Chapter 3. Creating keys and certificates

Table of Contents
3.1. Creating a RSA public key pair
3.2. Viewing the key pair
3.3. Creating a CSR
3.4. Creating a key and a CSR at the same time
3.5. Viewing the CSR
3.6. Getting a real certificate
3.7. Viewing the certificate
3.8. Self-signed certificates

Most Unix-based programs that use TLS, and some Windows ones, use the OpenSSL package for cryptographic support ( OpenSSL provides command line programs that manipulate keys and certificates, and a cryptographic library used by these utilities and by programs such as Apache. OpenSSL is a development of an earlier package called SSLeay and this older name still appears occasionally.

Red Hat Linux, Fedora and SuSE Linux include OpenSSL as a package (normally in the openssl RPM). Debian provides pre-built packages that you can install for this functionality. Other Linux and Unix installations may be similar. OpenSSL can be built from source, which is available from

OpenSSL can be built for Windows, but requires development tools that are not normally available by default. Binary copies of OpenSSL for Windows can sometimes be found with a web search - at present copies appear to be available from Beware that having multiple copies of the OpenSSL .dll files on the same Windows server can lead to problems that are difficult to isolate.

Most command-line interactions with OpenSSL use the openssl command, which itself accepts a sub-command and a range of command-line arguments. These sub-commands and arguments can be confusing and there are often many different ways to achieve the same thing. On Unix systems the manual entry for openssl (man openssl) and for the individual sub-commands can be helpful. The examples below are taken from a Unix system - appropriate changes will be needed under Windows.

3.1. Creating a RSA public key pair

To generate an RSA key pair we use the genrsa sub-command.

$ openssl genrsa -des3 -out WWW.key 2048 
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for WWW.key: password
Verifying - Enter pass phrase for WWW.key: password

Arguments used


encrypt the result using DES3


store the result in this file


requested key length

openssl requires a source of randomness in order to generate these keys. On modern Unix systems this is normally derived automatically from a random number source in the kernel. On other systems, and under Windows, it may be necessary to use the -rand argument to supply openssl with one or more files containing rapidly changing data.

The generated RSA key pair is encrypted using the supplied pass phrase, since the private component of the pair must remain private. The pass phrase itself must therefore be kept secret but must also not be forgotten, or lost when the only person who knows it leaves, etc. Without it the keys (and any certificates based on these keys) become useless.