• To generate an RSA key:

openssl genrsa -out <filename to save key to> <bitstrength of key>
e.g. to generate a 4096-bit key and save it to “private.key”, run the following command: openssl genrsa -out private.key 4096

  • To generate an Elliptic Curve key:

openssl ecparam -out <filename to save key to> -name <curve to use> -genkey

e.g. to generate a key using the secp521r1 curve (NIST curves seem to be supported by more TLS-enabled applications), run the following command: openssl ecparam -out wildcard.fishbowl.lan.key -name secp521r1 -genkey

  • To generate a CSR (aka Certificate Signing Request) from a key:

openssl req -sha256 -new -key <key filename> -out <csr filename>
It is recommended to use -sha256, as -sha1 (default setting) is no longer considered secure.
Example command is: openssl req -new -sha256 -key private.key -out private.csr

  • To sign a CSR with your CA (Certificate Authority) certificate:

openssl ca -keyfile <CA certificate key file> -cert <CA public certificate file> -notext -md sha512 -days <validity length, usually multiples of 365> -in <CSR file> -out <public certificate file>
It is recommended to use -md sha512 for security purposes
Example command is: openssl ca -keyfile rootCA.key -cert rootCA.crt -notext -md sha512 -days 730 -in private.csr -out public.crt

Sidenote: to use a section of your openssl.conf to, for instance, create an intermediate certificate, include the parameter “-extensions v3_intermediate_ca”

  • To generate a self-signed CA certificate from your CSR (used to sign your other certificates):

openssl req -new -x509 -days <length of validity> -key <keyfile> -out <CA certificate file>
It is recommended to specify a long duration for -days since once your root CA certificate becomes invalid, so do all the certificates it was used to sign.
Example command is: openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt

  • To convert a separate x509 PEM-encoded certificate and key file into a single file in PKCS12/PFX format (for instance, for client certificate authentication purposes):

openssl pkcs12 -export -out <PFX file> -inkey <Private key file> -in <Public certificate file> -certfile <CA file used to sign original public certificate>
Example command is: openssl pkcs12 -export -out client-auth.pfx -inkey private.key -in public.crt -certfile rootCA.crt

  • To check the information in a certificate file:

openssl x509 -in <certificate file> -text -noout
This will display all the certificate information in the terminal. Hopefully no example command is needed.
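
The commands above, chained into one non-interactive run, as an added example that is not part of the original page. `openssl ca` needs a configuration with a certificate database, a serial file and a policy section before it will sign anything, so the script writes a minimal one; the file layout, subject names and PFX password are constructed for illustration.

```shell
#!/bin/sh
# Added example: key -> CA cert -> CSR -> signed cert -> PFX; all names constructed.
set -eu
umask 077                         # private keys readable by the owner only
build_test_pki() {
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty certificate database for `openssl ca`
    echo 1000 > "$dir/serial"     # first serial number to issue (hex)
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
serial = serial
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    (
        cd "$dir"
        # Root CA: RSA key plus a self-signed certificate marked CA:TRUE.
        openssl genrsa -out rootCA.key "$bits"
        openssl req -new -x509 -sha256 -days 3650 -config ca.cnf -extensions v3_ca \
            -subj "/CN=Example Test Root CA" -key rootCA.key -out rootCA.crt
        # Leaf: elliptic curve key and a CSR for it.
        openssl ecparam -out private.key -name secp521r1 -genkey
        openssl req -new -sha256 -config ca.cnf -subj "/CN=host.example.test" \
            -key private.key -out private.csr
        # Sign the CSR with the CA; -batch answers the confirmation prompts.
        openssl ca -config ca.cnf -batch -keyfile rootCA.key -cert rootCA.crt \
            -notext -md sha512 -days 730 -in private.csr -out public.crt
        # Bundle key, certificate and CA into a PFX; the password is a placeholder.
        openssl pkcs12 -export -out client-auth.pfx -passout pass:example-only \
            -inkey private.key -in public.crt -certfile rootCA.crt
        # Fail the run unless the issued certificate chains to the CA.
        openssl verify -CAfile rootCA.crt public.crt >/dev/null
    )
}
PKI_DIR=${PKI_DIR:-$(mktemp -d)}
build_test_pki "$PKI_DIR"
```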