OpenSSL: How to Generate Signed Certificate and Keys

In this article we will see how we can use the OpenSSL library command line tool to generate a self-signed certificate. As known, the OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers. (cf: wikipedia)

Step 1 — Check That OpenSSL Is Installed On Your Machine

OpenSSL is basically our command line tool and it’s open source and it’s available for both Windows and Linux right now I’m on my linux machine so if you don’t have openSSL installed on your machine make sure -you to download and configure it first, you can download it from the official side of openSS at this link: openssl-src

Once you have launched openSSL on your machine, you can check by running this command which will display the version of the openSSL library if it is installed:

➜ openssl version   
LibreSSL 2.8.3

Step 2 — How To Generate A Key Pair With OpenSSL ?

Once you get the confirmation that openSSL is properly configured and available on your machine now, we can proceed with the steps we detailed earlier in our plan:

Carry out the first important thing which is to generate the key pair, to do so we will use this command:

➜ openssl genrsa -out freecoder-ssltuto.key 2048

Using this command, I generate the key-pair with the RSA algorithm and with 2048 bit encoding and will be generated in a file named: freecoder-ssltuto.key.

Step 3 — How To Extract A Public Key From The Key Pair Using OpenSSL ?

Now, we are going to see how to extract a public key from the key pair (key-pair) because the key pair contains both the private key as well as the public key, so if you need to extract a public key, it is the following command that we need to use:

➜ openssl rsa -in freecoder-ssltuto.key -pubout -out freecoder-ssltuto_public.key

This command takes different arguments:

  • (-in) the key-pair: freecoder-ssltuto.key 
  • (-pubout) used to generate the public key
  • (-out) the output public key file

Step 4 — How To Generate A Certificate Signing Request – CSR ?

1- We first create a pair of keys

2- We create a certificate signing request (CSR)

3- The CSR is then delivered to a CA certification authority which will provide you with signed certificates.

In order to simplify all of this, in this tutorial we are going to create a CSR, and then we will do it self-signed.

So starting by creating our CSR using the following command:

➜ openssl req -new  -key freecoder-ssltuto.key  -out freecoder-ssltuto.csr

-new: to create a new CSR file

-key: the key used to generate the CSR 

-out: the name of the output CSR file


It is very important to fill in all the information of your CSR before passing it to the CA for signature.

In our case, we did not complete all the requested fields as we will not be obtaining a certificate signed by a certification authority, but rather creating a self-signed certificate.

Step 5 — How To Generate Self-Signed Certificates ?

For self-signature we will have to use the following command:

➜ openssl x509 -in freecoder-ssltuto.csr -out freecode-ssltuto.crt -req -signkey freecoder-ssltuto.key -days 365
  • X509: utility to sign a certificate
  • -in: file to be self-signed with the private key
  • -req -signkey: command to define the private key that will be used for self-signature.



OpenSSL is a robust, complex, and comprehensive network library. Although this article only covers a small portion of the functionality it provides, these are common and important operations performed by system administrators, and it remains an excellent foundation for new developers. In a separate article, we have covered an advanced approaches.

Default image

With 15+ years in low-level development, I'm passionate about crafting clean, maintainable code.

I believe in readable coding, rigorous testing, and concise solutions.

Articles: 20