How to use OpenSSL to manage SSL/TLS certificates

Learn how to use OpenSSL with this complete tutorial.


Have you ever heard about SSL certificates? Even if you have not, you have used them for sure. In July 2018 Google started to treat plain HTTP sites as non-secure: since the 24th of July 2018 (Chrome 68), Google Chrome shows a "Not secure" warning to users visiting HTTP sites. As a result, most sites now show a small lock near their URL. That lock means the site presented a valid certificate and the connection is protected with TLS, the modern successor of SSL (the "SSL certificate" name stuck even though the protocol is TLS). And that's when OpenSSL enters the picture. OpenSSL is a toolkit that implements TLS and lets you create and manage keys, certificates and signing requests. In this post, we will see how to use OpenSSL to create our first certificate.

[Figure: the HTTPS lock in the browser address bar.] The lock is a requirement for any modern website.

How to use OpenSSL

Installing OpenSSL on Windows

Before we start working on how to use OpenSSL, we need to install it first. Doing so is simple, even on Windows. First, we need to download the OpenSSL binaries. The OpenSSL project itself does not publish Windows installers, but the OpenSSL wiki lists third-party builds you can use. Whichever build you pick, check the hash or signature the publisher provides before running it: this is the program that will handle your private keys. You will download an executable installer; it is a simple visual setup that you can finish by clicking Next a few times. However, you need to remember the folder where you install OpenSSL.

Once the install has finished, we need to add OpenSSL to our PATH environment variable. While not required, this is very helpful in day-to-day work: you can then run openssl from anywhere in your command prompt. Open the Start menu and search for "Edit the system environment variables"; a dialog will appear. In it, click Environment Variables, select Path in the list at the top, and click Edit. Now click New and, in the new row that appears, type the path to your OpenSSL bin folder. Once done, click OK through the dialogs to apply the change.

For example, I have installed OpenSSL in E:\Software\OpenSSL, so I have to add E:\Software\OpenSSL\bin: that's where openssl.exe is. Now open a new command prompt (the PATH change only applies to windows opened afterwards) and run openssl version to confirm the binary is found and to see which version you have; typing openssl alone opens the interactive OpenSSL prompt instead. We are ready to start to see how to use OpenSSL.

Making your first self-signed certificate

How to use OpenSSL to create a self-signed certificate? It is very easy, and it takes only one command. But before we do that, it is worth understanding what a self-signed certificate is and is not. A certificate binds a public key to an identity (a hostname, an organization), and what makes that binding trustworthy is the signature of whoever vouches for it. With a self-signed certificate, you vouch for yourself. Unsurprisingly, nobody else has a reason to trust that, and web browsers will show a certificate warning instead of the lock.

What is the purpose of self-signed certificates then? Of course, you can use them for tests. They can also have a valid role in an internal environment that is not exposed to the Internet, provided you distribute the certificate to every client that has to trust it (once you have more than a handful of hosts, an internal CA whose root is trusted once is much easier to manage). The opposite of a self-signed certificate is a certificate signed by a Certificate Authority (CA). That's a third party whose root certificates ship in browsers and operating systems, so most people and systems trust what it signs.

Here is the command to generate your certificate.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Unfolding the command

This will create a new private key and a self-signed certificate for it. We will cover what keys and certificates are in a minute; for now, let's analyze the command piece by piece.

  • req is the subcommand that builds certificate requests (CSRs) and, with -x509, self-signed certificates
  • -x509 tells req to output a self-signed certificate instead of a signing request. X.509 is the standard format of public-key certificates, which is where the option takes its name.
  • -newkey rsa:4096 tells OpenSSL to create a new RSA private key of 4096 bits (bits, not bytes) at the same time.
  • -keyout key.pem identifies the file that will store the private key once it is created.
  • -out cert.pem defines the output file that will contain the certificate
  • -days 365 specifies how many days, counting from now, the certificate will be valid.

This command will ask for some input. First of all, a passphrase for the key file: the key is crucial and private, so by default OpenSSL encrypts it and you need the passphrase to use it. If the certificate is for a server that must start unattended, add -nodes (or -noenc on OpenSSL 3) to write the key unencrypted, and protect the file with permissions instead. Then, it will ask details about the certificate subject, as listed in the table below.

Field                    | Description
Country Name             | The two-letter code of the country where the organization requesting the certificate resides (e.g. IT).
State or Province        | The state or province where the organization requesting the certificate resides.
Locality                 | Typically the city.
Organization Name        | Name of the organization requesting the certificate (e.g. company name).
Organizational Unit (OU) | The department within the organization requesting the certificate.
Common Name (CN)         | The FQDN you wish to secure with the certificate (e.g. example.com). Modern browsers ignore the CN and match the hostname against the Subject Alternative Name (SAN) extension, so add -addext "subjectAltName=DNS:example.com" (OpenSSL 1.1.1 or newer) to the command above, or the lock will not appear even where the certificate is trusted.
Email Address            | Also prompted by the default configuration; optional, but if you fill it in it ends up in the certificate too.
Certificate Fields

Everything you type here ends up in the certificate, readable by anyone who connects, so do not put anything confidential in these fields.
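The whole procedure above, as an added example that is not code from the original post: it builds the self-signed certificate non-interactively (subject fields and the hostname example.test are placeholders), adds the Subject Alternative Name browsers require, and then runs the checks you would do before deploying it: that the key really matches the certificate, that the SAN is there, and that the certificate verifies against itself. It assumes OpenSSL 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate with a SAN, plus the sanity checks to run before deploying it.
# Assumes OpenSSL 1.1.1+; "example.test" and the subject are placeholders.
set -eu

# make_selfsigned DIR HOST [BITS] [DAYS]
# Writes DIR/key.pem and DIR/cert.pem. -nodes leaves the key unencrypted so a
# server can start unattended; rely on file permissions (chmod 600) instead.
make_selfsigned() {
  dir=$1; host=$2; bits=${3:-4096}; days=${4:-365}
  mkdir -p "$dir"
  openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
    -subj "/C=IT/ST=Lazio/L=Rome/O=Example Org/OU=IT/CN=$host" \
    -addext "subjectAltName=DNS:$host,DNS:www.$host" 2>/dev/null
  chmod 600 "$dir/key.pem"
}

# key_matches_cert DIR -> prints "match" or "MISMATCH".
# The public key inside the certificate must be the one derived from key.pem;
# a wrong pairing is the classic reason a web server refuses to start.
key_matches_cert() {
  k=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null)
  if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# cert_san FILE -> prints the SAN list, e.g. "DNS:example.test, DNS:www.example.test"
# (empty output means the certificate has no SAN and browsers will reject it).
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_is_self_signed FILE -> exit 0 if the certificate verifies against itself
cert_is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

main() {
  work=$(mktemp -d)
  make_selfsigned "$work" example.test 4096 365
  echo "key/cert pairing: $(key_matches_cert "$work")"
  echo "SAN: $(cert_san "$work/cert.pem")"
  if cert_is_self_signed "$work/cert.pem"; then
    echo "self-signed: verifies against itself"
  fi
  # Subject, expiry and the SHA-256 fingerprint: the fingerprint is what you
  # hand to colleagues so they can confirm they are trusting the right file.
  openssl x509 -in "$work/cert.pem" -noout -subject -enddate -fingerprint -sha256
  rm -rf "$work"
}
main
```

The fingerprint printed at the end is the one piece of information worth sharing out of band for a self-signed certificate: a client that has been told the fingerprint can check it before adding the certificate to its trust store.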

Keys and Certificates

Why do we need a key? Can't we just generate a certificate? Since we are talking about how to use OpenSSL to create certificates, we should say a few words on why we need keys. In the end, we are going through all this trouble to protect the traffic between our website and its users. That requires two things: confidentiality, so that nobody else can read the traffic, and authentication, so that users know they are really talking to your website. Keys and certificates are about the second one. If you have a server running example.com, you want only your server to be able to prove it is example.com. Any other server should not be able to do that.

And that's when the key enters the picture. A key pair has a private half, which you (and thus your servers) are the only ones to know and never share with anyone, and a public half, which is what the certificate contains. During the TLS handshake the server proves that it holds the private key matching the certificate it presented, by signing handshake data with it; only then do both sides derive the session keys that actually encrypt the traffic. So the private key is not used to encrypt your pages, it is used to claim the identity described in the certificate. If you lose the key, the certificate is worthless; if someone steals it, they can impersonate you until you revoke the certificate and issue a new one with a fresh key. You share your certificate with the world to prove your identity, and you keep the key.

In this way, you don't tie yourself to IP addresses. You can move the certificate anywhere, as long as you move the key with it (and protect it wherever it lands).
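What "claiming the identity with the key" means in practice, as an added example that is not code from the original post: the private key signs, anyone holding the matching public key (the part a certificate carries) can verify, and a modified message or a different key fails verification. The message text is constructed for the demo; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): proof of possession of a private
# key via sign/verify, which is what a TLS server does during the handshake.
# Assumes OpenSSL 1.1.1+; the messages are constructed for the demo.
set -eu

# make_keypair DIR [BITS] -> DIR/key.pem (private, keep secret) and
# DIR/pub.pem (public, shareable: this is what ends up inside a certificate)
make_keypair() {
  dir=$1; bits=${2:-4096}
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
    -out "$dir/key.pem" 2>/dev/null
  chmod 600 "$dir/key.pem"
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"
}

# sign_file KEY FILE SIG: SHA-256 digest of FILE, signed with the private key
sign_file() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB FILE SIG -> prints "valid" or "INVALID"
verify_file() {
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo INVALID
  fi
}

main() {
  work=$(mktemp -d)
  make_keypair "$work" 2048           # the legitimate server's key pair
  make_keypair "$work/other" 2048     # an impostor's key pair
  printf 'I am example.com\n' > "$work/msg"
  sign_file "$work/key.pem" "$work/msg" "$work/msg.sig"
  echo "genuine key, untouched message: $(verify_file "$work/pub.pem" "$work/msg" "$work/msg.sig")"
  printf 'I am example.com!\n' > "$work/msg2"
  echo "genuine key, altered message:   $(verify_file "$work/pub.pem" "$work/msg2" "$work/msg.sig")"
  sign_file "$work/other/key.pem" "$work/msg" "$work/msg.sig2"
  echo "impostor key, same message:     $(verify_file "$work/pub.pem" "$work/msg" "$work/msg.sig2")"
  rm -rf "$work"
}
main
```

Only the first line comes out "valid". The impostor can copy your certificate (it is public) but cannot produce a signature that verifies against the public key inside it, which is exactly why the private key must never leave your servers.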

Introducing the CSR

The CSR is the cherry on the cake. As we said before, self-signed certificates have only limited use. You want a certificate signed by a CA, but to get one you need to make a request. Furthermore, the request must be bound to your key, without actually sharing the key. How do you do that? With a CSR, a Certificate Signing Request.

That's right, the CSR is just what the name says. It is a piece of text that you can give to any CA, and it basically says "Hey, sign this certificate for me please". It contains your public key and the subject details, and it is signed with your private key, so the CA can check that you hold the key without ever seeing it. Creating one is very simple: it is the same command we used before, minus -x509. The .csr extension of the output file is just a convention; dropping the option is what changes the output from a certificate to a request. So, the command will look like this.

openssl req -newkey rsa:4096 -keyout key.pem -out request.csr

Now we don't need to specify the days: the validity period is something the CA chooses, not us. Most importantly, we must not pass -x509, otherwise we would generate a self-signed certificate instead of a request. Now, you can provide this CSR file to a CA, which will check that you control the name in it and send a certificate back, after paying a fee (or for free, with some CAs). Then, you can install it in any web server by providing both key and certificate, usually together with the CA's intermediate certificate so that clients can build the chain.

Decoding a CSR

If you open the CSR file, you will see some unreadable text. However, that's just unreadable to humans: it is a Base64-encoded (PEM) request, and the CA can decode it and generate a certificate accordingly. With OpenSSL, you can also check what your CSR contains and that its signature is valid before sending it. This is as simple as providing the file name to the following command (in our case the file is request.csr).

openssl req -in request.csr -noout -text -verify

The command prints the decoded request, including the subject details like OU and CN, the public key and any requested extensions such as the SAN, followed by a "verify OK" line confirming the request's signature. Note that -noout on its own prints nothing: it only suppresses the encoded request, so you need -text to see the decoded content.
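The CSR round trip, as an added example that is not code from the original post: it creates the request non-interactively (hostname example.test and subject fields are placeholders), decodes and verifies it, and then plays the CA with a throwaway local CA so the whole flow runs offline; the local CA stands in for the public CA you would really submit to. It also shows a pitfall the page does not cover: openssl x509 -req ignores the extensions requested in the CSR unless you re-state them with -extfile, so a naively signed certificate comes back without the SAN. It assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): CSR creation, decoding and a
# local signing round trip with a throwaway CA standing in for a real one.
# Assumes OpenSSL 1.1.1+; names and subject fields are placeholders.
set -eu

# make_csr DIR HOST [BITS] -> DIR/key.pem (stays with you) and
# DIR/request.csr (the only thing that goes to the CA)
make_csr() {
  dir=$1; host=$2; bits=${3:-4096}
  mkdir -p "$dir"
  openssl req -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$dir/key.pem" -out "$dir/request.csr" \
    -subj "/C=IT/O=Example Org/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/key.pem"
}

# csr_verify FILE -> exit 0 if the CSR's own signature checks out, i.e. whoever
# produced it holds the private key matching the public key inside it
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# san_of FILE -> SAN list from a CSR ("Requested Extensions") or a certificate
san_of() {
  if [ "${1##*.}" = csr ]; then
    openssl req -in "$1" -noout -text 2>/dev/null
  else
    openssl x509 -in "$1" -noout -text 2>/dev/null
  fi | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# make_ca DIR -> throwaway CA key and self-signed CA certificate
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" \
    -subj "/CN=Throwaway Test CA" 2>/dev/null
}

# ca_sign CADIR CSR OUT [SAN]
# Without SAN the CSR's requested extensions are dropped (x509 -req default);
# with SAN="DNS:host" they are re-stated through -extfile.
ca_sign() {
  cadir=$1; csr=$2; out=$3; san=${4:-}
  if [ -n "$san" ]; then
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" > "$cadir/ext.cnf"
    openssl x509 -req -in "$csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca-key.pem" \
      -CAcreateserial -days 90 -sha256 -out "$out" -extfile "$cadir/ext.cnf" 2>/dev/null
  else
    openssl x509 -req -in "$csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca-key.pem" \
      -CAcreateserial -days 90 -sha256 -out "$out" 2>/dev/null
  fi
}

# chain_ok CAFILE CERT -> exit 0 if CERT chains to CAFILE
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

main() {
  work=$(mktemp -d)
  make_csr "$work" example.test 2048
  if csr_verify "$work/request.csr"; then echo "CSR signature: OK"; fi
  openssl req -in "$work/request.csr" -noout -subject
  echo "CSR requests SAN: $(san_of "$work/request.csr")"
  make_ca "$work/ca"
  ca_sign "$work/ca" "$work/request.csr" "$work/naive.pem"
  echo "signed without -extfile, SAN: '$(san_of "$work/naive.pem")'"
  ca_sign "$work/ca" "$work/request.csr" "$work/leaf.pem" "DNS:example.test"
  echo "signed with -extfile, SAN: '$(san_of "$work/leaf.pem")'"
  if chain_ok "$work/ca/ca.pem" "$work/leaf.pem"; then echo "leaf.pem chains to ca.pem"; fi
  rm -rf "$work"
}
main
```

A real CA decides on its own which requested extensions it honours, which is why you should always decode the certificate you get back (openssl x509 -noout -text) and confirm the SAN matches every hostname you intend to serve before installing it.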

Wrapping it up

In this post, we saw how to use OpenSSL. We created a self-signed certificate and a CSR, and then we decoded it. With those basic skills, you are ready to work with certificates in any environment, and you have the tool to go deeper. What do you think about OpenSSL and this process of generating certificates? Let me know in the comments.

Bonus: Self-signed certificates are free, but worthless to the public. CA-signed certificates are trusted, but may cost something. What if I want a valid free certificate? You actually have a few options: Let's Encrypt issues browser-trusted certificates for free through the ACME protocol, and if you are setting up a website the easiest way can be Cloudflare, which terminates HTTPS for you, so you get a CDN plus HTTPS for free. One caveat with that route: the certificate Cloudflare presents covers only the browser-to-Cloudflare leg, so configure the Cloudflare-to-origin connection to use TLS as well (the "Full (strict)" mode, with a certificate installed on your origin server), otherwise that leg travels in plain text. Just read this guide on how to set up your CDN with Cloudflare.


Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

2019-11-14T16:30:55+00:00

Networking