Creating digital certificates with OpenSSL is a foundational skill for securing web services, APIs, and internal infrastructure. This guide walks through the most common commands and configurations needed to generate reliable certificate authority (CA) materials and server certificates.
OpenSSL provides a flexible command-line toolkit that lets you control subject details, key sizes, extensions, and validity periods. Understanding these options helps you align certificates with organizational policies and compliance requirements.
| Key Size | Signature Algorithm | Validity (days) | Typical Use Case |
|---|---|---|---|
| 2048-bit RSA | SHA-256 with RSA | 365 | Legacy systems, internal PKI |
| 4096-bit RSA | SHA-384 with RSA | 730 | Long-term root CAs, high-assurance scenarios |
| 256-bit EC | SHA-256 with ECDSA | 365 | Web servers, mobile apps, performance-sensitive services |
| 384-bit EC | SHA-384 with ECDSA | 730 | High-security web services, TLS termination |
Generate a Private Key and Self-Signed Certificate
Start by creating a private key and a corresponding self-signed certificate in a single step. This pattern is useful for testing, development, and intermediate certificate signing operations.
The command specifies the key algorithm, size, and output format, then produces a certificate with customizable subject fields. You define the organization, common name, and validity window directly in the command or configuration file.
Subject Alternative Names and Extensions
When securing modern services, you must include Subject Alternative Names (SAN) and key usage extensions. These extensions ensure the certificate works correctly with browsers, Kubernetes, and API clients.
Use an OpenSSL configuration file to cleanly manage SAN lists, key purposes, and extended key usage values. This approach reduces command-line complexity and makes reuse easier across multiple certificates.
Build a Private Root Certificate Authority
A private root CA lets you sign server and client certificates for internal services. You first generate a strong root key, carefully protect it, and then produce a self-signed root certificate.
This root certificate becomes the anchor for your internal PKI. Servers and clients that trust this root will automatically trust any certificates you sign with your private key.
Root CA Configuration Best Practices
Use a separate OpenSSL configuration file to define distinguished name fields, certificate extensions, and policy settings. Keep the root key offline and access-controlled, and reserve it for signing operations only.
Issue a Certificate Signing Request and Produce a Signed Server Certificate
In production environments, you typically generate a Certificate Signing Request (CSR) on the server where the certificate will be used. The CSR contains the public key and subject details without exposing the private key.
You then submit the CSR to your private CA or a public Certificate Authority. The CA signs the CSR and returns a server certificate that you install alongside the original private key.
Key Options and Extensions for Servers
Choose between RSA and EC keys based on your performance and compatibility needs. For web servers, ECDSA keys with P-384 provide strong security and broad modern support.
Include extended key usage for server authentication, and set basic constraints appropriately. Properly limit certificate paths and define key usage flags to follow least-privilege principles.
Secure Key Management and Renewal Workflows
Managing private keys and certificates at scale requires automation, monitoring, and secure storage. Plan for rotation, revocation, and recovery so that service disruptions are unlikely even when keys expire.
Use hardware security modules or key management services where possible, and audit access to key material. Automated renewal pipelines help you avoid expired certificates and reduce manual errors.
Operational Best Practices for Certificate Lifecycle Management
- Store root keys in offline, hardware-backed storage and limit their use to signing operations.
- Automate renewal pipelines with scripts or tools and monitor expiration dates centrally.
- Maintain a revocation strategy using CRLs or OCSP and keep CA certificates consistent across environments.
- Document key sizes, signature algorithms, and SAN policies to ensure consistency across services.
- Separate test, staging, and production PKI so that experiments do not affect customer trust.
FAQ
Reader questions
How can I check the details of an existing certificate file?
Use openssl x509 -in cert.pem -text -noout to view the subject, issuer, validity, and extensions in human-readable form.
What is the safest way to protect a private key with a passphrase?
Generate the key with openssl genpkey and -aes-256-cbc or similar, then store the passphrase in a secrets manager accessible only to authorized automation.
How do I create a certificate that includes multiple SAN entries?
Define a configuration file with a [req] section and a [v3_ext] section listing DNS, IP, and URI SAN values, then reference it during signing.
Can I convert a PEM certificate into PFX for use on Windows servers?
Yes, use openssl pkcs12 -export with the private key, certificate, and any CA chain to produce a PFX file that Windows services can import.