OpenSSL 101: A Fun Guide to Creating Certificates, Keys, and More! (CSR, PFX, PEM)


If you’ve ever wanted to feel like a tech wizard, creating SSL keys with OpenSSL is one of those cool tricks that make you look like you know all the secrets of the internet. Let’s make it simple, fun, and sprinkle in some extra magic tricks along the way!

Step 1: Casting the CSR Spell

First, let’s create a CSR (Certificate Signing Request) and a private key in just one line:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Boom! Now you’ve got two things:

  • yourdomain.key – This is your private key. The -nodes option writes it to disk unencrypted, so keep it safe.
  • yourdomain.csr – This is your CSR, which you’ll send to a Certificate Authority (CA) to get an SSL certificate.

When you run the command, OpenSSL will prompt you for some information to include in the CSR. Here’s what you’ll need to fill out:

  • Country Name (C): The two-letter country code (e.g., MU for Mauritius).
  • State or Province Name (ST): Your region or state.
  • Locality Name (L): Your city or town.
  • Organization Name (O): Your company name, or just a fun name if it’s personal.
  • Organizational Unit (OU): This is optional. You can leave it blank if you want.
  • Common Name (CN): The most important one! This is usually your domain name (e.g., exampledomain.com).

You’ll also be prompted for an email address, a challenge password, and an optional company name. All of those can be left blank!

Step 2: How to Verify if a Private Key Matches a Certificate

Want to double-check if your private key and certificate are a match made in encryption heaven? Run these two commands:

openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in privkey.txt | openssl md5

If the two hashes are identical, your key and cert are best buds! (This modulus comparison applies to RSA keys, which is what Step 1 generated.)
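
The modulus check above only works for RSA. As an added example (not from the original post), the script below compares the full public key of the key, certificate and optional CSR, so the same check also covers EC keys. The function names pubkey_hash and same_keypair and the throwaway sample files are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare public keys instead of RSA moduli (works for RSA and EC).
# pubkey_hash and same_keypair are hypothetical helper names.

pubkey_hash() {            # usage: pubkey_hash key|cert|csr FILE
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout)        || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # Normalise to DER before hashing so PEM whitespace cannot cause a mismatch.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

same_keypair() {           # usage: same_keypair KEY CERT [CSR]
    local k c r            # returns 0=match, 1=mismatch, 2=unreadable input
    k=$(pubkey_hash key  "$1") || return 2
    c=$(pubkey_hash cert "$2") || return 2
    [ "$k" = "$c" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(pubkey_hash csr "$3") || return 2
        [ "$k" = "$r" ] || return 1
    fi
}

# --- constructed sample material: throwaway self-signed certs in a temp dir ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT   # do not leave unencrypted demo keys behind
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example" \
    -keyout "$demo/rsa.key" -out "$demo/rsa.crt" 2>/dev/null
openssl req -new -key "$demo/rsa.key" -subj "/CN=rsa.example" -out "$demo/rsa.csr"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$demo/ec.key"
openssl req -x509 -new -key "$demo/ec.key" -days 1 -subj "/CN=ec.example" -out "$demo/ec.crt"

same_keypair "$demo/rsa.key" "$demo/rsa.crt" "$demo/rsa.csr" && echo "RSA key, cert and CSR match"
same_keypair "$demo/ec.key"  "$demo/ec.crt"                  && echo "EC key and cert match"
same_keypair "$demo/ec.key"  "$demo/rsa.crt"                 || echo "EC key vs RSA cert: mismatch"
```

If the private key is passphrase-protected, openssl pkey will prompt for the passphrase before the comparison runs.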

Step 3: More Fun with OpenSSL (For the Overachievers)

Feeling fancy? Here are some extra tricks you can do with OpenSSL:

  • Convert PEM + Key to PFX:
openssl pkcs12 -export -in pemexample.pem -inkey private.pkey -out cert.pfx
  • Convert PFX to PEM (cert + chain only):
openssl pkcs12 -in example.pfx -out example-cert-and-chain.pem -nokeys -nodes
  • Extract a Decrypted Key from a PFX:

When extracting the decrypted key, OpenSSL will prompt you for the PFX file’s password. After you provide it, the key is written to the output file unencrypted (that is what -nodes does):

openssl pkcs12 -in example.pfx -nocerts -nodes -out example-decrypted-key.key
  • Convert PFX to CER only:
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.cer
  • Extract the Chain from a PFX:
openssl pkcs12 -in example.pfx -nodes -nokeys -cacerts -out example-chain.pem
  • Decrypt an Encrypted Private Key:

When you run this command to decrypt an encrypted private key, OpenSSL will prompt you for the key’s password:

openssl rsa -in example-encrypted-key.key -out example-decrypted-key.key
  • Convert PFX to PEM (key, cert, and chain):
openssl pkcs12 -in example.pfx -out combined.pem -nodes

Wrapping Up

There you have it—you’re now an OpenSSL pro! Whether you’re generating a CSR, converting files, or verifying certificates, you’ve got a whole toolkit of OpenSSL tricks up your sleeve. Go ahead, secure those servers, and impress everyone with your new skills! 🔒✨

