OpenSSL is the standard command-line toolkit for working with certificates, keys, and SSL/TLS
infrastructure. As a system administrator, you will use it to generate private keys, create
certificate signing requests, issue self-signed certificates, and convert between certificate
formats. This guide covers the full workflow with practical examples.
Quick Answer
The standard certificate workflow in four commands:
# Step 1 — Generate a private key
openssl genrsa -out server.key 2048
# Step 2 — Create a Certificate Signing Request
openssl req -new -key server.key -out server.csr
# Step 3a — Self-signed certificate (for internal use)
openssl req -x509 -key server.key -in server.csr -out server.crt -days 365
# Step 3b — Or submit the CSR to a Certificate Authority
# The CA will return a signed .crt file
Key Concepts
Before running commands, it helps to understand what each file type is.
Private Key (.key or .pem)
A secret file generated on your server. It must never leave the server. The CSR and the certificate both carry the public key that corresponds to it, so anyone holding the private key can impersonate the server.
Certificate Signing Request (.csr)
A file you generate from your private key. It contains your identity information (domain name, organization, country) and your public key. You submit this to a Certificate Authority (CA) to get a signed certificate.
Certificate (.crt or .pem)
The signed file returned by a CA, or generated locally as self-signed. This is what your web server presents to clients.
Certificate Authority (CA)
A trusted entity (Let’s Encrypt, DigiCert, or your own internal CA) that verifies your identity and signs your certificate. Browsers and operating systems trust certificates that chain up to a CA in their root store.
Generating a Private Key
RSA Key (most common)
Generate a standard 2048-bit RSA private key:
openssl genrsa -out server.key 2048
Where policy calls for a larger key, use 4096 bits. Key generation and TLS handshakes are noticeably slower, and 2048 bits remains acceptable for web server certificates today:
openssl genrsa -out server.key 4096
To generate an encrypted key (will prompt for a passphrase):
openssl genrsa -out server.key -aes256 2048
Note: Encrypted keys require the passphrase every time the service starts. For automated services (web servers, load balancers) this is often impractical. Use unencrypted keys on secured servers with proper file permissions.
Elliptic Curve Key (EC)
EC keys provide equivalent security with much smaller keys and faster handshakes; prefer them for new deployments. The curve name P-384 below is an alias for secp384r1:
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out server.key
Recommended curves: prime256v1 (P-256), secp384r1 (P-384), secp521r1 (P-521). P-256 and P-384 have the broadest TLS client support; some browsers, Chrome included, do not negotiate P-521.
Creating a Certificate Signing Request (CSR)
A CSR contains your public key and identity fields known as the Subject Distinguished Name (DN).
Interactive CSR (prompts for each field)
openssl req -new -key server.key -out server.csr
OpenSSL will ask for:
| Field | Example | Notes |
|---|---|---|
| Country Name (C) | US | Two-letter ISO code |
| State or Province (ST) | California | Full name |
| Locality (L) | San Francisco | City |
| Organization (O) | ACME Corp | Company or department |
| Organizational Unit (OU) | IT | Optional |
| Common Name (CN) | server.example.com | Domain name or hostname |
| Email Address | admin@example.com | Optional |
Non-interactive CSR (with -subj flag)
Useful for scripting and automation:
openssl req -new -key server.key -out server.csr \
-subj "/C=US/ST=California/L=San Francisco/O=ACME Corp/CN=server.example.com"
Generate Key and CSR in One Step
openssl req -new -newkey rsa:2048 -nodes -out server.csr \
-subj "/CN=server.example.com"
The -nodes flag means “no DES”: the key is written unencrypted. OpenSSL 3.0 renamed it -noenc and still accepts -nodes as a deprecated alias.
Inspecting a CSR
Always verify a CSR before submitting it to a CA:
openssl req -in server.csr -noout -text
Check these fields in the output:
- Subject: verify the domain name (CN) is correct
- Public Key Algorithm: RSA or EC
- Key Size: should be 2048 or higher for RSA
Generating a Self-Signed Certificate
Self-signed certificates are useful for:
- internal services and intranets
- development and testing environments
- internal CA infrastructure
From an existing key and CSR
openssl req -x509 -key server.key -in server.csr -out server.crt -days 365
In one command (key + certificate together)
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout server.key -out server.crt -days 365 \
-subj "/CN=server.example.com"
The -days value sets the validity period. Common values:
| Period | Days |
|---|---|
| 1 year | 365 |
| 2 years | 730 |
| 5 years | 1825 |
Note: Browsers show warnings for self-signed certificates, and modern browsers also reject any certificate, self-signed or not, whose hostname appears only in the CN. Add the hostname as a Subject Alternative Name as well (-addext "subjectAltName=DNS:server.example.com" on OpenSSL 1.1.1 or newer, or a config file section on older builds). For production public-facing services, always use a trusted CA.
Signing with a Certificate Authority
If you have a certificate from a CA (Let’s Encrypt, internal PKI, etc.), the workflow is:
- Generate your private key
- Generate a CSR
- Submit the CSR to the CA
- Receive the signed .crt file back, usually together with the CA’s intermediate certificate(s)
- Install the .key, the .crt and the intermediate chain on your server
For internal CA environments (Windows CA or OpenSSL CA), you submit the CSR through your organization’s CA interface or CLI.
Inspecting Certificates
View certificate details
openssl x509 -in server.crt -noout -text
View specific fields only
# Validity dates
openssl x509 -in server.crt -noout -dates
# Subject and Issuer
openssl x509 -in server.crt -noout -issuer -subject
# Subject Alternative Names (SANs); -ext needs OpenSSL 1.1.1 or newer
openssl x509 -in server.crt -noout -ext subjectAltName
Check if a key matches a certificate
A common troubleshooting task: verifying that the private key belongs to the certificate.
For RSA, compare the modulus values, which must be identical. They are long hex strings, so diff or hash the two outputs rather than comparing them by eye:
openssl rsa -in server.key -noout -modulus
openssl x509 -in server.crt -noout -modulus
For EC, compare the public key blocks; the two PEM outputs must be identical:
openssl ec -in server.key -pubout
openssl x509 -in server.crt -noout -pubkey
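The modulus and public key comparisons above differ per algorithm and produce long strings that are easy to misread. The following added example (not from the original page) compares a SHA-256 fingerprint of the DER-encoded public key instead, which works the same way for RSA and EC and for a private key, a certificate or a CSR. The function names, file names and hostnames are placeholders.

```sh
#!/bin/sh
# Added example: algorithm-agnostic "does this key belong to this certificate?" check.
# Compares a SHA-256 fingerprint of the public key (SubjectPublicKeyInfo, DER) rather
# than RSA modulus text, so it works for RSA and EC and for keys, certs and CSRs.
# Paths and hostnames below are placeholders.
set -e

# pubkey_fingerprint FILE: hex SHA-256 of the DER SubjectPublicKeyInfo found in FILE.
# FILE may be an unencrypted private key, a public key, a certificate or a CSR.
# (An encrypted private key would prompt for its passphrase; decrypt it first.)
pubkey_fingerprint() {
  local file=$1 pem
  # Pick the reader by PEM label; the request pattern must come before the
  # certificate pattern because "CERTIFICATE REQUEST" also contains "CERTIFICATE".
  case "$(head -n 1 "$file")" in
    *"CERTIFICATE REQUEST"*) pem=$(openssl req  -in "$file" -noout -pubkey) ;;
    *"CERTIFICATE"*)         pem=$(openssl x509 -in "$file" -noout -pubkey) ;;
    *"PUBLIC KEY"*)          pem=$(cat "$file") ;;
    *)                       pem=$(openssl pkey -in "$file" -pubout) ;;
  esac
  # Normalise to DER before hashing so PEM formatting differences cannot matter
  printf '%s\n' "$pem" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# key_matches_cert KEY FILE: exit 0 when KEY's public key equals the one in FILE
key_matches_cert() {
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Demonstration: one RSA key with its certificate, one EC key with its CSR,
# and a deliberate mismatch.
demo=$(mktemp -d)
openssl genrsa -out "$demo/rsa.key" 2048 2>/dev/null
openssl req -x509 -new -key "$demo/rsa.key" -out "$demo/rsa.crt" \
    -days 365 -subj "/CN=server.example.com"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$demo/ec.key"
openssl req -new -key "$demo/ec.key" -out "$demo/ec.csr" -subj "/CN=server.example.com"

for pair in "rsa.key rsa.crt" "ec.key ec.csr" "ec.key rsa.crt"; do
  set -- $pair
  if key_matches_cert "$demo/$1" "$demo/$2"; then
    echo "$1 matches $2"
  else
    echo "$1 does NOT match $2"
  fi
done
rm -rf "$demo"
```

The same fingerprint also lets you confirm that the certificate a CA returned was issued for the CSR you sent, before you install anything.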
File Formats: PEM, DER, PFX
OpenSSL works with three common certificate formats.
| Format | Extension | Description |
|---|---|---|
| PEM | .pem, .crt, .key | Base64-encoded text. Most common on Linux/Apache/Nginx. |
| DER | .der, .cer | Binary format. Used on Java systems and some Windows scenarios. |
| PFX / PKCS#12 | .pfx, .p12 | Password-protected container holding the certificate, its private key and usually the intermediate chain. Used on Windows/IIS. |
Convert PEM to DER
openssl x509 -in server.crt -outform DER -out server.der
Convert DER to PEM
openssl x509 -in server.der -inform DER -out server.crt
Convert PEM to PFX (for Windows/IIS)
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
You will be prompted to set an export password. Add -certfile chain.crt to include the intermediate certificates, which IIS needs in order to serve a complete chain. For scripted use, -passout env:VARNAME reads the password from an environment variable instead of prompting. OpenSSL 3 encrypts the bundle with AES-256 and PBKDF2 by default; if an older importer rejects the file, re-export with the -legacy option.
Extract private key from PFX
openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts
The output starts with a few Bag Attributes lines before the PEM block. Most servers ignore them, but piping the output through openssl pkey yields a clean key file. The -nodes flag writes the key unencrypted, so create the file with restrictive permissions.
Extract certificate from PFX
openssl pkcs12 -in server.pfx -out server.crt -nodes -clcerts
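An added example, not from the original page, that performs the PEM-to-PFX export and the two extraction steps without prompts and then checks that what came out matches what went in. The password is read from an environment variable (PFX_PASS, a placeholder name) rather than passed on the command line, the extracted key is created owner-readable only, and both extracted files are cleaned of the Bag Attributes header lines. File names and the hostname are placeholders.

```sh
#!/bin/sh
# Added example: non-interactive PKCS#12 export and extraction with a round-trip check.
# The password comes from $PFX_PASS via "env:" so it stays out of shell history and ps.
# Paths, hostname and the variable name are placeholders.
set -e

# to_pfx KEY CERT OUT [CHAIN]: bundle key, leaf cert and optional intermediates into OUT.
to_pfx() {
  if [ -n "${4:-}" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$4" -out "$3" -passout env:PFX_PASS
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
  fi
}

# from_pfx PFX DIR: write DIR/server.key (unencrypted, 0600) and DIR/server.crt (leaf only).
# Piping through openssl pkey / openssl x509 drops the "Bag Attributes" lines that
# pkcs12 prints, leaving a plain PEM block every server accepts.
from_pfx() {
  local pfx=$1 dir=$2
  mkdir -p "$dir"
  (umask 077 && openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
      | openssl pkey -out "$dir/server.key")
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
      | openssl x509 -out "$dir/server.crt"
}

# cert_fingerprint FILE: SHA-256 fingerprint of the certificate, for before/after comparison
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demonstration with a throwaway self-signed certificate
demo=$(mktemp -d)
openssl genrsa -out "$demo/server.key" 2048 2>/dev/null
openssl req -x509 -new -key "$demo/server.key" -out "$demo/server.crt" \
    -days 365 -subj "/CN=server.example.com"
PFX_PASS='change-me-before-use'; export PFX_PASS   # placeholder password
to_pfx "$demo/server.key" "$demo/server.crt" "$demo/server.pfx"
from_pfx "$demo/server.pfx" "$demo/extracted"
echo "original : $(cert_fingerprint "$demo/server.crt")"
echo "extracted: $(cert_fingerprint "$demo/extracted/server.crt")"
rm -rf "$demo"
```

Compare the two fingerprints (and, for the key, the output of openssl pkey -pubout on both files) before handing the bundle to the Windows team; a mismatch here is much cheaper to find than after an IIS import.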
Tips and Common Mistakes
Mismatched key and certificate
The most common issue when installing certificates. Always verify that the modulus (RSA) or public key (EC) matches between your .key and .crt files before deploying.
Wrong Common Name
Modern browsers ignore the CN for hostname matching and require the name in the Subject Alternative Name extension, so put every hostname users will access (including the one in the CN) in SANs. For multi-domain certificates, list all names as SANs, never as multiple CNs.
Expired certificates
Always check validity dates before deploying:
openssl x509 -in server.crt -noout -dates
Private key with passphrase on automated services
If your key is encrypted and your web server can’t start unattended after a reboot, remove the passphrase. openssl rsa handles RSA keys only; for EC keys use openssl ec, or openssl pkey for either:
openssl rsa -in encrypted.key -out server.key
Create the decrypted file with a restrictive umask so it is never world-readable, and delete the encrypted copy only once the new one is in place and tested.
Wrong file format for the target platform
Linux services expect PEM. Windows IIS expects PFX. Java’s keytool imports PKCS#12 directly, and PKCS#12 has been the default keystore type since JDK 9; JKS is the older proprietary format.
Always check what format the target platform requires.
File permissions on private keys
Private key files must be owned by, and readable only by, the account that runs the service; never world-readable. On Linux:
chmod 600 server.key
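For the last two tips, here is an added example (not from the original page) that adds and removes a passphrase non-interactively with openssl pkey, which handles RSA and EC keys alike, writes the decrypted key with permissions of 0600 from the moment it is created rather than relying on a chmod afterwards, and checks the result. KEY_PASS and the file names are placeholders.

```sh
#!/bin/sh
# Added example: passphrase on/off without prompts, and a permissions check.
# openssl pkey works for RSA and EC; the page's openssl rsa handles RSA only.
# $KEY_PASS and all paths are placeholders.
set -e

# encrypt_key IN OUT: write IN as an AES-256 encrypted PKCS#8 key; passphrase from $KEY_PASS
encrypt_key() {
  (umask 077 && openssl pkey -in "$1" -aes-256-cbc -passout env:KEY_PASS -out "$2")
}

# decrypt_key IN OUT: strip the passphrase so a service can load OUT unattended at boot.
# umask 077 in a subshell: OUT is created 0600, so there is no window in which it is
# world-readable (a chmod after the fact leaves one).
decrypt_key() {
  (umask 077 && openssl pkey -in "$1" -passin env:KEY_PASS -out "$2")
}

# key_mode FILE: permission bits in octal (GNU stat first, BSD/macOS stat as fallback)
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_private FILE: true when only the owner can read the file
key_is_private() {
  [ "$(key_mode "$1")" = 600 ]
}

# Demonstration: EC key -> encrypted copy -> decrypted service copy
demo=$(mktemp -d)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$demo/plain.key"
KEY_PASS='change-me-before-use'; export KEY_PASS   # placeholder passphrase
encrypt_key "$demo/plain.key" "$demo/encrypted.key"
decrypt_key "$demo/encrypted.key" "$demo/server.key"
echo "encrypted header : $(head -n 1 "$demo/encrypted.key")"
echo "service key mode : $(key_mode "$demo/server.key")"
if key_is_private "$demo/server.key"; then
  echo "server.key is readable by its owner only"
else
  echo "WARNING: server.key is readable by others"
fi
rm -rf "$demo"
```

Run key_is_private against every key file a service loads as part of the deployment check; a key that was copied around with scp or unpacked from an archive often arrives as 0644.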
Related Tools
- OpenSSL Commands Cheat Sheet — quick reference for all common OpenSSL commands
Related Guides
- What is a Certificate Authority and how PKI works
- How to install an SSL certificate on Nginx
- How to install an SSL certificate on Apache
- How to renew certificates with Let’s Encrypt (Certbot)
- How to manage certificates in Windows Certificate Store
