OpenSSL is a command-line toolkit for managing certificates and SSL/TLS connections.
In this tutorial you will learn how to create certificates in general: creating your own CA (certificate authority), or creating a CSR (certificate signing request) for a known CA to sign for you.
Every certificate has two parts: the private key and the public certificate. The certificate is used to encrypt data and the private key to decrypt it; that is why it is called a private key, since it is used to read data that was encrypted and sent privately to you or your site.
This private key should never be sent to people you don't trust, never. The certificate is different: it is public, everyone can have it, and your website will readily show it to anyone trying to connect securely.
To know whether a certificate is valid and genuine, it must be signed by an entity called a Certificate Authority, or just CA. This CA is trusted by your browser (or by you) and takes responsibility for vouching for the identity of your site. Put plainly, the CA assures the user that you are who you say you are.
You can also create your own CA to sign your certificates locally; this is widely used inside enterprises and on secondary servers such as mail servers. It should not be used for a public website, except when all your users already know your CA, as when you run an e-commerce site for affiliates who all have your CA installed; otherwise their browsers will say the certificate is invalid and the site is not secure!
To generate a self-signed CA with OpenSSL, use the following commands. ca.key will hold your private CA key and ca.crt your CA certificate; you will have to install this ca.crt in browsers for certificates signed with this key to be accepted:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
To generate a CSR file for a CA to sign later, use the following. client.key holds your private key and client.csr your CSR; you send only the CSR file to the CA, never the client.key file!
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
If you are using an outside CA you can stop here. Otherwise, to sign the certificate with your own CA use the following; client.crt will hold your public certificate. If you are issuing multiple certificates you must give each one a different serial number; in this case it is just 01:
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
If you need to export the certificate together with its private key in PKCS12 format:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
If you need it back in PEM format:
openssl pkcs12 -in client.p12 -out client.pem -clcerts
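The whole flow above (CA, CSR, signing, PKCS12 export) run end to end without interactive prompts, as an added example that is not part of the original tutorial. The subjects, the passphrase and the temporary working directory are constructed for the demo, and the script closes with the checks the tutorial does not show: that the issued certificate verifies against the CA and that it matches the private key it was issued for.

```shell
#!/bin/sh
# Added example (not from the tutorial): the CA -> CSR -> signed cert -> PKCS12
# flow run non-interactively in a temp dir, followed by sanity checks.
# Subjects, the passphrase and the temp directory are constructed for this demo.
set -eu

make_and_verify_cert() {
    work="$(mktemp -d)"
    pass="pass:example-passphrase"   # constructed; keep real passphrases out of scripts

    # 1. Self-signed CA: ca.key stays private, ca.crt is what browsers import.
    openssl genrsa -des3 -passout "$pass" -out "$work/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$work/ca.key" -passin "$pass" \
        -subj "/CN=Example Internal CA" -out "$work/ca.crt"

    # 2. Client key and CSR: only client.csr ever leaves this host.
    openssl genrsa -des3 -passout "$pass" -out "$work/client.key" 4096 2>/dev/null
    openssl req -new -key "$work/client.key" -passin "$pass" \
        -subj "/CN=client.example.test" -out "$work/client.csr"

    # 3. Sign the CSR with the CA. Every certificate a CA issues needs its own
    #    serial; the tutorial's fixed 01 is only acceptable for a single cert.
    openssl x509 -req -days 365 -in "$work/client.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -passin "$pass" -set_serial 01 \
        -out "$work/client.crt" 2>/dev/null

    # 4. Bundle cert + key as PKCS12 (the export step from the tutorial).
    openssl pkcs12 -export -clcerts -in "$work/client.crt" -inkey "$work/client.key" \
        -passin "$pass" -passout "$pass" -out "$work/client.p12"

    # 5. Checks: the cert chains to our CA, and its public key matches the
    #    private key it was issued for (a mismatch means the wrong key was used).
    openssl verify -CAfile "$work/ca.crt" "$work/client.crt" >/dev/null
    cert_mod="$(openssl x509 -noout -modulus -in "$work/client.crt")"
    key_mod="$(openssl rsa -noout -modulus -in "$work/client.key" -passin "$pass")"
    [ "$cert_mod" = "$key_mod" ]

    # Print the issued serial so callers can confirm it is what was requested.
    openssl x509 -noout -serial -in "$work/client.crt"
}
```

Unlike the interactive commands in the tutorial, -subj and -passin/-passout supply the subject and passphrase on the command line, which is convenient for automation but leaves the passphrase in shell history unless it is read from a file or an agent instead.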