article is 1.1.1. It’s the first version to support the TLS 1.3 protocol. Previous releases still receiving support are 1.0.2 and 1.1.0.
You can check your OpenSSL version by running the following command:
openssl version –a
You can use OpenSSL to create your CSR code. CSR is a block of encoded text with data about your website and company. You must submit the CSR to your Certificate Authority for approval. The certificate request requires a private key from which the public key is created. While you can use an existing key, it’s recommended to always generate a new private key whenever you create a CSR.
Generate your private key separately
To generate your private key, you need to specify the key algorithm, the key size, and an optional passphrase. The standard key algorithm is RSA, but you can also select ECDSA for specific situations. When choosing a key algorithm, make sure you won’t run into compatibility issues. In this article, we only show how to generate a private key via the RSA algorithm.
For your key size, you should pick 2048 bit when using the RSA key algorithm, and 256 bit when using the ECDSA algorithm. Any key size lower than 2048 is not secure, while a higher value may slow down the performance.
Finally, you should decide whether you need a passphrase for your private key or not. Please note, that certain servers will not accept private keys with passphrases.
Once you’re ready to generate your private key (with RSA algorithm), run the commands below:
openssl genrsa -out yourdomain.key 2048
This command will create the yourdomain.key file in your current directory. Your private key will be in the PEM format.
You can view the encoded contents of your private key via the following command:
To decode your private key, runt the command below:
openssl rsa -text -in yourdomain.key -noout
Extract your public key
To extract your public key from the private key, use the following command:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Create the Certificate Signing Request
After you’ve successfully generated the private key, it’s time to create your CSR. It will be in PEM format and include details about your company, as well as the public key derived from your private key. Run the following command to generate the CSR:
openssl req -new -key yourdomain.key -out yourdomain.csr
OpenSSL will prompt you to answer a few questions. Use the example below:
- Country Name (2 letter code): enter the two-letter code of your country. If you have a Business Validation or Extended Validation certificate, make sure the country you submit, is the official residence of your organization
- State or Province Name: type the full name of the state or region where your company is registered
- Locality Name: specify the name of the city or town where your business is located
- Organization Name: enter the officially registered name of your company. For instance, GPI Holding LLC. For Domain Validation certificates, you can put in NA instead
- Organization Unit Name: it’s usually IT or Web Administration. You can sue NA for DV certificates
- Common Name: specify the Fully Qualified Domain Name (FQDN) to which you want to assign your SSL certificate. For example, ssldragon.com. If you want to activate a wildcard certificate, add an asterisk in front of your domain name (e.g. *.ssldragon.com)
- Email Address: provide a valid email address
Note: Next attributes are optional. If you don’t want to fill them in input a dot (.) to leave them blank.
- A challenge password: this is an outdated attribute, no longer required by the Certificate Authorities. To avoid any confusion, leave this field blank
- An Optional Company Name: If your official company name is too long or complex, you can enter a shorter name or your brand name here. Again, to avoid confusion, better ignore this field.
-subj Switch- an alternative way to generate the CSR code
You can also submit your information within the command line itself with help of the –subj switch.
This command will disable the question prompts:
openssl req -new -key yourdomain.key -out yourdomain.csr \ -subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
Create your private key and CSR at once
OpenSSL is so versatile, there’s also a command to generate both your private key and CSR.
openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command generates the private key without a passphrase (-keyout yourdomain.key) and the CSR code (out yourdomain.csr).
Check your CSR info
To ensure you’ve provided the correct information before submitting the CSR to your CA, run the command below:
openssl req -text -in yourdomain.csr -noout –verify
Send the CSR to the CA
Run the cat yourdomain.csr command to view and copy the entire contents of the CSR. Make sure you include —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST— tags, and paste everything into your SSL vendor’s order form.
Verify your certificate’s details
After your CA delivers the SSL certificate to your inbox run the command below to ensure that the certificate’s info matches your private key.
openssl x509 -text -in yourdomain.crt –noout
This concludes our list of common OpenSSL commands. If you’re looking for more information on what is OpenSSL and how it works, this free book is an excellent resource.