SSL/TLS Certificate Cheat Sheet

I need to overhaul this to become a cheat sheet.

Also, I just found out about, and I need to try them out (and donate if I like them).

The usual order of things when establishing a new site is to ...

  1. Create a private key
  2. Create a Certificate Signing Request (CSR)
  3. Submit the CSR to a Certification Authority (CA)
  4. Receive a signed certificate from the CA
  5. Install the key and certificate on the server

If you are making a certificate for your own purposes and don't need it signed (you can store exceptions for your own certificate), then ...

  1. Create a private key
  2. Create a self-signed certificate
  3. Install the key and certificate on the server

Unless otherwise specified, certificate and key files are in X.509 PEM format. Apache httpd uses this format.

Create (Private) Key

This creates a 2048-bit RSA key (with no password protection).

openssl genrsa -out ${NAME}.key 2048

Create Certificate Signing Request (CSR)

To get a signed certificate from a Certification Authority, you must create and submit a CSR. This command creates one with SHA-256.

You will be prompted for the identity information to include in the certificate. For web sites, it is important that the "Common Name" matches the FQDN of the site.

openssl req -new -sha256 -key ${NAME}.key -out ${NAME}.csr

Create Self-Signed Certificate

If you don't need your certificate signed by Certification Authority, you can just create a self-signed certificate from your key. This command creates a self-signed certificate that expires in ten years.

You will be prompted for the identity information to include in the certificate. For web sites, it is important that the "Common Name" matches the FQDN of the site.

openssl req -new -x509 -key ${NAME}.key -out ${NAME}.crt -days 3650

Display Certificate Signing Request (CSR)

To display the contents of a CSR:

openssl req -in ${NAME}.csr -text -noout | more

Display Certificate

To display the contents of a certificate:

openssl x509 -in ${NAME}.crt -text -noout | more

Check Private Key

If for some reason you want to check the validity of a private key, you can use this command.

openssl rsa -in ${NAME}.key -check

Convert PFX/P12 to PEM and Private Key

This command converts a PFX file to PEM format. It's important to note that the output file will contain the private key and all of the certificates. This probably can't be used directly by Apache httpd, and it also makes it impossible to set file security appropriatly for the private key versus the public certificates. You can use a text editor to divide up the pieces.

openssl pkcs12 -in ${NAME}.pfx -out ${NAME}.crt+key -nodes

Alternatively, you can execute separate commands to extract each component. If there are multiple CA certificates, they will all end up in the output file of the last command.

openssl pkcs12 -in ${NAME}.pfx -out ${NAME}.key -nodes -nocerts
openssl pkcs12 -in ${NAME}.pfx -out ${NAME}.crt -nodes -clcerts -nokeys
openssl pkcs12 -in ${NAME}.pfx -out CAcert.crt -nodes -cacerts -nokeys

Convert PEM and Private Key to PFX/P12

This bundles up a private key, certificate, and CA certificate into a single PFX file.

openssl pkcs12 -export -out ${NAME}.pfx -inkey ${NAME}.key -in ${NAME}.crt -certfile CAcert.crt

Verify Match

To verify that the key matches the certificate and/or the CSR, execute the following. The md5 hashes should match.

openssl x509 -noout -modulus -in ${NAME}.crt | openssl md5
openssl rsa -noout -modulus -in ${NAME}.key | openssl md5
openssl req -noout -modulus -in ${NAME}.csr | openssl md5

Okay, so I create SSL certificates infrequently enough that I can't just remember the procedure and syntax for doing so. However, I do it often enough to warrant a web page on the subject -- especially since the places I currently refer to may go away some day.

To be clear, this procedure is for Apache with mod_ssl. It is also good for other things that use the OpenSSL library (like IMAP-UW).

Creating an SSL Key and CSR

Okay, I normally do this in the /usr/local/certs directory. The steps I follow are to:

  1. Select a passphrase for the key, and because I'll never use it again, store it in a little text file with a .pw extension
  2. Create the private key
  3. Create a version of the private key that doesn't contain the passphrase, since I don't want to manually type passphrases every time the web server is started
  4. Create a Certificate Signing Request (CSR)

The only trick to this is that, when creating the CSR, the "Common Name" must be the FQDN of the web site it will be associated with. For example, if the certificate will be used at "", the Common Name should be set to "".

The CSR is sent to the signing authority, and they sign it and send back a certificate.

Below are the exact steps I follow when I do this (replace "server" with a name associated with your web site):

openssl genrsa -des3 -out 1024
openssl rsa -in -out server.key
openssl req -new -key server.key -out server.csr

Self-Signed Certificates

NOTE: See the "simple" instructions below. I may have been doing this the hard way for many, many years.

To sign your own certificates, you need to create a Certificate Authority. You should only have to do this once (well, every 365 days perhaps).

openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Note that there is nothing magic about 365. If you don't want to mess with this every year, you can sign it for a much larger number of days.

If you already have a ca.crt, you can use the script to sign CSRs. The script is found in the mod_ssl source distribution, and I normally stick it in /usr/local/bin for ease of use. The script signs the CSR and outputs a server.csr file. server.csr

Apache Configuration

Yeah, I should probably write about how to reference the files from Apache, but I'm too lazy, and there should be good examples in the config file already. Maybe later.


There is a FAQ over at which has some good information about certificates and using the openssl utility.

Simple Self-Signed Certificates?

Could it really be this simple?

openssl genrsa -out server.key 2048
openssl req -new -x509 -key server.key -out server.cert -days 3650

Be sure to supply the FQDN of the web site when asked for the Common Name.