BestHub
Sign in
Information Security 4 min read

How to Generate SSL/TLS Certificates with OpenSSL: Step‑by‑Step Guide

This guide explains how to use OpenSSL to create private keys, certificate signing requests, and signed SSL/TLS certificates, covering key generation, password removal, PEM creation, extension configuration, and the final issuance of server.crt and server.key files.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
How to Generate SSL/TLS Certificates with OpenSSL: Step‑by‑Step Guide

Tool Introduction

OpenSSL is an implementation tool for the SSL/TLS protocol.

key is a private key file used to encrypt data sent to the client and decrypt data received from the client.

csr is a Certificate Signing Request file submitted to a Certificate Authority (CA) for certificate signing.

crt is the certificate signed by the CA or a self‑signed certificate, containing the holder’s information, public key, and the signer’s signature.

Operation Steps

1. Generate Certificate

Generate private key

openssl genrsa -des3 -out myCA.key 2048
## openssl genrsa generates an RSA private key; the public key is derived from it
## -des3 specifies the encryption method
## 2048 is the key length
## Adding -nodes disables encryption, avoiding the need to remove the password later

Remove the password from the private key openssl rsa -in myCA.key -out myCA.key Generate PEM file

openssl req -utf8 -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

2. Create CA‑signed Certificate

Generate private key openssl genrsa -out server.key 2048 Create Certificate Signing Request

openssl req -new -key server.key -out server.csr
## Common Name should match the domain name to avoid browser warnings

Create an extension configuration file

cat > server.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com # Include the domain name here because Common Name alone is often ignored
DNS.2 = www.sougou.com # Optional additional domain
IP.1 = 192.168.1.1  # Optional IP address if needed
EOF
## Chrome checks that the current domain appears in the certificate’s subjectAltName field

Create the signed certificate

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.ext

Resulting certificate files

server.crt

server.key

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

SecurityOpenSSLTLSCertificateSSLcryptography
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment