Openssl New Key

Openssl pkcs12 -info -in INFILE.p12. In this case, you will be prompted to enter and verify a new password after OpenSSL outputs any certificates, and the private key will be encrypted (note that the text of the key begins with -BEGIN ENCRYPTED PRIVATE KEY-).

  1. Openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem Lets review the command: req activates the part of openssl that deals with certificate requests signing-new generate a new request-newkey generate a new private key; rsa:1024 1024 is the bit length of the private key. Alternative you can use 2048 and 512, for larger.
  2. Openssl req -x509 -new -nodes -key testCA.key -sha256 -days 365 -out testCA.crt -config localhost.cnf -extensions v3ca -subj '/CN=SocketTools Test CA' This tells OpenSSL to create a self-signed root certificate named 'SocketTools Test CA' using the configuration file you created, and the private key that was just generated.
  3. It is recommended to issue a new private key whenever you are generating a CSR. If, for any reason, you need to generate a certificate signing request for an existing private key, use the following OpenSSL command: openssl req -out CSR.csr -key privateKey.key -new Option 3: Generate a CSR for an Existing Certificate and Private Key.

One of the most versatile SSL tools is OpenSSL which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found here.

If you don't want to bother with OpenSSL, you can do many of the same things with our SSL Certificate Tools. Below, we have listed the most common OpenSSL commands and their usage:

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
  • Generate a certificate signing request (CSR) for an existing private key
  • Generate a certificate signing request based on an existing certificate
  • Remove a passphrase from a private key

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
  • Check a private key
  • Check a certificate
  • Check a PKCS#12 file (.pfx or .p12)

Debugging Using OpenSSL

If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
  • Convert a PEM file to DER
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

Originally posted on Sun Jan 13, 2008

OpenSSL is the de-facto tool for SSL on linux and other server systems. It providers both the library for creating SSL sockets, and a set of powerful tools for administrating an SSL enabled website. Following are a few common tasks you might need to perform with OpenSSL.

Generate a certificate request

Obtaining a signed SSL certificate envolves a number of buisness verification procedures and a sumbition of what is called a CSR ('Certificate signing request'). To generate the CSR, execute the following command.

openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out req.pem

Lets review the command:

  • req activates the part of openssl that deals with certificate requests signing
  • -new generate a new request
  • -newkey generate a new private key
  • rsa:1024 1024 is the bit length of the private key. Alternative you can use 2048 and 512, for larger or smaller keys but, please note that the strength of the key should match the type of service your certificate authority is providing to you.
  • -nodes no des, stores the private key without protecting it with a passphrase. While this is not considered to be best practice, many people do not set a passphrase or later remove it, since services with pass phrase protected keys can not be auto-restarted without typing in the passphrase
  • -keyout key.pem store the private key in a file called key.pem
  • -out req.pem store the certificate request in a file called req.pem

This command will run interactivly and ask you a number of questions, please note that your answers will be double and cross checked by your certificate authority and that your answers must match any other legal documents regarding the registration of your company. Following are tips for proper answers:

Fill in your companies two letter country code, consult wikipedia if you are unsure which code to use.

Country Name (2 letter code) [AU]:
Openssl New Key

State for US, large administrative district for other countries:

State or Province Name (full name) [Some-State]:


Locality Name (eg, city) []:

Full company name, please copy this letter to letter from your companies registration forms. A difference such as using the sign & instead of the word 'and' might cause your request to be rejected.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Company sub-division or a product name

Organizational Unit Name (eg, section) []:

Your domain name, or in case of wildcard certificates, use an astrisk, like this: *

Common Name (eg, YOUR name) []:

Email to be displayed with the certificate

Email Address []:

Double check the information by using this command on your newly generated request:

openssl req -in req.pem -noout -text

Save your private key file, named key.pem, in a secure location. It will later be used to configure your web server. The request file, req.pem, should be sent to your certificate authority for signing.

Generate a self-signed key

You can generate a self-signed key for a development servers by following those steps:

Create an empty directory and step in to it. Execute the following command, please note that the backslash (') sign allow a single command to span over a number of lines. In our case it is used to fit the command in this document:

$ openssl req -x509 -days 365 -nodes -newkey rsa:1024  -keyout key.pem -out cert.pem

You can hit enter as an answer to all the questions to set the default except this one:

Openssl New Key
Common Name (eg, YOUR name) []:
Openssl New Key

type in the dns record used for your development server as an answer to this one.


Thats it, two new PEM files will be created, 'cert.pem' containing your certificate and 'key.pem' containing the self signed key.

Openssl New Key

Testing SSL servers

You can use the OpenSSL built in client to connect to a web server and display the certificate chain. Replace your server address and port with your own:

$ openssl s_client -connect -showcerts

Openssl Newkey Ed25519

Here is a typical output, with the certificate chain displayed:

CONNECTED(00000003)depth=1 O = CA, OU = 'CA', OU = CA, OU = CAverify error:num=20:unable to get local issuer certificateverify return:0---Certificate chain 0 s:/C=US/ST=California/L=Palo Alto/O=mysite/ i:/O=CA/OU=CA/OU=CA/OU=CA-----BEGIN CERTIFICATE-----MIIDnzCCAwigAwIBAgIQCSGX4cDpzQPaNSQ2VhCGgTANBgkqhkiG9w0BAQUFADCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VyA .... MANY LINES LIKE THAT .... .... MANY LINES LIKE THAT .... gjRaROuWGxfY25KebCQpoBW2PJp3S1JmqHHyxjk4mzr+tzWK0Qn+tlBUy9igtkIhVybjO+AxBZve1qyJIsVraz8wrw-----END CERTIFICATE----- 1 s:/O=CA/OU=CA/OU=CA/OU=CA i:/C=US/O=CA/OU=CA-----BEGIN CERTIFICATE-----MIIDgzCCAuygAwIBAgIQRvzrurTQLw+SYJgjP5MHjzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwA .... MANY LINES LIKE THAT .... .... MANY LINES LIKE THAT .... OfamggNlEcS8vy2m9dk7CrWY+rN4uR7yK0xi1f2yeh3fM/1z+aXYLYwq6tH8sCi26UlIE0uDihtIeyT3ON5vQVS4q1drBt/HotSp9vE2YoCI8ot11oBx-----END CERTIFICATE--------Server certificatesubject=/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.comissuer=/O=CA/OU=CA/OU=CA/OU=CA---No client certificate CA names sent---SSL handshake has read 2007 bytes and written 343 bytes---New, TLSv1/SSLv3, Cipher is RC4-MD5Server public key is 1024 bitSecure Renegotiation IS NOT supportedCompression: NONEExpansion: NONESSL-Session: Protocol : SSLv3 Cipher : RC4-MD5 Session-ID: 244BE55....48F793 Session-ID-ctx: Master-Key: 18674D2....B3465946941C0C77DF2DE Key-Arg : None PSK identity: None PSK identity hint: None Start Time: 1325335498 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate)---

Openssl Create Key File

you can copy parts of the output to a PEM file and further inspect them with the verify openssl command.