How to create a public / private key pair using OpenSSL on Linux


A trusted certificate is one purchased from a trusted certificate authority (CA), such as www.verisign.com. Internet-facing production applications should use a certificate from a trusted CA. For non-production applications a self-signed certificate can be used, but applications such as web browsers will warn when a self-signed certificate is presented.


The following files will be created:

Type of file                                          Location
Root Certificate Authority (CA) private key           /etc/pki/tls/private/rootCA.key
Root Certificate Authority (CA) public certificate    /etc/pki/tls/certs/rootCA.pem
Private key                                           /etc/pki/tls/private/example.key
Public certificate                                    /etc/pki/tls/certs/example.crt
Certificate Signing Request (CSR)                     /etc/pki/tls/example.csr



Use apt-get or yum to install OpenSSL.

~]# yum install openssl



Root Certificate Authority - Private Key

A root certificate authority consists of a private key and a public certificate that is signed with that same private key (self-signed). Certificates issued later are signed with the CA's private key, so anyone who trusts the root certificate also trusts them.

Ensure that root owns the directory where the private key is stored, and that only root is allowed to enter, read and write that directory. A directory needs the execute bit in order to be entered, so use mode 700 rather than 600.

~]# chown root:root /etc/pki/tls/private
~]# chmod 700 /etc/pki/tls/private


Move to the /etc/pki/tls/private directory and create the private key.

~]# cd /etc/pki/tls/private
~]# openssl genrsa -out rootCA.key 2048


Ensure only root can read the private key file.

~]# chmod 400 rootCA.key



Root Certificate Authority - Public Certificate

Create the root certificate authority public certificate.

~]# cd /etc/pki/tls/certs
~]# openssl req -x509 -new -nodes -key /etc/pki/tls/private/rootCA.key -sha256 -days 365 -out rootCA.pem



Child Private Key

Move to the /etc/pki/tls/private directory and create the child private key. In this example, a private key for an LDAP server is created.

~]# cd /etc/pki/tls/private
~]# openssl genrsa -out example.key 2048

Ensure only root can read the private key file.

~]# chmod 400 example.key



Certificate Signing Request (CSR)

The certificate signing request (CSR) carries the information that will appear in the public certificate, such as the company name and location, together with the public key. The CA then signs that information to produce the certificate.

Move to the /etc/pki/tls directory, and then create the CSR file. Older OpenSSL releases default to SHA-1 for the request signature, which should no longer be used; add -sha256 or -sha512 after req to select the digest explicitly.

~]# cd /etc/pki/tls
~]# openssl req -new -sha256 -key /etc/pki/tls/private/example.key -out example.csr


There will be a series of prompts.

Area                     Example              Description
Country Name             US                   United States
State/Province           FL                   Florida
Locality Name            Miami                City
Organization Name        Example, Inc.        Company name
Organization Unit Name   Example, Inc.        Department or unit within the company
Common Name              www.example.com      Domain name of the server
Email Address            admin@example.com    Admin email
Password                 optional             optional
Optional Company Name    optional             optional

  • Enter the full host name that clients will connect to as the common name: if the certificate is for www.example.com (and the key is named www.example.com.key), enter www.example.com, not just example.com.
  • Entering a passphrase is more secure, but it adds a layer of complexity when it comes to automation.



Public certificate

Change to the certs directory, and create the public certificate. The certificate is produced by signing the CSR with the root CA's private key, so it becomes a child of the root certificate authority.

~]# cd /etc/pki/tls/certs
~]# openssl x509 -req -days 365 -in /etc/pki/tls/example.csr -CA /etc/pki/tls/certs/rootCA.pem -CAkey /etc/pki/tls/private/rootCA.key -CAcreateserial -out /etc/pki/tls/certs/example.crt -sha256
Signature ok
Getting CA Private key
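The whole procedure above, from root CA key to signed child certificate, as one script, followed by the checks a practitioner runs before deploying the result: that the certificate chains to the root, that the private key actually belongs to the certificate, that the signature uses SHA-256, and that the file and directory modes are what the steps intended. This is an added example and not code from the original page; it assumes a scratch directory (created with mktemp) in place of /etc/pki/tls so it can run unprivileged, the host name www.example.com for the server, and the subject fields from the prompt table. It also adds a subjectAltName extension when signing, which the page's own command does not include but current clients require.

```sh
#!/bin/sh
# Added example, not from the original page: the procedure above as a script
# that builds a throwaway PKI in a scratch directory and then checks it.
# Assumptions: a scratch directory instead of /etc/pki/tls, the server host
# name www.example.com, and the subject fields from the prompt table.
set -eu

SUBJ_BASE="/C=US/ST=FL/L=Miami/O=Example Inc"

# Build the full chain under directory $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"      # a directory needs the x bit to be entered

    # Root CA private key, readable only by its owner.
    openssl genrsa -out "$dir/private/rootCA.key" 2048 2>/dev/null
    chmod 400 "$dir/private/rootCA.key"

    # Self-signed root certificate; -subj replaces the interactive prompts.
    openssl req -x509 -new -nodes -sha256 -days 365 \
        -key "$dir/private/rootCA.key" \
        -subj "$SUBJ_BASE/CN=Example Root CA" \
        -out "$dir/certs/rootCA.pem"

    # Server private key, then the CSR carrying the subject and public key.
    openssl genrsa -out "$dir/private/example.key" 2048 2>/dev/null
    chmod 400 "$dir/private/example.key"
    openssl req -new -sha256 -key "$dir/private/example.key" \
        -subj "$SUBJ_BASE/CN=www.example.com" \
        -out "$dir/example.csr"

    # The CA signs the CSR. The extension file adds a subjectAltName, which
    # current clients require, and marks the result as a non-CA certificate.
    printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' \
        > "$dir/example.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/example.csr" \
        -CA "$dir/certs/rootCA.pem" -CAkey "$dir/private/rootCA.key" \
        -CAcreateserial -extfile "$dir/example.ext" \
        -out "$dir/certs/example.crt" 2>/dev/null
}

# Succeed only if certificate $2 chains to the CA certificate $1.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the signature algorithm recorded in certificate $1.
sig_algorithm() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the mode string of $1, e.g. drwx------ or -r--------.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone run: build everything in a scratch directory and report.
DEMO_DIR=$(mktemp -d)
build_pki "$DEMO_DIR"
verify_cert "$DEMO_DIR/certs/rootCA.pem" "$DEMO_DIR/certs/example.crt" \
    && echo "example.crt chains to rootCA.pem"
echo "signature: $(sig_algorithm "$DEMO_DIR/certs/example.crt")"
echo "private dir mode: $(mode_string "$DEMO_DIR/private")"
```

The key/certificate comparison hashes the public key from both files and compares the hashes; a mismatch is the usual cause of "key values mismatch" errors when a server is pointed at the wrong .key file. Swapping the arguments to verify_cert (using the child certificate as the CA file) fails, which is the behaviour you want: a certificate only verifies against the CA that actually issued it.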
