Domain Com Crt Generate Private Key From Crt

Common OpenSSL Commands with Keys and Certificates.

Generate RSA private key with certificate in a single command:

    openssl req -x509 -newkey rsa:4096 -sha256 -keyout example.key -out example.crt -subj '/CN=example.com' -days 3650 -passout pass:foobar

Generate Certificate Signing Request (CSR) from private key with passphrase. A certificate.crt and privateKey.key can be extracted from your Personal Information Exchange file (certificate.pfx) using OpenSSL. Follow this article to create a certificate.crt and privateKey.key files from a certificate.pfx file.

OpenSSL

OpenSSL is a command-line tool that can be used to generate the keys and certificates of a public key infrastructure (PKI) and to secure a server with HTTPS. This article is a quick reference to the OpenSSL commands that are most useful in everyday scenarios, especially for system administrators.

Certificate Signing Requests (CSRs)

If we want to obtain an SSL certificate from a certificate authority (CA), we must generate a certificate signing request (CSR). A CSR consists mainly of the public key of a key pair and some additional information. Both of these components are placed into the certificate when the CSR is signed.

While generating a CSR, the system prompts for information about the certificate; this information is called the Distinguished Name (DN). The important field in the DN is the Common Name (CN), which should be the FQDN (Fully Qualified Domain Name) of the server or host on which we intend to use the certificate.

The next items in a DN provide additional information about our business or organization. If we purchase an SSL certificate from a certificate authority (CA), it is very important, and required, that additional fields such as “Organization” reflect your organization's details.

Here is a general example for the CSR information prompt, when we run the OpenSSL command to generate the CSR.

We can also supply the CSR information non-interactively by adding the -subj option to any OpenSSL command that generates a CSR.

Below is an example of the -subj option, which provides the information of the organization where we want to use this CSR.

Generating CSRs

In this section, we will cover the OpenSSL commands related to generating a CSR. This CSR can be used to request an SSL certificate from a certificate authority.

Generate a Private Key and a CSR

Use this method if we want to use HTTPS (HTTP over TLS) to secure an Apache or Nginx web server with an SSL certificate issued by a Certificate Authority (CA). The CSR that we generate has to be sent to the CA to request the CA-signed SSL certificate.

Below is the command to create a 2048-bit private key ‘domain.key’ and a CSR ‘domain.csr’ from scratch.

The ‘-newkey rsa:2048’ option specifies that the key should be 2048-bit and use the RSA algorithm. The ‘-nodes’ option specifies that the private key should not be encrypted with a pass phrase. The ‘-new’ option indicates that a CSR is being generated. Because an unencrypted key is protected only by file permissions, keep ‘domain.key’ readable by the server account alone.

Generate a CSR from an Existing Private Key

Here we will learn how to generate a CSR for a private key that we already have.

Below is the command to create a new .csr file based on the private key which we already have.

Generate a CSR from an Existing Certificate and Private key

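Use this method to renew an existing certificate when the original CSR file is missing for some reason. The CSR takes its information from the .CRT file that we already have. The certificate holds only the public key, so the matching private key is still required to sign the new CSR.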

Below is the example for generating –

The -x509toreq option specifies that we are using an X.509 certificate file to make a CSR.

Generating Self-Signed Certificates

Here we will generate a self-signed certificate to secure a web server for development and testing purposes.

Here, we generate a self-signed certificate using the -x509 option; -days 365 gives the certificate a validity of 365 days, and a temporary CSR is generated using the above information.
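The commands described in the sections above, run non-interactively as one added shell example (it is not part of the original article). It creates the key and CSR, a CSR from the existing key, a self-signed certificate and a CSR rebuilt with -x509toreq, then confirms by public-key fingerprint that all of them belong to the same key. The subject values and the file names from_key.csr and from_crt.csr are constructed for illustration.

```shell
#!/bin/sh
# Added example; the DN values and the from_*.csr names are constructed.
set -eu
SUBJ='/C=US/ST=New York/L=Brooklyn/O=Example Company/CN=example.com'

# SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pub_fp() {  # $1 = key|csr|crt   $2 = file
  pem=$(case "$1" in
    (key) openssl pkey -in "$2" -pubout ;;
    (csr) openssl req  -in "$2" -noout -pubkey ;;
    (crt) openssl x509 -in "$2" -noout -pubkey ;;
    (*)   false ;;
  esac) || return 1   # unreadable input must not hash as "empty"
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the certificate carries this private key's public half.
key_matches_crt() {
  k=$(pub_fp key "$1") && c=$(pub_fp crt "$2") && [ "$k" = "$c" ]
}

make_all() {  # $1 = directory that receives the files
  (
    cd "$1"
    umask 077  # the key is unencrypted (-nodes): owner-only permissions
    # 1. New 2048-bit RSA key and CSR, DN supplied with -subj (no prompts)
    openssl req -newkey rsa:2048 -nodes -keyout domain.key \
      -out domain.csr -subj "$SUBJ"
    # 2. CSR from the key we already have
    openssl req -new -key domain.key -out from_key.csr -subj "$SUBJ"
    # 3. Self-signed certificate valid for 365 days
    openssl req -x509 -new -key domain.key -days 365 -subj "$SUBJ" \
      -out domain.crt
    # 4. CSR rebuilt from the certificate; the private key must sign it
    openssl x509 -in domain.crt -signkey domain.key -x509toreq \
      -out from_crt.csr
  ) 2>/dev/null
}

work=$(mktemp -d)
make_all "$work"
for f in domain.csr from_key.csr from_crt.csr; do
  printf '%-14s %s\n' "$f" "$(pub_fp csr "$work/$f")"
done
key_matches_crt "$work/domain.key" "$work/domain.crt" \
  && echo "domain.key matches domain.crt"
rm -rf "$work"
```

The same fingerprint comparison is a quick check after any export or transfer that the .key and .crt files placed on a server really belong together.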

Viewing Certificate Files

Please note that CSR files are encoded in PEM format, which is not human-readable, so they have to be decoded to be viewed. This section covers the OpenSSL commands that display the contents of PEM-encoded files.

Viewing CSR File Entries

The command below is used to view the contents of a .CRT file (e.g. domain.crt) in plain text format.

Working with Private Keys

In this section, we will see how to use the OpenSSL commands that are specific to creating and verifying private keys.

Create a Private Key

Below is the command to create a password-protected, 2048-bit encrypted private key file (e.g. domain.key):

Enter a password when prompted to complete the process.

Verify a Private Key

Below is the command to check whether a private key that we have generated (e.g. domain.key) is a valid key or not.

If the private key is encrypted, you will be prompted to enter the pass phrase. Upon successful entry, the unencrypted key will be output on the terminal.
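An added shell example (not part of the original article) of creating and verifying a passphrase-protected key without typing at a prompt. It assumes the passphrase is supplied in an environment variable named KEY_PASS (a name chosen for this example) and adds -noout so that the check does not print the unencrypted key; the passphrase and file names are constructed.

```shell
#!/bin/sh
# Added example; the passphrase and file names are constructed.
set -eu

# 2048-bit RSA key, encrypted with AES-256. The passphrase comes from the
# KEY_PASS environment variable instead of the command line, so it does not
# show up in the process list or shell history.
new_encrypted_key() {  # $1 = output file
  ( umask 077
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1" 2048 ) 2>/dev/null
}

# Consistency check. -noout stops openssl from printing the decrypted key,
# which would otherwise land in terminal scrollback or a captured log.
check_key() {  # $1 = key file
  openssl rsa -check -noout -passin env:KEY_PASS -in "$1" >/dev/null 2>&1
}

# The PEM header shows whether the key on disk is passphrase-protected
# (PKCS#8 header or the traditional Proc-Type line).
is_encrypted() {
  grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

dir=$(mktemp -d)
KEY_PASS='constructed-passphrase-1'; export KEY_PASS
new_encrypted_key "$dir/domain.key"

is_encrypted "$dir/domain.key" && echo "key file is encrypted"
check_key "$dir/domain.key"    && echo "key is valid"
# A wrong passphrase must fail outright rather than prompt or succeed.
( KEY_PASS='wrong-passphrase'; check_key "$dir/domain.key" ) \
  || echo "wrong passphrase rejected"
rm -rf "$dir"
```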

In this article, we have learnt some OpenSSL commands and their usage for dealing with SSL certificates; OpenSSL has many more features. We will learn more features and usage in the future. I hope this article will help us to understand some basic features of OpenSSL.

Transferring an SSL Certificate from a Windows server to an Apache Server

These instructions explain how to export an SSL certificate installed on a Microsoft server for importing to an Apache server. The SSL certificate file is exported as a .crt and .key file and includes the intermediate certificate. If you need your SSL certificate in a .pfx format, please see DigiCert Certificate Utility SSL Certificate Export Instructions (PFX Format).

Background

Apache servers split the SSL certificate parts into two separate files: .crt and .key files. The .crt file contains the public key file (SSL certificate file), and the .key file contains the associated private key. DigiCert provides your SSL certificate file (public key file). You use your server to generate the associated private key file as part of the CSR. You need both the public and private keys for an SSL certificate to function.

Windows servers use .pfx files that contain the public key file (SSL certificate file) and the associated private key file. So, if transferring your SSL certificates from a Windows server to Apache, you need to export the certificate in an Apache compatible format, which splits the public (.crt) and private (.key) files.

Export Prerequisites

To export your certificate .crt file and its .key file for Apache, the SSL certificate and its corresponding private key must be on the same computer/workstation. You may need to import the certificate to the computer that has the associated private key stored on it (e.g., the laptop/desktop computer where you created the CSR) before you can successfully export the .crt and .key files.

For help importing the certificate, see SSL Certificate Importing Instructions: DigiCert Certificate Utility.

How to Export Your SSL Certificate w/Private Key Using the DigiCert Certificate Utility

  1. On your Windows Server from which you want to export the SSL certificate, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the certificate that you want to export as a .pfx file, and then click Export Certificate.

  4. In the Certificate Export wizard, select Yes, export the private key, select key file (Apache compatible format), and then click Next.

    Note: If the Yes, export the private key option is grayed out (not usable), the certificate's matching private key is not on that computer. This prevents you from being able to create the .key file for Apache. To fix this problem, you will need to import the certificate to the same machine where the certificate's CSR was created. See Export Prerequisites.

  5. In the File name box, click to browse the location where you want to save your files.

  6. In the Save As window, browse for and select the location where you want to save your .key and .crt files.

  7. Provide a file name (i.e. your_domain_com.key) for your .key file, noting that your server .crt file will have the same name (i.e. your_domain_com.crt).

  8. Click Save.

  9. In the Certificate Export wizard, click Finish.

    This exports the following files that you need to copy to your Apache server:

    Private Key: your_domain_com.key
    Server Certificate: your_domain_com.crt
    Intermediate Certificate: DigiCertCA.crt

  10. After you receive the 'Your certificate and key have been successfully exported' message, click OK.

Enable Certificate Files on Apache and Other Servers Using Apache Format

To enable these certificate files in Apache or other Server types that use SSL certificate files in Apache format, you need to follow the instructions for that particular server type:

For other server types that use certificate files in Apache format, please see SSL Certificate Installation Instructions & Tutorials to find the SSL certificate installation instructions for your server type.

Test Your Installation

To verify that the installation is correct, use our DigiCert® SSL Installation Diagnostics Tool and enter the DNS name of the site (i.e. www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL certificate.
