OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
Certificate Generation Workflow
1. Generate a Private Key
# Generate a 2048-bit RSA private key
openssl genrsa -out domain.key 2048
# Generate a 4096-bit RSA private key
openssl genrsa -out domain.key 40962. Generate a Certificate Signing Request (CSR)
You will send this CSR to a Certificate Authority (CA) to get your signed certificate.
openssl req -new -key domain.key -out domain.csr3. Generate a Self-Signed Certificate (For Testing)
Generate the key and a self-signed certificate valid for 365 days in one command.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crtViewing and Verifying Certificates
# Check a CSR
openssl req -text -noout -verify -in domain.csr
# Check a Private Key
openssl rsa -in domain.key -check
# Check a Certificate
openssl x509 -in domain.crt -text -nooutVerifying Key/CSR/Cert Match
To ensure your private key, CSR, and certificate all belong together, their modulus hashes must match exactly.
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5Format Conversions
# Convert PEM to DER
openssl x509 -outform der -in domain.pem -out domain.der
# Convert DER to PEM
openssl x509 -inform der -in domain.der -out domain.pem
# Convert PEM to PKCS12 (.pfx or .p12) (Often used by Windows/IIS)
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt -certfile ca-bundle.crtTesting Live Connections
You can use OpenSSL to debug HTTPS connections to a remote server.
# Connect to an HTTPS server and view certificate details
openssl s_client -connect example.com:443
# Check specific protocols (e.g., test if TLS 1.2 is supported)
openssl s_client -connect example.com:443 -tls1_2