Proper SSL implementation is crucial to a website’s security and success. And, with so many web owners learning about SSL for the first time, it’s essential to equip them with all the necessary tools and utilities. One such tool is OpenSSL. So, what is OpenSSL, and why is it so important?
The following guide covers every aspect of this useful utility, including how to use OpenSSL and the various OpenSSL commands for easy and efficient SSL management.
Table of Contents
- What is OpenSSL?
- How to use the OpenSSL commands on Windows and Linux?
- OpenSSL command line examples
- Conclusion
- Frequently Asked Questions
What is OpenSSL?
OpenSSL is an all-around cryptography library that offers an open-source application of the TLS protocol. It allows users to perform various SSL-related tasks, including CSR (Certificate Signing Request) and private keys generation, and SSL certificate installation.
What is OpenSSL used for?
SSL certificates are in high demand now. The encryption landscape has changed dramatically since Google launched the “HTTPS Everywhere” campaign.
First, they gave an SEO boost as an incentive to install digital certificates, and later, Chrome made HTTPS all but mandatory for everyone. If you don’t use an SSL certificate, popular browsers such as Chrome and Firefox will mark your site as Not Secure.
With OpenSSL, you can apply for your digital certificate (Generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as do all kinds of verifications.
Since not all servers provide web user interfaces for SSL management, on some platforms OpenSSL is the only solution to import and configure your certificate. Open SSL commands for Windows are identical to those used on Linux servers.
How to use the OpenSSL commands on Windows and Linux?
OpenSSL is all about its command lines. All you have to do is learn a few common OpenSSL commands and, with each new certificate, the configuration process will become quicker and
easier.
How to check if OpenSSL is installed on Linux?
To check if OpenSSL is installed on your Linux system, use the commands below:
For GNU/Linux distributions that use rpm packages:
rpm -qa | grep -i openssl
For GNU/Linux distributions that use deb packages:
dpkg -l | grep -i openssl
For Arch Linux use:
pacman -Q openssl
How to use OpenSSL on Windows?
The default installation will create a directory for the program on your C:\ drive. For example C:\OpenSSL-Win32
To run the program, go to the C:\OpenSSL-Win32\bin directory and double-click the file openssl.exe. A text window will open with an OpenSSL> prompt.
Enter the OpenSSL for Windows you need at this prompt. The files you generate will be in this same directory.
How to download OpenSSL for Windows?
First released in 1998, it is available for Linux, Windows, macOS, and BSD systems. Most of the Linux distributions come with OpenSSL pre-compiled, but if you’re on a Windows system, you can download OpenSSL from here.
OpenSSL command line examples
Below we’ve put together a few common OpenSSL commands for regular users. Use them anytime you want to generate or manage your certificates.
How to check the OpenSSL version?
It’s imperative to know what OpenSSL version you have as it determines which cryptographic algorithms and protocols you can use. The latest OpenSSL release is 3.0.0. It supports the TLS 1.3 protocol and restores FIPS 140 support.
You can check your OpenSSL version by running the following command:
openssl version –a
How to use OpenSSL to generate a certificate?
To install an SSL certificate on your website, you must follow a few mandatory steps, which are the same for any server or email client. OpenSSL is especially handy when you don’t have a web control panel or want to streamline the whole process. With just a few OpenSSL commands, you can generate the Certificate Signing Request and the private key, merge files, verify certificate information, and troubleshoot any potential issues.
Learn the commands below, and you’ll know how to manage SSL certs on almost any server, be it mainstream or fully customized.
How to generate a CSR with OpenSSL?
You can use OpenSSL to create your CSR code. CSR is a block of encoded text with data about your website and company. You must submit the CSR to your Certificate Authority for approval. Alternatively, you can create CSR via another external CSR generator tool.
The certificate request requires a private key from which the public key is created. While you can use an existing key, it’s recommended to always generate a new private key whenever you create a CSR.
After you’ve successfully generated the private key, it’s time to create your CSR. It will be in PEM format and include details about your company, as well as the public key derived from your private key.
Run the following command to generate the CSR:
openssl req -new -key yourdomain.key -out yourdomain.csr
–subj Switch – an alternative way to generate the CSR code
You can also submit your information within the command line itself with help of the –subj switch.
This command will disable the question prompts:
openssl req -new -key yourdomain.key -out yourdomain.csr \ -subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
How to Generate the private key with OpenSSL?
To generate your private key, you need to specify the key algorithm, the key size, and an optional passphrase. The standard key algorithm is RSA, but you can also select ECDSA for specific situations. When choosing a key algorithm, make sure you won’t run into compatibility issues. In this article, we only show how to generate a private key via the RSA algorithm.
For your key size, you should pick 2048 bits when using the RSA key algorithm, and 256 bits when using the ECDSA algorithm. Any key size lower than 2048 is not secure, while a higher value may slow down the performance.
Finally, you should decide whether you need a passphrase for your private key or not. Please note that certain servers will not accept private keys with passphrases.
Once you’re ready to generate your private key (with RSA algorithm), run the commands below:
openssl genrsa -out yourdomain.key 2048
This command will create the yourdomain.key file in your current directory. Your private key will be in the PEM format.
How to view the private key information with OpenSSL?
You can view the encoded contents of your private key via the following command:
cat yourdomain.key
How to decode the private key with OpenSSL?
To decode your private key, run the command below:
openssl rsa -text -in yourdomain.key -noout
How to extract the public key with OpenSSL?
To extract your public key from the private key, use the following command:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
How to create your private key and CSR at once with OpenSSL?
OpenSSL is so versatile, there’s also a command to generate both your private key and CSR.
openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
i>-out yourdomain.csr \
-subj "/C=US/ST=CA/L=San Francisco/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command generates the private key without a passphrase (-keyout yourdomain.key) and the CSR code (out yourdomain.csr).
How to check the CSR info with OpenSSL?
To ensure you’ve provided the correct information before submitting the CSR to your CA, run the command below:
openssl req -text -in yourdomain.csr -noout –verify
How to send the CSR to the CA?
Run the cat yourdomain.csr command to view and copy the entire contents of the CSR.
Make sure you include —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST— tags, and paste everything into your SSL vendor’s order form.
How to check a certificate in OpenSSL?
After your CA delivers the SSL certificate to your inbox, run the command below to ensure that the certificate’s info matches your private key.
openssl x509 -text -in yourdomain.crt –noout
This concludes our list of common OpenSSL commands. If you want, you can study all the OpenSSL commands. If you’re looking for more information on what OpenSSL is and how it works, this free book is an excellent resource.
Frequently Asked Questions
1. What does OpenSSL do?
OpenSSL is a free and open-source command line tool used to generate CSRs, create private keys, install an SSL certificate, and verify certificate information. OpenSSL is compatible with both Windows and Linux distributions.
2. Who uses OpenSSL?
Anyone can use OpenSSL to manage SSL certificate installations. Using OpenSSL on Windows and Linux is a quick and efficient way to encrypt websites. Both seasoned developers and novice admins benefit from OpenSSL command lines.
3. Where is OpenSSL installed?
By default, the OpenSSL directory is /usr/local/ssl for Linux distributions and C:\OpenSSL-Win32 for Windows.
4. What is the difference between SSL and OpenSSL?
SSL stands for Secure Sockets Layer, a now-deprecated cryptographic protocol that encrypts communications between two computer applications over a network. When we refer to SSL certificates, they’re actually TLS (Transport Layer Security) certificates, with TLS being the successor of SSL. Learn more about the difference between SSL and TLS.
On the other hand, OpenSSL is a cryptographic utility that uses command lines to manage the generation, installation, and identification of SSL/TLS certificates
5. Is OpenSSL a Linux command?
OpenSSL commands are universally used on both Linux and Windows systems.
6. Is OpenSSL free to use?
Yes, OpenSSL is free to use for commercial and non-commercial purposes.
7. What is OpenSSL for Windows?
OpenSSL is a cryptographic utility that facilitates SSL certificate management. With OpenSSL command lines, you can perform a wide range of actions, including CSR generation, private key creation, certificate inspection, and many more.
8. How to open OpenSSL in Windows?
Once you’ve installed OpenSSL on Windows, double-click the Openssl.exe file to run it.
Conclusion
Now that you know what is OpenSSL and how it works, you can use its commands to generate, install and manage SSL certificates on various servers. Using OpenSSL is, sometimes, the only option when you don’t have a web hosting panel. It may take a while before you get comfortable with OpenSSL commands, but the more you use them, the better SSL certificate management becomes.
