Search Authority

Master OpenSSL Creating Certificate: A Step-by-Step Guide

Creating digital certificates with OpenSSL is a foundational skill for securing web services, APIs, and internal infrastructure. This guide walks through the most common command...

Mara Ellison Jul 11, 2026
Master OpenSSL Creating Certificate: A Step-by-Step Guide

Creating digital certificates with OpenSSL is a foundational skill for securing web services, APIs, and internal infrastructure. This guide walks through the most common commands and configurations needed to generate reliable certificate authority (CA) materials and server certificates.

OpenSSL provides a flexible command-line toolkit that lets you control subject details, key sizes, extensions, and validity periods. Understanding these options helps you align certificates with organizational policies and compliance requirements.

Key Size Signature Algorithm Validity (days) Typical Use Case
2048-bit RSA SHA-256 with RSA 365 Legacy systems, internal PKI
4096-bit RSA SHA-384 with RSA 730 Long-term root CAs, high-assurance scenarios
256-bit EC SHA-256 with ECDSA 365 Web servers, mobile apps, performance-sensitive services
384-bit EC SHA-384 with ECDSA 730 High-security web services, TLS termination

Generate a Private Key and Self-Signed Certificate

Start by creating a private key and a corresponding self-signed certificate in a single step. This pattern is useful for testing, development, and intermediate certificate signing operations.

The command specifies the key algorithm, size, and output format, then produces a certificate with customizable subject fields. You define the organization, common name, and validity window directly in the command or configuration file.

Subject Alternative Names and Extensions

When securing modern services, you must include Subject Alternative Names (SAN) and key usage extensions. These extensions ensure the certificate works correctly with browsers, Kubernetes, and API clients.

Use an OpenSSL configuration file to cleanly manage SAN lists, key purposes, and extended key usage values. This approach reduces command-line complexity and makes reuse easier across multiple certificates.

Build a Private Root Certificate Authority

A private root CA lets you sign server and client certificates for internal services. You first generate a strong root key, carefully protect it, and then produce a self-signed root certificate.

This root certificate becomes the anchor for your internal PKI. Servers and clients that trust this root will automatically trust any certificates you sign with your private key.

Root CA Configuration Best Practices

Use a separate OpenSSL configuration file to define distinguished name fields, certificate extensions, and policy settings. Keep the root key offline and access-controlled, and reserve it for signing operations only.

Issue a Certificate Signing Request and Produce a Signed Server Certificate

In production environments, you typically generate a Certificate Signing Request (CSR) on the server where the certificate will be used. The CSR contains the public key and subject details without exposing the private key.

You then submit the CSR to your private CA or a public Certificate Authority. The CA signs the CSR and returns a server certificate that you install alongside the original private key.

Key Options and Extensions for Servers

Choose between RSA and EC keys based on your performance and compatibility needs. For web servers, ECDSA keys with P-384 provide strong security and broad modern support.

Include extended key usage for server authentication, and set basic constraints appropriately. Properly limit certificate paths and define key usage flags to follow least-privilege principles.

Secure Key Management and Renewal Workflows

Managing private keys and certificates at scale requires automation, monitoring, and secure storage. Plan for rotation, revocation, and recovery so that service disruptions are unlikely even when keys expire.

Use hardware security modules or key management services where possible, and audit access to key material. Automated renewal pipelines help you avoid expired certificates and reduce manual errors.

Operational Best Practices for Certificate Lifecycle Management

  • Store root keys in offline, hardware-backed storage and limit their use to signing operations.
  • Automate renewal pipelines with scripts or tools and monitor expiration dates centrally.
  • Maintain a revocation strategy using CRLs or OCSP and keep CA certificates consistent across environments.
  • Document key sizes, signature algorithms, and SAN policies to ensure consistency across services.
  • Separate test, staging, and production PKI so that experiments do not affect customer trust.

FAQ

Reader questions

How can I check the details of an existing certificate file?

Use openssl x509 -in cert.pem -text -noout to view the subject, issuer, validity, and extensions in human-readable form.

What is the safest way to protect a private key with a passphrase?

Generate the key with openssl genpkey and -aes-256-cbc or similar, then store the passphrase in a secrets manager accessible only to authorized automation.

How do I create a certificate that includes multiple SAN entries?

Define a configuration file with a [req] section and a [v3_ext] section listing DNS, IP, and URI SAN values, then reference it during signing.

Can I convert a PEM certificate into PFX for use on Windows servers?

Yes, use openssl pkcs12 -export with the private key, certificate, and any CA chain to produce a PFX file that Windows services can import.

Related Reading

More pages in this topic cluster.

Baby Growth Spurts: Navigating Rapid Developmental Leaps

Baby growth spurts are rapid increases in weight and length that can transform a sleepy newborn into a more demanding, fussier feeder almost overnight. These short but intense p...

Read next
Olecranon Process Anatomy: The Elbow's Key Bone Structure

The olecranon process is the prominent bony point of the elbow, forming the upper extremity of the ulna. It functions as a lever arm that transmits forces from the triceps muscl...

Read next
Mastering Economics Current Account: Balance, Trade & Prosperity

The economics current account captures a nation's net transactions with the rest of the world, including trade in goods and services, primary income, and secondary transfers. Un...

Read next