Proper SSL implementation is crucial to a website’s security and success. And, with so many web owners learning about SSL for the first time, it’s essential to equip them with all the necessary tools and utilities. One such tool is OpenSSL. So, what is OpenSSL, and why is it so important?
The following guide covers every aspect of this useful utility, including how to use OpenSSL and the various OpenSSL commands for easy and efficient SSL management.
Table of Contents
What Is OpenSSL?
OpenSSL is an all-around cryptography library that offers an open-source application of the TLS protocol. It allows users to perform various SSL-related tasks, including CSR (Certificate Signing Request) generation, private keys generation and SSL certificate installation.
What Is OpenSSL Used For?
OpenSSL is an open-source command line tool that is commonly used to generate CSRs and private keys, install the SSL files on your server, merge files, convert your certificate into various SSL formats, verify certificate information and troubleshoot any potential issues.
To install an SSL certificate on your website, you must follow a few mandatory steps, which are the same for any server or email client. OpenSSL is especially handy when you don’t have a web control panel or want to streamline the whole process.
Since not all servers provide web user interfaces for SSL management, on some platforms OpenSSL is the only solution to import and configure your certificate.
How to Use OpenSSL
OpenSSL is all about its command lines. All you have to do is learn a few common OpenSSL commands and, with each new certificate, the configuration process will become quicker and easier.
First released in 1998, OpenSSL is available for Linux, Windows, macOS, and BSD systems. Most of the Linux distributions come with OpenSSL pre-compiled.
How to Check if OpenSSL Is Installed on Linux?
To check if OpenSSL is installed on your Linux system, use the commands below.
For GNU/Linux distributions that use rpm packages:
rpm -qa | grep -i openssl
For GNU/Linux distributions that use deb packages:
dpkg -l | grep -i openssl
For Arch Linux use:
pacman -Q openssl
How to Use OpenSSL on Windows?
If you’re on a Windows system, you can download OpenSSL from here.
The default installation will create a directory for the program on your C drive – C:\OpenSSL-Win32
To run the program, go to the C:\OpenSSL-Win32\bin\ directory and double-click the openssl.exe file. A text window will open with an OpenSSL> prompt.
Enter the OpenSSL commands you need at this prompt. The files you generate will be in this same directory. OpenSSL commands for Windows are identical to those used on Linux servers.
Common OpenSSL Commands
Below we’ve put together a few common OpenSSL commands for regular users. Use them anytime you want to generate or manage your certificates.
Check the OpenSSL Version
It’s imperative to know what OpenSSL version you have as it determines which cryptographic algorithms and protocols you can use. You can check your OpenSSL version by running the following command:
openssl version –a
Generate a CSR with OpenSSL
You can use OpenSSL to create your CSR (Certificate Signing Request) code. Run the following command to generate the CSR:
openssl req -new -key yourdomain.key -out yourdomain.csr
You can also submit your information within the command line itself with help of the –subj switch.
This command will disable the question prompts:
openssl req -new -key yourdomain.key -out yourdomain.csr -subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
Alternatively, you can create CSR via an CSR generator tool.
Generate the Private Key with OpenSSL
To generate your private key, you need to specify the key algorithm, the key size, and an optional passphrase. The standard key algorithm is RSA, but you can also select ECDSA for specific situations. When choosing a key algorithm, make sure you won’t run into compatibility issues. In this article, we only show how to generate a private key via the RSA algorithm.
For your key size, you should pick 2048 bits when using the RSA key algorithm, and 256 bits when using the ECDSA algorithm. Any key size lower than 2048 is not secure, while a higher value may slow down the performance.
Finally, you should decide whether you need a passphrase for your private key or not. Please note that certain servers will not accept private keys with passphrases.
Once you’re ready to generate your private key (with RSA algorithm), run the commands below:
openssl genrsa -out yourdomain.key 2048
This command will create the yourdomain.key file in your current directory. Your private key will be in the PEM format.
View the Private Key Information with OpenSSL
You can view the encoded contents of your private key via the following command:
cat yourdomain.key
Decode the Private Key with OpenSSL
To decode your private key, run the command below:
openssl rsa -text -in yourdomain.key -noout
Extract the Public Key with OpenSSL
To extract your public key from the private key, use the following command:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Create Your Private Key and CSR at Once with OpenSSL
OpenSSL is so versatile, there’s also a command to generate both your private key and CSR:
openssl req -out yourdomain.csr -new -newkey rsa:2048 -nodes -keyout yourdomain.key
This command generates the private key without a passphrase (-keyout yourdomain.key) and the CSR code (out yourdomain.csr).
Check the CSR Info with OpenSSL
To ensure you’ve provided the correct information before submitting the CSR to your CA, run the command below:
openssl req -text -in yourdomain.csr -noout –verify
Send the CSR to the CA
Run the following command to view and copy the entire contents of the CSR:
cat yourdomain.csr
Make sure you include —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST— tags, and paste everything into your SSL vendor’s order form.
Check a Certificate in OpenSSL
After your CA delivers the SSL certificate to your inbox, run the command below to ensure that the certificate’s info matches your private key.
openssl x509 -text -in yourdomain.crt –noout
This concludes our list of common OpenSSL commands. If you want, you can study all the OpenSSL commands.
Bottom Line
Now that you know what is OpenSSL and how it works, you can use its commands to generate, manage and install SSL certificates on various servers. Using OpenSSL is, sometimes, the only option when you don’t have a web hosting panel.
It may take a while before you get comfortable with OpenSSL commands, but the more you use them, the better SSL certificate management becomes.
If you’re looking for more information on what OpenSSL is and how it works, this free book is an excellent resource.
Frequently Asked Questions
SSL/TLS is a cryptographic protocol that encrypts communications between two computer applications over a network.
On the other hand, OpenSSL is a cryptographic utility that uses command lines to manage the generation, installation, and identification of SSL/TLS certificates.
Copy Link
Yes, OpenSSL is free to use for commercial and non-commercial purposes.
Copy Link
Save 10% on SSL Certificates when ordering today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
