OpenSSL cheatsheet

Shortcuts

Install OpenSSL

$ sudo apt install openssl

Get a certificate expiry date

$ echo "CERTIFICATE_CONTENT" | openssl x509 -noout -enddate

Get the expiry date of a base64-encoded certificate

$ echo "CERTIFICATE_CONTENT" | base64 -d | openssl x509 -noout -enddate

Retrieve complete certificate information

$ echo "CERTIFICATE_CONTENT" | openssl x509 -noout -text

Retrieve information of Certificate Signing Request (CSR)

$ openssl req -in csr_req.csr -text -noout

Generate a TLS certificate

To generate the certificate, you first need a TLS private key; if you do not have one, generate it:

$ openssl genpkey -algorithm RSA -out tls.key

Or

$ openssl genrsa -out tls.key 2048

It’s also possible to extract the public key from the private key:

$ openssl rsa -pubout -in tls.key -out tls.pub

The tls.key file is the private key and should not be shared with anyone; it is used when generating a CSR. The tls.pub file can be shared, for example when setting up mutual TLS (mTLS).

Then create a CSR as follows:

$ openssl req -new -key tls.key -out csr_req.csr

Lastly, the CSR should be signed by a Certificate Authority (CA):

$ openssl ca -cert ca.crt -keyfile ca.key -in csr_req.csr -out tls.crt

If no CA is available, you can generate your own (this creates a self-signed cert, which browsers do not trust).

Generating a self-signed CA

Create the CA private key:

$ openssl genpkey -algorithm RSA -out ca.key

Then generate the CA certificate:

$ openssl req -new -x509 -key ca.key -out ca.crt

To sign a CSR with the self-signed CA:

$ openssl x509 -req -in csr_req.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt

To check the details of the produced TLS cert (tls.crt):

$ openssl x509 -in tls.crt -text -noout

The tls.crt file can be installed on a server. However, browsers will not trust it by default, since it is signed by your own self-signed CA rather than one in their trust store.
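The whole flow above (CA, key, CSR, signing, inspection) as one runnable script, with the checks worth running before deploying the result: chain verification, SAN presence, expiry headroom and key/cert match. This is an added example, not part of the original cheatsheet; it assumes openssl is on PATH, and the names Demo Root CA, demo.example and the temp dir are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the cheatsheet). Assumes `openssl` on PATH; all names are demo values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # Self-signed CA: private key, then a one-shot -x509 certificate (no CSR round trip)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "/CN=Demo Root CA" -out "$WORK/ca.crt"
}

make_leaf() {
  # Server private key, its shareable public half, and a CSR for the CA to sign
  openssl genrsa -out "$WORK/tls.key" 2048 2>/dev/null
  openssl rsa -pubout -in "$WORK/tls.key" -out "$WORK/tls.pub" 2>/dev/null
  openssl req -new -key "$WORK/tls.key" -subj "/CN=demo.example" -out "$WORK/csr_req.csr"
  # Modern clients match the SAN, not the CN; x509 -req takes extensions from -extfile
  printf 'subjectAltName=DNS:demo.example\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/csr_req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/san.ext" -out "$WORK/tls.crt" 2>/dev/null
}

# 0 if tls.crt chains to ca.crt, i.e. what a client configured with ca.crt would accept
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null; }

# 0 if tls.crt carries the given DNS SAN
has_san() { openssl x509 -in "$WORK/tls.crt" -noout -text | grep -q "DNS:$1"; }

# 0 if tls.crt stays valid for at least $1 more seconds (the basis of expiry alerting)
valid_for() { openssl x509 -in "$WORK/tls.crt" -noout -checkend "$1" >/dev/null; }

# 0 if the public key inside tls.crt is the one derived from tls.key (catches a mismatched deploy)
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/tls.crt" -noout -pubkey)" = "$(cat "$WORK/tls.pub")" ]
}

run_demo() {
  make_ca
  make_leaf
  # Same inspection as `openssl x509 -in tls.crt -text -noout`, reduced to the key fields
  openssl x509 -in "$WORK/tls.crt" -noout -subject -issuer -enddate
}

run_demo
```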