Have you ever heard about SSL certificates? If not, you have used them for sure. In fact, in July 2018 Google started to consider HTTP sites as non-secure. Since the 24th of July 2018, Google Chrome has shown a warning to users visiting HTTP sites. As a result, sites served over HTTPS now show a tiny green lock near their URL. That lock simply means the website has an SSL certificate to secure the connection. And that’s when OpenSSL enters the picture. OpenSSL is a powerful toolkit to create and manage certificates. In this post, we will see how to use OpenSSL to create our first certificate.
How to use OpenSSL
Installing OpenSSL on Windows
Before we start working on how to use OpenSSL, we need to install it first. Doing so is very simple, even on Windows. First, we need to download the OpenSSL binaries, and we can do that from the OpenSSL wiki. Or, take this direct download. In both cases, you will download an executable file you need to run. This is a simple visual setup that you can finish by clicking Next until it completes. However, you need to remember the folder where you install OpenSSL.
Once you have finished the install, we need to add OpenSSL to our PATH environment variable. While not required, this is very helpful in day-to-day work. By doing so, you can run OpenSSL from anywhere in your command prompt. Open the Start menu and search for Edit the system Environment Variables; a dialog will appear. In it, click on Environment Variables, select Path from the list on top, and click “Edit”. Now, click New on the right and type the path to your OpenSSL bin folder in the new text row that appears. Once done, click OK on each dialog to apply the change.
For example, I have installed OpenSSL in E:\Software\OpenSSL, so I will have to use E:\Software\OpenSSL\bin. That’s the place where openssl.exe is. Now, you can open your command prompt and simply type openssl to launch the OpenSSL terminal. We are ready to start to see how to use OpenSSL.
Making your first self-signed certificate
How to use OpenSSL to create a self-signed certificate? It is very easy, and it takes only one command. But before we do that, it is worth mentioning that a self-signed certificate is almost useless on the public Internet. In fact, a certificate is the way a computer states its verified identity. With a self-signed certificate, you vouch for your own identity. Unsurprisingly, nobody will trust you, and web browsers will still show the non-secure message.
What is the purpose of self-signed certificates then? Of course, you can use them for tests. However, they can also have a valid role in an internal environment that is not exposed to the Internet. The opposite of a self-signed certificate is a certificate signed by a Certificate Authority (CA). That’s a third party that most people and systems trust.
Here is the command to generate your certificate.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Unfolding the command
This will create a new key and a certificate from it. We will cover what keys and certificates are in a minute, but for now we should limit ourselves to analyzing the command, piece by piece.
- req: tells OpenSSL we want to request a certificate.
- -x509: is the standard we are going to apply to our certificate. As X.509 is the well-known standard for public certificates, we should always use this one.
- -newkey rsa:4096: tells OpenSSL we want to create a new key file, generated with RSA and 4096 bits long.
- -keyout key.pem: identifies the file that will store the key once we have created it.
- -out cert.pem: defines the output file that will contain the certificate.
- -days 365: specifies how many days the certificate will be valid.
This command will ask for some input. First of all, a passphrase for the key file: as the key file is crucial and private, you must have a passphrase to open it. Then, it will ask for details about the certificate, as listed in the table below.
Field | Description |
---|---|
Country Name | The country code of the country where the organization requesting the certificate resides. |
State or Province | The state or province where the organization requesting the certificate resides. |
Locality | Typically the city. |
Organization Name | Name of the organization requesting the certificate (e.g. company name). |
Organizational Unit (OU) | The department within the organization requesting the certificate. |
Common Name (CN) | The FQDN or the name you wish to secure with the certificate (e.g. example.com). |
The information you provide will appear in the certificate.
Keys and Certificates
Why do we need a key? Can’t we just generate a certificate? Since we are talking about how to use OpenSSL to create certificates, we should say a few words on why we need keys. In the end, we are going through all this trouble to encrypt the traffic between our website and its users. Encryption means secrecy and confidentiality. It also means your website, and only it, should be able to claim to be “your website”. In other words, if you have a server running example.com, you want only your server to be able to declare itself as example.com. No other server should be able to do that.
And that’s when the key enters the picture. You (and thus your servers) are the only ones who know the key. You never share it with anyone: it is a private key. With the key, you can claim the identity described in the certificate. If you lose the key, the certificate is worthless. Then, you share your certificate with the world to prove your identity. You encrypt the traffic using the key, and users can be sure it comes from the legitimate owner of the certificate.
In this way, you don’t tie yourself to IP addresses. You can move the certificate anywhere, as long as you move the key with it.
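The self-signed command above and the key/certificate pairing described here, as an added example that is not part of the original post: it generates the pair without the interactive prompts, reads the Common Name back, checks the validity window and confirms that the key and the certificate belong together (the check to run before you "move the key with it"). It assumes OpenSSL 1.1.1 or newer on the PATH (for -addext); the hostname example.internal and the subject fields are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# certificate non-interactively, then checks it. Assumes openssl >= 1.1.1
# on PATH; "example.internal" and the subject fields are placeholders.
set -eu

# Create key.pem and cert.pem in directory $1 for hostname $2.
# -subj replaces the Country/State/.../Common Name prompts.
# -addext adds a Subject Alternative Name: browsers require the SAN today,
#   the CN alone is not enough.
# -nodes leaves the key unencrypted (no passphrase) so a service can load it
#   unattended; rely on file permissions to protect it in that case.
make_self_signed() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 600 "$dir/key.pem"   # the key is private: owner read/write only
}

# Print the subject Common Name of certificate $1 (e.g. "example.internal").
# CN is the last subject component, so strip everything up to "CN=".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed only if private key $1 matches certificate $2: derive the DER
# public key from each and compare their SHA-256 digests.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Succeed if certificate $1 stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Stand-alone run: build the pair in a scratch directory and report.
work=$(mktemp -d)
make_self_signed "$work" example.internal
echo "CN: $(cert_cn "$work/cert.pem")"
key_matches_cert "$work/key.pem" "$work/cert.pem" && echo "key and certificate match"
cert_valid_for "$work/cert.pem" 86400 && echo "valid for at least one more day"
```

If key_matches_cert fails after you copied files between servers, you copied a key that does not belong to that certificate; the certificate is then "worthless" in exactly the sense the post describes.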
Introducing the CSR
The CSR is the cherry on the cake. As we said before, self-signed certificates have only a limited use. You want a certificate signed by a CA, but to get one you need to make a request. Furthermore, you need to bind it to your key without actually sharing the key. How do you do that? With a CSR, a Certificate Signing Request.
That’s right, the CSR is just what the name says. It is a piece of text that you can give to any CA, and it basically says “Hey, sign this certificate for me please”. Creating one is very simple: you can use the same command we used before. However, we now change the output from a .pem file to a .csr file. So, the command will look like this.
openssl req -newkey rsa:4096 -keyout key.pem -out request.csr
Now we don’t need to specify the days. That’s because it is something the CA will choose, not us. Most importantly, we don’t need to provide -x509; otherwise we would generate a certificate instead of a request. Now, you can provide this CSR file to any CA and get a certificate back after paying a fee. Then, you can install it in any web server by providing both key and certificate.
Decoding a CSR
If you open the CSR file, you will see some unreadable text. However, that’s just unreadable to humans. In fact, the CA can read it and generate a certificate accordingly. With OpenSSL, you can also check what your CSR contains. This is as simple as providing the file name to the following command (in our case the file is request.csr). Note the -text flag: with -noout alone the command prints nothing.
openssl req -in request.csr -noout -text
The command will show you the information in the request, including details like the OU and CN.
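The CSR workflow from these two sections, as an added example that is not part of the original post: it builds the request without prompts, decodes it, and checks two things you want to know before handing it to a CA, namely that the request's own signature verifies and that the file carries no private key material. It assumes OpenSSL 1.1.1 or newer on the PATH; www.example.com and the subject fields are constructed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates and inspects a
# CSR non-interactively. Assumes openssl >= 1.1.1 on PATH; the hostname and
# subject fields are placeholders.
set -eu

# Create key.pem and request.csr in directory $1 for hostname $2.
# No -x509 and no -days: the CA, not us, decides the validity period.
# -nodes skips the key passphrase; drop it if you want the key encrypted.
make_csr() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/request.csr" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 600 "$dir/key.pem"
}

# Human-readable dump of request $1: subject, public key, requested
# extensions. Without -text, "openssl req -in ... -noout" prints nothing.
decode_csr() {
    openssl req -in "$1" -noout -text
}

# Print the Common Name request $1 asks for.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed if the CSR's self-signature verifies: it was produced by the
# holder of the private key and was not altered on the way to the CA.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeed only if file $1 contains no private key block. The CSR is what
# leaves your machine; key.pem never does.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_csr "$work" www.example.com
decode_csr "$work/request.csr"
echo "requested CN: $(csr_cn "$work/request.csr")"
csr_signature_ok "$work/request.csr" && echo "request signature: OK"
csr_has_no_private_key "$work/request.csr" && echo "no private key in CSR: OK"
```

The decoded output lists the SAN under "Requested Extensions"; a CA may honour or ignore requested extensions, so check the certificate you get back with openssl x509 -text as well.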
Wrapping it up
In this post, we saw how to use OpenSSL. We created a self-signed certificate and a CSR, and then we decoded the CSR. With those basic skills, you are ready to work with certificates in any environment, and you have the tool to go deeper. What do you think about OpenSSL and this process of generating certificates? Let me know in the comments.
Bonus: Self-signed certificates are free, but worthless to the public. CA-signed certificates are valid, but may cost something. What if I want a valid free certificate? You actually have a few options, but if you are setting up a website the best way can be Cloudflare. You will get a CDN plus HTTPS for free. Just read this guide on how to set up your CDN with Cloudflare.