top of page

Programmers T-shirts

How to create an SSL certificate with OpenSSL

In the last tutorial we went over the basics of SSL certificates

In this tutorial we'll see how we can generate a new certificate - self-signed and CA-signed.

We'll use OpenSSL which is currently the most powerful SSL library out there.

Creation process

How to generate a self-signed certificate

  1. Generate private key.

  2. Generate Certificate Signing Request (CSR).

  3. Sign the CSR using our private key.

How to generate a CA signed certificate

  1. Generate a self-signed certificate and a private key - this will be the CA that will sign our end-user certificate.

  2. Generate private key.

  3. Generate Certificate Signing Request (CSR).

  4. Sign the CSR using the CA's private key.

Note: a CA can be either a local CA that is managed by us or our organization or a global CA, which is managed by an outside company, and is trusted by all browsers and OSs.

In order for global CA to sign our CSR we will need to prove ownership of our domain.

There are a few ways to do so, the most popular ones are: Email, TXT code, HTTP and CNAME.

Generate a self-signed certificate

1. Generate a private key -

openssl genrsa -out private-key.pem 2048

2. Generate CSR

openssl req -new -key private-key.pem -out csr.pem

We will need to provide the following parameters:

a. Country Name: in two digits - e.g us.

b. State or Province Name

c. Locality Name: city

d. Organization Name

e. Organizational Unit Name

f. Common Name: a fully qualified domain name (FQDN), or in other words - the domain, e.g

g. Email Address

3. Sign that CSR

openssl x509 -req -days 365 -in csr.pem -signkey private-key.pem -sha256 -out cert.pem

At this point we should have a cert.pem and a private-key.pem. We need to keep both, while the certificate is a public entity, which we can share with anyone, the private key should remain private and should be kept in a secured place.

BTW, we can generate a self-signed certificate using a single command:

openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -out cert.pem -keyout private-key.pem

Generate a CA-signed certificate

This process shows how to generate a CA signed certificate with Subject Alternative Names.

1. Generate a self-signed certificate - this will be the CA certificate

openssl req -x509 -sha256 -days 720 -nodes -newkey rsa:2048 -out caCert.pem -keyout caKey.pem

2. Generate a private key for the end user certificate

openssl genrsa -out user-private-key.pem 2048

3. Generate CSR for the end user certificate

openssl req -new -key user-private-key.pem -out user-csr.pem

4. Sign the CSR with the CA certificate and CA private key

First we need to create a cnf configuration file with the domains we want our certificate to cover.

Paste the following content in a file name req.cnf

*make sure to put the correct DNS.1 and DNS.2 values.

distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
C = us
ST = califiornia
L = some city
O = some org
OU = example org unit
CN =
subjectAltName = @alt_names
DNS.1 = *
DNS.2 =

Then run the following command

openssl x509 -req -in user-csr.pem -days 365 -CA caCert.pem -CAkey caKey.pem -out user-cert.pem -set_serial 11111 -extensions v3_req -extfile req.cnf

Issue certificate through a global CA

When we need a certificate for the public web (e.g for our website), we must issue it using one of the globally trusted CAs (e.g Let's Encrypt, Digi Cert..).

Usually we will not need to run any OpenSSL commands, sometimes we will be requested to create only the private key and the CSR.

Once we have the CSR we will need to send it to the CA, with the server and the domain information.

Once the CA gets the request, we will need to prove our ownership on the domain.

In the next tutorial we will see how we can parse the content of the certificate and the CSR.


Practical Programming Tutorials for Developers

Work Desk

The SW Developer

The SW Developer was built in order to provide Practical and Simple Tutorials for programmers.

Created by Dotan Raz, Michael Rodov & Kobi Atiya

  • github
  • LinkedIn


Programmers T-shirts

bottom of page