This assumes that you have already installed OpenSSL on your system.
This assumes you've already created a private key, such as example.com.key. If not, refer to our article on creating a private key.
Certificate Signing Request (CSR)
A CSR file is not required to be able to create a new certificate. However, if you have not created a CSR file, you will be prompted for input when creating the public certificate. If you want to avoid being prompted for values, refer to our article on creating a CSR.
Public certificate (aka X.509)
The public certificate is what is provided to the clients. There is a mathmatical relationship between the public certificate and private key. Both are needed in order for encryption to work.
Interactive Prompt Method
If you have not created a CSR file, then you will prompted for values during the creation of the public certificate. In this example, a public certificate named example.com.crt will be created. Both .crt and .pem are valid file extensions for the certfificate.
openssl x509 -req -days 365 -sha512 -signkey example.com.key -out example.com.crt
If you have created a CSR file, then you will not be prompted for values during the creation of the public certificate. In this scenario, you would use the -in option followed by the csr file. The public certificate will contain the values specified in the CSR file. This is what it means to sign the certificate. Both .crt and .pem are valid file extensions for the certfificate.
openssl x509 -req -days 365 -sha512 -signkey example.com.key -in example.com.csr -out example.com.crt
Let's say your CSR file contains extensions, like this.
x509v3 extensions: x509v3 Subject Alternative Name: DNS:example.com
The -extensions option will need to be included to pass the extensions from the CSR file to the public certificate file. In this example, the extensions in the CSR file are passed into the certificate.
openssl x509 -req -days 365 -sha512 -signkey example.com.key -in example.com.csr -out example.com.crt -extensions v3_ext -extfile example.com.config
The x509 option with the -in -text and -noout flags can be used to view the contents of the public certificate file.
openssl x509 -in example.com.crt -text -noout ... Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WI, L=Appleton, O=Example, OU=Example, CN=www.example.com/emailAddressfirstname.lastname@example.org Not Before: Jul 15 03:06:31 2017 GMT Not After: July 15 03:06:31 2018 GMT Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
Using the public / private key pair
You can now use the public certificate and it's corresponding private key. In this example, the private key and public certificate are placed on the web server. The CSR file is not used by the web server.
Internet facing production applications should use a certificate from a trusted CA, such as verisign.com. For non-production applications, a self-signed certificate can be used. Applications, such as a web browser, will complain when a self-signed certificate is used.
When the client navigates to an HTTPS page, the client will request the public certificate from the web server, and then the public certificate will reside on the clients browser for a period of time. The public certificate on the client and the private key on the server are what is used to encrypt the packets that are exchanged between the client and server over the internet.
The certificate can be viewed by the client.