RESOURCES
- AUSTOR NAS – CREATING CERT
- https://support.asustor.com/index.php?/Knowledgebase/Article/View/166/22/how-to-genertate-a-self-signed-certificate-for-asustor-nas
- FOR MAC: https://support.asustor.com/index.php?/Default/Knowledgebase/Article/View/216/22/how-to-genertate-a-self-signed-certificate-for-asustor-nas-on-mac<
-
- MORE TUTORIALS
- https://www.ssls.com/knowledgebase/how-can-i-find-the-private-key-for-my-ssl-certificate/
- https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs
- DANGER:::::
- Cryptography Toolkit
A web-based collection of cryptography tools for schemes/algorithms used in Bitcoin and LND.
https://github.com/guggero/cryptography-toolkit
https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
OpenSSL Quick Reference Guide
Learn how to use the most common OpenSSL commands
OpenSSL is an open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information. We designed this quick reference guide to help you understand the most common OpenSSL commands and how to use them.
This guide is not meant to be comprehensive. If you're looking for a more in-depth and comprehensive look at OpenSSL, we recommend you check out the by Ivan Ristić.
Guide Notes: Ubuntu 16.04.3 LTS was the system used to write this guide.
Some command examples use a '**' (backslash) to create a line break to make them easier to understand.
If you don't have the time to get into the nitty-gritty of OpenSSL commands and CSR generation, or you want to save some time, check out our OpenSSL CSR Wizard.
Checking Your OpenSSL Version
Identifying which version of OpenSSL you are using is an important first step when preparing to generate a private key or CSR. Your version of OpenSSL dictates which cryptographic algorithms can be used when generating keys as well as which protocols are supported. For example, OpenSSL version 1.0.1 was the first version to support TLS 1.1 and TLS 1.2. Knowing which version of OpenSSL you are using is also important when getting help troubleshooting problems you may run into.
Use the following command to identify which version of OpenSSL you are running:
openssl version -a
In this command, the -a switch displays complete version information, including:
- The version number and version release date (OpenSSL 1.0.2g 1 Mar 2016).
- The options that were built with the library (options).
- The directory where certificates and private keys are stored (OPENSSLDIR).
Using the openssl version -a command, the following output was generated:
**OpenSSL 1.0.2g 1 Mar 2016** built on: reproducible build, date unspecified platform: debian-amd64 **options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)** compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS - D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector- strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,- Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int - DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 - DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM - DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM **OPENSSLDIR: "/usr/lib/ssl"**
OpenSSL and CSR Creation
The first step to obtaining an SSL certificate is using OpenSSL to create a certificate signing request (CSR) that can be sent to a Certificate Authority (CA) (e.g., DigiCert). The CSR contains the common name(s) you want your certificate to secure, information about your company, and your public key. In order for a CSR to be created, it needs to have a private key from which the public key is extracted. This can be done by using an existing private key or generating a new private key.
Security Note: Because of the security issues associated with using an existing private key, and because it's very easy and entirely free to create a private key, we recommend you generate a brand new private key whenever you create a CSR.
Deciding on Key Generation Options
When generating a key, you have to decide three things: the key algorithm, the key size, and whether to use a passphrase.
Key Algorithm
For the key algorithm, you need to take into account its compatibility. For this reason, we recommend you use RSA. However, if you have a specific need to use another algorithm (such as ECDSA), you can use that too, but be aware of the compatibility issues you might run into.
Note: This guide only covers generating keys using the RSA algorithm.
Key Size
For the key size, you need to select a bit length of at least 2048 when using RSA and 256 when using ECDSA; these are the smallest key sizes allowed for SSL certificates. Unless you need to use a larger key size, we recommend sticking with 2048 with RSA and 256 with ECDSA.
Note: In older versions of OpenSSL, if no key size is specified, the default key size of 512 is used. Any key size lower than 2048 is considered unsecure and should never be used.
Passphrase
For the passphrase, you need to decide whether you want to use one. If used, the private key will be encrypted using the specified encryption method, and it will be impossible to use without the passphrase. Because there are pros and cons with both options, it's important you understand the implications of using or not using a passphrase. In this guide, we will not be using a passphrase in our examples.
Generating Your Private Key
After deciding on a key algorithm, key size, and whether to use a passphrase, you are ready to generate your private key.
Use the following command to generate your private key using the RSA algorithm:
openssl genrsa -out yourdomain.key 2048
This command generates a private key in your current directory named yourdomain.key (-out yourdomain.key) using the RSA algorithm (genrsa) with a key length of 2048 bits (2048). The generated key is created using the OpenSSL format called PEM.
Use the following command to view the raw, encoded contents (PEM format) of the private key:
cat yourdomain.key
Even though the contents of the file might look like a random chunk of text, it actually contains important information about the key.
Use the following command to decode the private key and view its contents:
openssl rsa -text -in yourdomain.key -noout
The -noout switch omits the output of the encoded version of the private key.
Extracting Your Public Key
The private key file contains both the private key and the public key. You can extract your public key from your private key file if needed.
Use the following command to extract your public key:
openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key
Creating Your CSR
After generating your private key, you are ready to create your CSR. The CSR is created using the PEM format and contains the public key portion of the private key as well as information about you (or your company).
Use the following command to create a CSR using your newly generated private key:
openssl req -new -key yourdomain.key -out yourdomain.csr
After entering the command, you will be asked series of questions. Your answers to these questions will be embedded in the CSR. Answer the questions as described below:
Country Name (2 letter code) | The two-letter country code where your company is legally located. |
---|---|
State or Province Name (full name) | The state/province where your company is legally located. |
Locality Name (e.g., city) | The city where your company is legally located. |
Organization Name (e.g., company) | Your company's legally registered name (e.g., YourCompany, Inc.). |
Organizational Unit Name (e.g., section) | The name of your department within the organization. (You can leave this option blank; simply press Enter.) |
Common Name (e.g., server FQDN) | The fully-qualified domain name (FQDN) (e.g., www.example.com). |
Email Address | Your email address. (You can leave this option blank; simply press Enter.) |
A challenge password | Leave this option blank (simply press Enter). |
An optional company name | Leave this option blank (simply press Enter). |
Some of the above CSR questions have default values that will be used if you leave the answer blank and press Enter. These default values are pulled from the OpenSSL configuration file located in the OPENSSLDIR (see Checking Your OpenSSL Version). If you want to leave a question blank without using the default value, type a "." (period) and press Enter.
Using the -subj Switch
Another option when creating a CSR is to provide all the necessary information within the command itself by using the -subj switch.
Use the following command to disable question prompts when generating a CSR:
openssl req -new -key yourdomain.key -out yourdomain.csr \ -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command uses your private key file (-key yourdomain.key) to create a new CSR (-out yourdomain.csr) and disables question prompts by providing the CSR information (-subj).
Creating Your CSR with One Command
Instead of generating a private key and then creating a CSR in two separate steps, you can actually perform both tasks at once.
Use the following command to create both the private key and CSR:
openssl req -new \ -newkey rsa:2048 -nodes -keyout yourdomain.key \ -out yourdomain.csr \ -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command generates a new private key (-newkey) using the RSA algorithm with a 2048-bit key length (rsa:2048) without using a passphrase (-nodes) and then creates the key file with a name of yourdomain.key (-keyout yourdomain.key).
The command then generates the CSR with a filename of yourdomain.csr (-out yourdomain.csr) and the information for the CSR is supplied (-subj).
Note: While it is possible to add a subject alternative name (SAN) to a CSR using OpenSSL, the process is a bit complicated and involved. If you do need to add a SAN to your certificate, this can easily be done by adding them to the order form when purchasing your DigiCert certificate.
Verifying CSR Information
After creating your CSR using your private key, we recommend verifying that the information contained in the CSR is correct and that the file hasn't been modified or corrupted.
Use the following command to view the information in your CSR before submitting it to a CA (e.g., DigiCert):
openssl req -text -in yourdomain.csr -noout -verify
The -noout switch omits the output of the encoded version of the CSR. The -verify switch checks the signature of the file to make sure it hasn't been modified.
Running this command provides you with the following output:
**verify OK** Certificate Request: Data: Version: 0 (0x0) **Subject: C=US, ST=Utah, L=Lehi, O=Your Company, Inc., OU=IT, CN=yourdomain.com** Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bb:31:71:40:81:2c:8e:fb:89:25:7c:0e:cb:76: [...17 lines removed] Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 0b:9b:23:b5:1f:8d:c9:cd:59:bf:b7:e5:11:ab:f0:e8:b9:f6: [...14 lines removed]
On the first line of the above output, you can see that the CSR was verified (verify OK). On the fourth line, the Subject: field contains the information you provided when you created the CSR. Make sure this information is correct.
If any of the information is wrong, you will need to create an entirely new CSR to fix the errors. This is because CSR files are digitally signed, meaning if even a single character is changed in the file it will be rejected by the CA.
Sending the CSR to the CA
When you are ready to send the CSR to the CA (e.g., DigiCert), you need to do so using the PEM format—the raw, encoded text of the CSR that you see when opening it in a text editor.
Use the following command to view the raw output of the CSR:
cat yourdomain.csr
You must copy the entire contents of the output (including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines) and paste it into your DigiCert order form.
Ready to order your SSL certificate?
Viewing Certificate Information
After receiving your certificate from the CA (e.g., DigiCert), we recommend making sure the information in the certificate is correct and matches your private key. You do this by using the x509 command.
Use the following command to view the contents of your certificate:
openssl x509 -text -in yourdomain.crt -noout
Verifying Your Keys Match
To verify the public and private keys match, extract the public key from each file and generate a hash output for it. All three files should share the same public key and the same hash value.
Use the following commands to generate a hash of each file's public key:
openssl pkey -pubout -in .\private.key | openssl sha256``openssl req -pubkey -in .\request.csr -noout | openssl sha256``openssl x509 -pubkey -in .\certificate.crt -noout | openssl sha256
Note: The above commands should be entered one by one to generate three separate outputs.
Each command will output (stdin)= followed by a string of characters. If the output of each command matches, then the keys for each file are the same. However, if there is any mismatch, then the keys are not the same and the certificate cannot be installed.
Key mismatch errors are typically caused by installing a certificate on a machine different from the one used to generate the CSR. If you run into a key mismatch error, you need to do one of the following:
- Transfer the private key from the machine used to generate the CSR to the one you are trying to install the certificate on.
- Install the certificate on the machine with the private key.
- Generate an entirely new key and create a new CSR on the machine that will use the certificate.
Converting Certificate Formats
By default, OpenSSL generates keys and CSRs using the PEM format. However, there might be occasions where you need to convert your key or certificate into a different format in order to export it to another system.
PEM to PKCS#12
The PKCS#12 format is an archival file that stores both the certificate and the private key. This format is useful for migrating certificates and keys from one system to another as it contains all the necessary files. PKCS#12 files use either the .pfx or .p12 file extension.
Use the following command to convert your PEM key and certificate into the PKCS#12 format (i.e., a single .pfx file):
openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \ -out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt
Note: After you enter the command, you will be asked to provide a password to encrypt the file. Because the PKCS#12 format is often used for system migration, we recommend encrypting the file using a very strong password.
This command combines your private key (-inkey yourdomain.key) and your certificate (-in yourdomain.crt) into a single .pfx file (-out yourdomain.pfx) with a friendly name (-name "yourdomain-digicert-(expiration date)"), where the expiration date is the date that the certificate expires.
PKCS#12 to PEM
Because the PKCS#12 format contains both the certificate and private key, you need to use two separate commands to convert a .pfx file back into the PEM format.
Use the following command to extract the private key from a PKCS#12 (.pfx) file and convert it into a PEM encoded private key:
openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes
Use the following command to extract the certificate from a PKCS#12 (.pfx) file and convert it into a PEM encoded certificate:
openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt
Note: You will need to provide the password used to encrypt the .pfx file in order to convert the key and certificate into the PEM format.
PEM to DER
The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., .key, .crt, and .csr). The file extension .der was used in the below examples for clarity.
Use the following command to convert a PEM encoded certificate into a DER encoded certificate:
openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der
Use the following command to convert a PEM encoded private key into a DER encoded private key:
openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der
DER to PEM
Use the following command to convert a DER encoded certificate into a PEM encoded certificate:
openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt
Use the following command to convert a DER encoded private key into a PEM encoded private key:
openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key
OpenSSL CSR Creation
OpenSSL CSR Wizard
Our OpenSSL CSR Wizard is the fastest way to create your CSR for Apache (or any platform) using OpenSSL.
Fill in the details, click Generate, then paste your customized OpenSSL CSR command in to your terminal.
Note: After 2015, certificates for internal names will no longer be trusted.
After you've created a Certificate Signing Request (CSR) and ordered your certificate, you still need to install the SSL certificate on your server.
For instructions on how to install SSL certificates, see SSL Certificate Installation Instructions & Tutorials.
Where do I paste this command?
You can run this command wherever you have OpenSSL available—most likely on your server, but you can also run it on your own computer since macOS comes with OpenSSL installed. Just make sure you keep track of your private key file after you create your CSR; you'll need that private key to install your certificate.
What happens when I run this command?
OpenSSL creates both your private key and your certificate signing request, and saves them to two files: your_common_name.key, and your_common_name.csr. You can then copy the contents of the CSR file and paste it into the CSR text box in our order form.
What kind of certificate should I buy?
If you want an SSL certificate for Apache, your best options are Standard certificates and Wildcard certificates.
A DigiCert Wildcard can protect all server names on your domain (e.g., *.example.com,).
Standard certificates are able to protect one server name (e.g., mail.example.com). If you only need SSL for one hostname, a Standard certificate will work perfectly.
What If I Need Subject Alternative Names?
Multi-Domain (SAN) certificates allow you to assign multiple host names—known as Subject Alternative Names or SANs—in one certificate.
Using OpenSSL to Add Subject Alternative Names to a CSR is a complicated task. Our advice is to skip the hassle, use your most important server name as the Common Name in the CSR, and then specify the other names during the order process. Our Multi-Domain (SAN) certificate ordering process allows you to specify all the names you need without making you include them in the CSR.
You can also use OpenSSL to create a certificate request for your code signing certificate.
Si desea información en español a Hacer un CSR Utilizando OpenSSL.
Related:
- Learn more about what our Wildcard certificate can do for you.
- Compare DigiCert Wildcard certificates.
- Learn about our Standard certificates
- We also have a similar CSR Tool for Exchange 2007.
TLS/SSL
What Is SSL and why is it important?
Secure Sockets Layer (SSL) certificates, sometimes called digital certificates, are used to establish an encrypted connection between a browser or user’s computer and a server or website.
SSL: SECURE SOCKETS LAYER
SSL is standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). It prevents hackers from seeing or stealing any information transferred, including personal or financial data.
HOW DO SSL CERTIFICATES WORK?
SSL certificates establish an encrypted connection between a website/server and a browser with what’s known as an “SSL handshake.” For visitors to your website, the process is invisible — and instantaneous.
Authentication
For every new session a user begins on your website, their browser and your server exchange and validate each other’s SSL certificates.
Encryption
Your server shares its public key with the browser, which the browser then uses to create and encrypt a pre-master key. This is called the key exchange.
Decryption
The server decrypts the pre-master key with its private key, establishing a secure, encrypted connection used for the duration of the session.
DOES SSL WORK ON ALL DEVICES & SYSTEMS?
The short answer is yes. The long answer is that all major operating systems for
newer computers, tablets and mobile phones support SSL/TLS protocols. If you have
questions about the compatibility of older devices, contact our support team.
BROWSERS
Just as websites are designed to be device and browser agnostic, SSL/TLS is supported by all major web browsers.
SERVERS
An SSL certificate can be supported by any server. It’s up to the browser to determine the security of a server during the handshake process.
Most cloud-based email providers use SSL encryption. Organizations can install an SSL certificate to protect private email servers.
RELATED TERMS
TLS: Transport Layer Security
TLS is an updated, more secure version of SSL. We still refer to our security certificates as SSL because it’s a more common term, but when you buy SSL from DigiCert, you get the most trusted, up-to-date TLS certificates.-9
HTTPS: Hyper Text Protocol Secure
HTTPS appears in the URL when a website is secured by an SSL/TLS certificate. Users can view the details of the certificate, including the issuing authority and the corporate name of the website owner, by clicking the lock symbol on the browser bar.
WHY DO YOU NEED SSL?
SSL isn’t just for ecommerce. It secures all types of information
transferred to and from your website.
CHECKOUT PAGES
Customers are more likely to complete a purchase if they know your checkout area (and the credit card info they share) is secure.
LOGIN PANELS & FORMS
SSL encrypts and protects usernames and passwords, as well as forms used to submit personal information, documents or images.
BLOGS & INFORMATIONAL SITES
Even blogs and websites that don’t collect payments or sensitive information need HTTPS to keep user activity private.
SSL IMPROVES SEO
In 2014, Google called for HTTPS everywhere to improve security across the web — and they rewarded SSL-secured sites with higher rankings. In 2018, Google went beyond search rankings and began punishing sites without SSL certificates by flagging them as “not secure” in the Chrome browser.
HOW DOES TLS/SSL INCREASE TRUST?
Not all TLS/SSL certificates are created equal. Beyond encryption, TLS certificates also authenticate the identity of a website owner. This provides an added layer of security which users can see if they look beyond the lock. Certificates are offered with three levels of this identity verification:
-
Extended Validation SSL Certificates
- Provides the highest level of identity assurance so users can feel safe on your website. That's why banks and trusted retailers use EV to let their customers know they're secure. Only EV certificates provide immediate assurances about the company or parent company that owns a website when users click on the lock.
-
Organization Validated SSL Certificates
-
Domain Validated SSL Certificates
LOOK BEYOND THE LOCK
Just seeing a padlock in the address bar is no longer enough
By clicking on the padlock icon in the URL bar you can verify the identity of the website owner. Unfortunately, most phishing sites today have a padlock and a DV certificate. That's why it's important to look beyond the lock in the URL bar. If a website is not willing to put their identity in the certificate, you shouldn't be willing to share any identifying information with them. If you see the organization's name, now you can make a better decision about who you trust.
Compare Basic SSL / Secure Site SSL / Secure Site Pro
https://www.digicert.com/tls-ssl/compare-certificates
ssl types compared