Written on 12/12/2010, translated on 01/05/2015.

OpenSSL is the ultimate tool to encrypt, decrypt and authenticate files, text...

Why SSL Certificates

Even if a communication is encrypted, you cannot be sure of your correspondent's identity.

This is where Certificate Authorities (CAs) come in. A CA owns a private key, which it uses to validate (sign) the certificates you ask it to issue.

As a result, you get a personal certificate (matching your private key) signed by a trusted authority.

In Firefox, you can see the root certificates (CAs) under

Tools / Options / Advanced / Display certificates / Authorities

Generating certificates

Private key

Use the following command:

openssl genrsa -des3 -out privatekey.pem 1024

OpenSSL will prompt for a passphrase to encrypt the key.

You can display your generated key with:

openssl rsa -in privatekey.pem

Certificate Authority generation

Issue the CA certificate with the following command:

openssl req -new -x509 -days 3650 -key privatekey.pem -out cacert.crt

Fill in the form (country, name, email...).

Certificate request

Almost the same command as in the previous section, but without -x509:

openssl req -new -days 3650 -key mysecondprivatekey.pem -out mycert.csr

Signing a certificate

openssl x509 -req -in mycert.csr -out mycert.crt -CA cacert.crt -CAkey privatekey.pem -CAcreateserial -days 3650
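
The four steps above, run without prompts and then checked, as an added example that is not part of the original article: it confirms that mycert.crt chains to cacert.crt and that it carries the public half of mysecondprivatekey.pem. Assumptions: the subject names and the throwaway passphrase are constructed for the demo, keys are 2048-bit because 1024-bit RSA is no longer considered adequate, and -days is dropped from the request step since it only applies together with -x509.

```shell
#!/bin/sh
# Added example: the page's four steps run non-interactively, then verified.
# Assumptions: subject names, 2048-bit keys and the throwaway passphrase are
# constructed for this demo; file names are the ones used on the page.
DEMO_PASS='constructed-demo-passphrase'; export DEMO_PASS

# make_chain DIR: create CA key, CA cert, second key, CSR and signed cert in DIR.
# -passin/-passout env: and -subj replace the interactive prompts.
make_chain() (
    cd "$1" || exit 1
    openssl genrsa -des3 -passout env:DEMO_PASS -out privatekey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key privatekey.pem -passin env:DEMO_PASS \
        -subj "/CN=Demo Root CA" -out cacert.crt &&
    openssl genrsa -des3 -passout env:DEMO_PASS -out mysecondprivatekey.pem 2048 2>/dev/null &&
    openssl req -new -key mysecondprivatekey.pem -passin env:DEMO_PASS \
        -subj "/CN=demo.example" -out mycert.csr &&
    openssl x509 -req -in mycert.csr -out mycert.crt -CA cacert.crt \
        -CAkey privatekey.pem -passin env:DEMO_PASS -CAcreateserial -days 3650 2>/dev/null
)

# chain_ok CAFILE CERT: succeeds only if CERT verifies against the CA in CAFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: succeeds only if CERT carries the public half of KEY.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:DEMO_PASS -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a scratch directory that is removed afterwards.
demo_dir=$(mktemp -d) && make_chain "$demo_dir" &&
    chain_ok "$demo_dir/cacert.crt" "$demo_dir/mycert.crt" &&
    key_matches "$demo_dir/mycert.crt" "$demo_dir/mysecondprivatekey.pem" &&
    echo "mycert.crt chains to cacert.crt and matches mysecondprivatekey.pem"
rm -rf "$demo_dir"
```

Passing the passphrase through an environment variable keeps it out of the process list; for real keys, let OpenSSL prompt for it as the commands above do.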