openssl Reference

Kip Landergren

My cheat sheet for openssl covering key creation, self-signed certificates and helpful documentation links.

Version

The following assumes openssl version 1.1.1.

Common Operations

Generate a self-signed root Certificate Authority

Generate a 2048-bit RSA private key named ca.key:

openssl genrsa -out ca.key 2048

Create a new self-signed root Certificate Authority certificate from ca.key and write it to ca.crt. The command does not encrypt the private key (-nodes), uses a Common Name (CN) of example.com, and reads a custom config file (-config) that contains the v3 extension sections we want, which are selected with -reqexts and -extensions:

openssl req -x509                            \
  -new                                       \
  -key ca.key                                \
  -nodes                                     \
  -subj "/CN=example.com"                    \
  -config /usr/local/etc/openssl/openssl.cnf \
  -reqexts v3_req                            \
  -extensions v3_ca                          \
  -out ca.crt

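Inspect the generated ca.crt as text, for example to confirm its extensions and validity period (the command above passes no -days, so req applies its default of 30 days):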

openssl x509 -in ca.crt \
             -text      \
             -noout

How to Generate a Self-Signed Certificate

openssl req -x509                            \
  -new                                       \
  -newkey rsa:2048                           \
  -keyout path/to/your-new.key               \
  -nodes                                     \
  -days 3650                                 \
  -subj "/CN=example.com"                    \
  -addext "subjectAltName = DNS:example.com" \
  -out path/to/your-new.crt
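
A way to check what the command above produced, as an added example that is not part of the original cheat sheet. It runs the same options in a scratch directory and confirms that the key and certificate belong together, that the SAN covers example.com, and that the validity period is the requested 3650 days. The function names and the new.key / new.crt file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate the cheat sheet's self-signed certificate in a
# scratch directory and check the result. Function names are made up here.

# Same options as the cheat-sheet command; only the output paths differ.
make_selfsigned() {
  ( umask 077   # -nodes leaves the key unencrypted, so restrict file access
    openssl req -x509 -new -newkey rsa:2048 -keyout "$1/new.key" -nodes \
      -days 3650 -subj "/CN=example.com" \
      -addext "subjectAltName = DNS:example.com" \
      -out "$1/new.crt" 2>/dev/null )
}

# True when the certificate carries the public key of the given private key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# True when openssl's own hostname matching accepts host $2 for certificate $1.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# True when certificate $1 is still valid $2 days from now.
cert_valid_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT   # do not leave the unencrypted key behind
make_selfsigned "$dir"
key_matches_cert "$dir/new.key" "$dir/new.crt" && echo "key and certificate match"
cert_covers_host "$dir/new.crt" example.com && echo "SAN covers example.com"
cert_valid_days "$dir/new.crt" 3649 && echo "valid for at least 3649 more days"
```

key_matches_cert works the same way on ca.key and ca.crt from the root CA section.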

Documentation

The man page for openssl is generally a good start.