How to Generate SSL/TLS Certificates with OpenSSL – Step‑by‑Step Guide

Tool Introduction

OpenSSL is the implementation tool for the SSL/TLS protocol.

key is the private key file used to encrypt data sent to the client and decrypt data received from the client.

csr is a Certificate Signing Request file submitted to a Certificate Authority (CA) for signing.

crt is the certificate signed by a CA or self‑signed, containing the holder’s information, public key, and the signer’s signature.

Operation Steps

1. Generate Certificate

Generate private key

openssl genrsa -des3 -out myCA.key 2048
## openssl genrsa generates an RSA private key; the public key is derived from it
## -des3 specifies the encryption method
## 2048 sets the key length
## Adding -nodes disables encryption, avoiding the need to remove the password later

Remove the password from the private key openssl rsa -in myCA.key -out myCA.key Generate PEM file

openssl req -utf8 -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

2. Create CA‑signed Certificate

Generate server private key openssl genrsa -out server.key 2048 Create Certificate Signing Request

openssl req -new -key server.key -out server.csr
## Common Name should match the domain name to avoid browser warnings

Create an extension configuration file (server.ext)

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com # include domain name; Common Name alone is often ignored
DNS.2 = www.sougou.com # optional additional domain
IP.1 = 192.168.1.1   # optional IP address if needed

Generate the signed certificate

openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.ext

Resulting certificate files:

server.crt

server.key