OpenSSL has been one of the most widely used certificate management and generation pieces of software for much of modern computing.
OpenSSL can also be seen as a complicated piece of software with many options that are often compounded by the myriad of ways to configure and provision SSL certificates.
OpenSSL is usually included in most Linux distributions. In the case of Ubuntu, simply running apt install OpenSSL will ensure that you have the binary available and at the newest version. OpenSSL on Windows is a bit trickier as you need to install a pre-compiled binary to get started.
One such source providing pre-compiled OpenSSL binaries is the following site by SLProWeb. Offering both executables and MSI installations, the recommended end-user version is the Light x64 MSI installation. The default options are the easiest to get started.
Verify that the installation works by running the following command. Note that this command was run in the PowerShell environment (hence the & preceding the command).
& "C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe" version
To make running this command easier, you can modify the path within PowerShell to include the executable $Env:Path = $Env:Path + ";C:\\Program Files\\OpenSSL-Win64\\bin"
There are many different ways to generate certificates, but the use cases that usually come up are the following.
A common server operation is to generate a self-signed certificate. There are many reasons for doing this such as testing or encrypting communications between internal servers. The command below generates a private key and certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt
Let's break down the various parameters to understand what is happening.
Once the certificate has been generated, we should verify that it is correct according to the parameters that we have set.
openssl x509 -in certificate.crt -text -noout
The parameters here are for checking an x509 type certificate. The combination allows the certificate to be output in a format that is more easily readable by a person.
The next most common use case of OpenSSL is to create certificate signing requests for requesting a certificate from a certificate authority that is trusted.
openssl req -new -newkey rsa:2048 -nodes -out request.csr -keyout private.key
Similar to the previous command to generate a self-signed certificate, this command generates a CSR. You will notice that the -x509, -sha256, and -days parameters are missing. By leaving those off, we are telling OpenSSL that another certificate authority will issue the certificate. In this case, we are leaving the -nodes option on to not prompt for a password with the private key.
To verify that the CSR is correct, we once again run a similar command but with an added parameter, -verify. This command will validate that the generated CSR is correct. This is a prudent step to take before submitting to a certificate authority.
openssl req -in request.csr -text -noout -verify
OpenSSL is a complex and powerful program. Although this article just scratches the surface of what can be done, these are common and important operations that are generally performed by system administrators. There is much more to learn, but with this as a starting point, an IT professional will have a great foundation to build on!
Adam Bertram is a 20-year veteran of IT. He’s currently an automation engineer, blogger, independent consultant, freelance writer, author, and trainer. Adam focuses on DevOps, system management, and automation technologies as well as various cloud platforms. He is a Microsoft Cloud and Datacenter Management MVP and efficiency nerd that enjoys teaching others a better way to leverage automation.
Let our experts teach you how to use Sitefinity's best-in-class features to deliver compelling digital experiences.
Learn MoreSubscribe to get all the news, info and tutorials you need to build better business apps and sites