Written on 12/12/2010, translated on 01/05/2015.
OpenSSL is the ultimate tool for encrypting, decrypting and authenticating files, text and more.
Why SSL Certificates
Even if a communication is encrypted, you cannot be sure of your correspondent's identity.
This is where Certificate Authorities come in. A CA holds a private key with which it signs the certificates it issues to you.
As a result, you end up with a personal certificate (matching your own private key) signed by a trusted authority.
In Firefox, the root certificates (CAs) are listed under
Tools / Options / Advanced / Display certificates / Authorities
To generate a private key, use the following command:
openssl genrsa -des3 -out privatekey.pem 1024
genrsa: the command that generates an RSA key
des3: encrypt the key file with Triple DES (3DES); the key itself is RSA
out: the filename to write the key to
1024: the size of the key in bits (the default is 512)
OpenSSL will prompt for a passphrase with which to encrypt the key.
You can display your generated key with:
openssl rsa -in privatekey.pem
Certificate Authority generation
Issue the CA certificate with the following command:
openssl req -new -x509 -days 3650 -key privatekey.pem -out cacert.crt
Fill the form (country, name, email...).
req: the certificate request command
new: create a new certificate request
x509: output a self-signed certificate instead of a certificate signing request (the request is what a client sends to a CA)
days: the number of days the certificate is valid
key: the private key to use
out: the filename to write the certificate to
Much the same command as in the previous section, but without
openssl req -new -days 3650 -key mysecondprivatekey.pem -out mycert.csr
Signing a certificate
openssl x509 -req -in mycert.csr -out mycert.crt -CA cacert.crt -CAkey privatekey.pem -CAcreateserial -days 3650
x509: the certificate management command
CA: the certificate of the Authority doing the signing
CAkey: the CA's private key
CAcreateserial: create the CA's serial-number file if it does not exist yet
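The whole procedure on this page, from the CA key to the signed certificate, as an added shell script that is not part of the original post. It runs without prompts (-subj, -passout, -passin), uses 2048-bit keys and -aes256 where the page uses 1024 bits and -des3, and finishes with the openssl verify check the page does not show; the passphrases and names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the page): runs the page's key -> CA -> CSR -> signed
# certificate flow without prompts in a scratch directory, then verifies it.
# Assumptions that differ from the page's commands: 2048-bit keys and -aes256
# in place of 1024-bit keys and -des3; -subj/-passout/-passin instead of the
# interactive form; constructed passphrases and names.
set -eu

CA_PASS="constructed-ca-passphrase"
LEAF_PASS="constructed-leaf-passphrase"

# Builds the CA, the CSR and the signed certificate; returns 0 only when the
# signed certificate verifies against the CA and names it as issuer.
make_ca_and_sign() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 127; }
    start=$(pwd); work=$(mktemp -d); cd "$work"

    # 1. CA private key, encrypted with a passphrase (the page's genrsa step).
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out privatekey.pem 2048 2>/dev/null

    # 2. Self-signed CA certificate: -x509 turns the request into a certificate.
    openssl req -new -x509 -days 3650 -key privatekey.pem -passin "pass:$CA_PASS" \
        -subj "/C=XX/O=Example CA/CN=Example Root CA" -out cacert.crt

    # 3. Second key and a plain signing request (no -x509). -days is omitted
    #    here because it only applies when a certificate is produced.
    openssl genrsa -aes256 -passout "pass:$LEAF_PASS" -out mysecondprivatekey.pem 2048 2>/dev/null
    openssl req -new -key mysecondprivatekey.pem -passin "pass:$LEAF_PASS" \
        -subj "/C=XX/O=Example Org/CN=server.example.test" -out mycert.csr

    # 4. Sign the request with the CA key; -CAcreateserial writes cacert.srl.
    openssl x509 -req -in mycert.csr -out mycert.crt -CA cacert.crt -CAkey privatekey.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -days 3650 2>/dev/null

    # 5. Checks the page stops short of: the chain verifies, the serial file
    #    exists, and the leaf's issuer is the CA's subject.
    openssl verify -CAfile cacert.crt mycert.crt >/dev/null
    [ -s cacert.srl ]
    issuer=$(openssl x509 -in mycert.crt -noout -issuer)
    case "$issuer" in
        *"Example Root CA"*) ;;
        *) echo "unexpected issuer: $issuer" >&2; cd "$start"; return 1 ;;
    esac
    cd "$start"; rm -rf "$work"
    echo "signed certificate verifies against the CA"
}

make_ca_and_sign
```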