How to Use Openssl to Create Keys, CSR and Cert Bundle, Review and Verify and Install

There are a number of tools available to create an SSL/TLS key pair and a CSR. Here I'm going to use openssl.

1. Let's first create a key pair

In this example, we are creating an RSA key with a 2048-bit key length. It is recommended that you create a password-protected private key.

# Create a plain-text (unencrypted) key pair; the file holds the private key, from which the public key is derived
openssl genrsa -out myserver.key 2048
# If you need it, extract the public key from the key generated above
openssl rsa -in myserver.key -pubout > myserver.pub
# Create a password-protected key (encrypted with AES-128; use -aes256 for AES-256)
openssl genrsa -aes128 -passout pass:<password> -out enc-myserver.key 2048
# Encrypt an existing plain-text private key
openssl rsa -aes128 -in myserver.key -passout pass:<password> -out enc-myserver.key


2. Let's create a CSR. 

OpenSSL lets you supply the input information through an OpenSSL configuration file while creating a CSR. The advantage of the configuration file is that it can be stored in a version control system like git and re-used. Look at the config file example below. Let's call it mycsr.cnf

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no                  # take the subject from the section below instead of prompting
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Ontario
localityName = Toronto
organizationName = IT
OU = ITWork
commonName = myexampleserver.ca
[ v3_req ]
basicConstraints = CA:false
keyUsage = Digital Signature, Key Encipherment
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
subjectAltName = @alt_names  # all host names the certificate must be valid for
[alt_names]
DNS.1 = my1stdns.com
DNS.2 = my2nddns.com
DNS.3 = my3rddns.com

Here we are using mycsr.cnf to feed the information required to create the CSR. Since we are using an encrypted key, we pass the password with the option -passin pass:<password>. If you omit the -passin option, openssl prompts for the password. The command below generates myserver.csr:

openssl req -new -key enc-myserver.key -passin pass:<password> -out myserver.csr -config mycsr.cnf

Note: you can also generate a CSR from an existing private key and an existing certificate. See the command below. OpenSSL versions prior to 3.x may not support '-copy_extensions copyall'; without it, the extensions of the existing certificate (such as subjectAltName) are not carried over into the CSR.

openssl x509 -x509toreq [-copy_extensions copyall] -in <existing certificate>.crt -signkey <existing private key> -out myserver.csr

Review the generated CSR. In the example below, we are inspecting the myserver.csr created above:

openssl req -noout -text -in myserver.csr


3. Send your CSR to CA and Get the Signed Certs

Once your Certificate Authority (CA) receives the CSR, they process it and usually send a link from which the signed certificate(s) can be downloaded. The link may offer separate downloads for the root CA cert, one or more intermediate cert(s) and the server/domain cert. Depending on how and on which server/application you are installing the certificate, you may want to combine all provided certs into a single PEM file. Here is how you can do it:

# Order matters: server cert first, then intermediate(s), then the root
cat server.crt intermediate.crt rootca.crt > cert-bundle.pem

Notes:
  1. Make sure the certificate files are in PEM format. To check, open the file in a text editor like Notepad++ and see whether it starts with -----BEGIN and the content is ASCII. Certs can be converted from other formats to PEM with openssl as follows:


    # Convert DER (binary) to PEM
    openssl x509 -inform DER -in mycert.der -out mycert.pem
    # .cer and .crt are only file extensions; the content can be PEM or DER.
    # If the file does not start with -----BEGIN, it is DER and is converted the same way:
    openssl x509 -inform DER -in mycert.cer -out mycert.pem
    openssl x509 -inform DER -in mycert.crt -out mycert.pem


  2. Open the merged file cert-bundle.pem in a text editor and make sure that each -----BEGIN starts on a new line (a cert file without a trailing newline would otherwise glue its -----END to the next -----BEGIN).
  3. If you are not able to install the password-protected key, remove the password as follows:

    openssl rsa -in enc-myserver.key -passin pass:<password> -out myserver.key
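The following script, added here as an example and not code from the original post, runs steps 1 to 3 end to end in a scratch directory with a throwaway root CA (constructed, standing in for the real CA) and then checks that the key, CSR, certificate and bundle really belong together. The config mirrors mycsr.cnf; file names and the password are assumptions.

```shell
# Added example: steps 1-3 of the post plus consistency checks. All files are created
# in a temporary directory; the root CA is a constructed stand-in for the real CA.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
PW=secret   # constructed key password; an input in real use
cat > mycsr.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
CN = myexampleserver.ca
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my1stdns.com, DNS:my2nddns.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
# Throwaway root CA; -subj overrides the CN fixed in the config, -x509 uses v3_ca.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca.key -out rootca.crt \
    -subj "/CN=Example Root CA" -days 30 -config mycsr.cnf 2>/dev/null
# Steps 1 and 2 of the post: encrypted private key, then a CSR driven by the config.
openssl genrsa -aes128 -passout pass:$PW -out enc-myserver.key 2048 2>/dev/null
openssl req -new -key enc-myserver.key -passin pass:$PW -config mycsr.cnf -out myserver.csr
# Step 3: the CA signs and we build the bundle. x509 -req ignores the CSR's own
# extensions unless -copy_extensions (3.x), so v3_req is re-applied from the config.
openssl x509 -req -in myserver.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial \
    -extfile mycsr.cnf -extensions v3_req -days 30 -out server.crt 2>/dev/null
cat server.crt rootca.crt > cert-bundle.pem
# SHA-256 of the DER public key inside a key, CSR or cert; equal means same key pair.
pubkey_fp() {   # usage: pubkey_fp key|csr|crt FILE
    case "$1" in
        key) openssl pkey -in "$2" -passin pass:$PW -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_csr()   { [ "$(pubkey_fp key enc-myserver.key)" = "$(pubkey_fp csr myserver.csr)" ]; }
key_matches_cert()  { [ "$(pubkey_fp key enc-myserver.key)" = "$(pubkey_fp crt server.crt)" ]; }
csr_signature_ok()  { openssl req -in myserver.csr -noout -verify >/dev/null 2>&1; }
san_in_cert()       { openssl x509 -in server.crt -noout -text | grep -q 'DNS:my2nddns.com'; }
chain_ok()          { openssl verify -CAfile rootca.crt server.crt >/dev/null; }
# nginx serves the first cert in the bundle as the server cert, so the leaf must come first.
bundle_leaf_first() { [ "$(openssl x509 -in cert-bundle.pem -noout -subject)" = "$(openssl x509 -in server.crt -noout -subject)" ]; }
```

With a real CA, replace the throwaway root by the downloaded root and intermediate certs and pass the intermediate to openssl verify with -untrusted.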


4. Install and Verify your Certificate

Installation depends on what your target server/application is. Here I'm showing a quick example for nginx. This configuration snippet enables SSL/TLS for nginx:


    server {
        listen       443 ssl;
        server_name  myexampleserver.ca;

        # the bundle from step 3 (server cert first, then intermediates and root)
        ssl_certificate      <cert-location>/ssl-bundle.crt;
        ssl_certificate_key  <cert-location>/enc-myserver.key;
        # only needed when the key is password protected (see note 3 above)
        ssl_password_file    <path-to-password-file>/key.pass;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

Once the configuration is updated, start nginx and open the default page in a browser, e.g. 'https://myexampleserver.ca'.

5. [Optional] Create .p12 key store for your Keys and Certs 


PKCS #12 is an industry standard for storing many cryptographic objects in a single file. Here is how you can create a PKCS #12 archive:


# openssl pkcs12 -export -in CertPath.cer [-certfile ssl-bundle.crt] -inkey privateKeyPath.key [-passin pass:<private key password>] -passout pass:<.p12 file password> -out key.p12

openssl pkcs12 -export -in ssl-bundle.crt -inkey enc-myserver.key -passin pass:<private key password> -passout pass:<p12 certstore password> -out mycertarchive.p12

Notes:
  1. If the file passed with the -in option holds both the certs and the private key, the -inkey option is not required.
  2. If the file passed with the -in option holds all the certs (server, intermediate and root CA), the -certfile option is not required. The usual practice is to pass the server cert with -in, the private key with -inkey, and the root CA and intermediate certs with -certfile.
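As an added example (not code from the original post), the script below builds the archive both ways the notes describe and reads it back to confirm what it holds. A self-signed cert stands in for the CA-signed bundle; file names and the password are constructed.

```shell
# Added example: create a .p12 two ways (with -inkey, and from a combined -in file)
# and read it back. The self-signed cert is a constructed stand-in for the real one.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
P12PW=storepass   # constructed archive password
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=myexampleserver.ca\n' > min.cnf
openssl req -x509 -newkey rsa:2048 -nodes -keyout myserver.key -out server.crt \
    -days 30 -config min.cnf 2>/dev/null
# Usual form: server cert via -in, private key via -inkey (add -certfile for the chain).
openssl pkcs12 -export -in server.crt -inkey myserver.key \
    -passout pass:$P12PW -out mycertarchive.p12
# Note 1 above: if the -in file already holds both cert and key, -inkey is not needed.
cat server.crt myserver.key > combined.pem
openssl pkcs12 -export -in combined.pem -passout pass:$P12PW -out combined.p12

# Read-back checks: -nokeys/-nocerts pick what to dump; -nodes leaves the dumped key
# unencrypted so the check is not prompted for a new PEM pass phrase.
p12_cert_subject() {   # $1: archive; prints e.g. subject=CN=myexampleserver.ca
    openssl pkcs12 -in "$1" -passin pass:$P12PW -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/ *= */=/g'
}
p12_has_private_key() {   # $1: archive
    openssl pkcs12 -in "$1" -passin pass:$P12PW -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}
p12_key_matches_cert() {   # $1: archive; SHA-256 of both DER public keys must agree
    k=$(openssl pkcs12 -in "$1" -passin pass:$P12PW -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl pkcs12 -in "$1" -passin pass:$P12PW -nokeys 2>/dev/null \
        | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```

OpenSSL 3.x encrypts the archive with AES-256-CBC and PBKDF2 by default; if an older keytool or KSE build refuses to open it, re-export with the 3.x -legacy option (which needs the legacy provider).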


6. [Optional] Use .p12 with Java Keytool or KeyStore Explorer (KSE) 

You can open the .p12 file directly in KSE and use its functionality. You can use the Java keytool as well. Here is an example of listing certs with the Java keytool:

  1. List certs using keytool

    keytool -v -list -storetype pkcs12 -keystore mycertarchive.p12


  2. Convert to JKS if necessary. You'll be prompted for the passwords:

    #keytool -importkeystore -srckeystore <.p12 file> -srcstoretype pkcs12 -destkeystore <.jks file> -deststoretype JKS

    keytool -importkeystore -srckeystore mycertarchive.p12 -srcstoretype pkcs12 -destkeystore mycertarchive.jks -deststoretype JKS
