OpenSSL for Web Servers
OpenSSL is an open source implementation of the SSL / TLS protocols. It is used to create SSL, TLS and HTTPS connections.
When you want to run a web application with SSL / HTTPS, your web server needs a private key, a public key and a certificate from you. The private key enables your server to prove its identity, and the certificate proves that the public key actually belongs to the server (e.g. that the public key actually belongs to www.jenkov.com).
The private key and public key are created by you. The certificate is created by a certificate authority (CA). Here is the process you go through to obtain a private key, public key and certificate from a CA:
- Generate a private key.
- Generate a public key matching the private key (if that was not already done in step 1).
- Generate a certificate signing request.
- Send the certificate signing request to a certificate authority (CA).
- Receive certificate from certificate authority.
- Install private key and certificate in your web server software.
In this text I will explain how to do all this with OpenSSL (on Ubuntu, but it most likely works the same way on other Linux distributions).
Generating a Private Key
The first step is to generate a private key used for public key / private key (asymmetric) encryption.
This OpenSSL command creates a private key which is 2048 bits long and protected with triple DES encryption. When executed, OpenSSL will prompt you to enter a password to use for the triple DES encryption.
openssl genrsa -des3 -out privatekey.pem 2048
The private key will be written to a file. The private key file will be named privatekey.pem and will be located in the same directory from which you executed the command.
If you do not want the private key protected with encryption, leave out the -des3 option.
This command creates a private key which is 2048 bits long without password encryption of the key file:
openssl genrsa -out privatekey.pem 2048
More info on generating keys: http://www.openssl.org/docs/HOWTO/keys.txt.
Generating a Certificate Signing Request
The second step is to generate a certificate signing request from the private key. Here is the OpenSSL command that creates a certificate signing request:
openssl req -new -key privatekey.pem -out certificate-signing-request.csr
The private key is the file named privatekey.pem. That is the output of the private key generation command earlier. The certificate signing request file is the file named certificate-signing-request.csr. This is the file you will eventually send to a CA.
More information about generating certificate signing requests: http://www.openssl.org/docs/HOWTO/certificates.txt
Sending the Certificate Signing Request to a CA
Once you have a certificate signing request (file) you can send it to a certificate authority (CA). The CA will send you a certificate file back.
Some intermediate CAs may send you several certificates back. One is your certificate, and the rest are the certificate chain needed to trust your certificate. The certificate chain is a chain of certificates from a root CA down to the CA you have used. Web servers typically need all of the certificates in the certificate chain. See your specific web server for more information on how to provide it with the full certificate chain.
I have used https://www.namecheap.com and purchased an SSL certificate via them, from Comodo (NameCheap is an SSL certificate reseller). The cheapest one is around $10, and I got it to work just fine with Nginx. I created the private key and certificate signing request with OpenSSL on Ubuntu.
Generating a Self-signed Test Certificate
In case you just want to test your web application with HTTPS, you can also generate a self-signed certificate with OpenSSL. Here is how that is done (using the privatekey.pem file generated earlier):
openssl req -new -x509 -key privatekey.pem -out self-signed-certificate.pem -days 1095
Notice though, that browsers will show security warnings when you visit a website with a self-signed certificate. The browser will allow you to choose to trust the certificate so you can test that everything works with HTTPS.
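The steps above (private key, certificate signing request, self-signed test certificate) as one non-interactive script, added here as an example and not part of the original text. It also performs the check a practitioner wants before installing anything in a web server: that the public key in the CSR and in the certificate is the one derived from the private key, and that both files verify. The subject name and output directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): run the key -> CSR -> self-signed
# certificate steps non-interactively, then check that all three files belong
# together before they are handed to a web server.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 1; }
WORK="${1:-$(mktemp -d)}"                      # output directory (assumed writable)
SUBJ="/CN=www.example.com/O=Example Test"      # constructed subject; -subj avoids the prompts

# Step 1: private key. Unencrypted here so the script needs no password prompt;
# the article's -des3 variant encrypts the key file with triple DES instead.
gen_key() {
    openssl genrsa -out "$WORK/privatekey.pem" 2048 2>/dev/null
}
# Step 2: certificate signing request from that key.
gen_csr() {
    openssl req -new -key "$WORK/privatekey.pem" -subj "$SUBJ" \
        -out "$WORK/certificate-signing-request.csr"
}
# Self-signed test certificate, valid 1095 days like the article's command.
gen_self_signed() {
    openssl req -new -x509 -key "$WORK/privatekey.pem" -subj "$SUBJ" \
        -days 1095 -out "$WORK/self-signed-certificate.pem"
}

# SHA-256 of the DER-encoded public key found in a CSR ("req") or certificate ("x509").
pubkey_fp() {
    openssl "$1" -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
# The public key derived from the private key must equal the one embedded in the
# CSR and in the certificate; a mixed-up key file is caught here, not by the server.
verify_match() {
    key=$(openssl pkey -in "$WORK/privatekey.pem" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$key" ] && [ "$key" = "$(pubkey_fp req "$WORK/certificate-signing-request.csr")" ] \
        && [ "$key" = "$(pubkey_fp x509 "$WORK/self-signed-certificate.pem")" ]
}
# The CSR's self-signature must verify and the certificate must parse.
verify_signatures() {
    openssl req -in "$WORK/certificate-signing-request.csr" -noout -verify >/dev/null 2>&1 \
        && openssl x509 -in "$WORK/self-signed-certificate.pem" -noout -subject -dates
}

main() {
    gen_key; gen_csr; gen_self_signed; verify_signatures; verify_match
    echo "OK: private key, CSR and certificate in $WORK belong together"
}
main
```

Run it with an optional output directory as the first argument; the same pubkey_fp comparison works against a CA-issued certificate once you receive one.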
Installing Private Key and Certificate in Web Server
Once you have obtained the certificate (+ optionally a certificate chain) you need to install the private key and certificate (+ optionally the certificate chain) in your web server. How that is done depends on your web server, and is thus outside the scope of this text.
If you are using Nginx, I have a tutorial about Nginx here, including how to configure SSL.