How to use OpenSSL to create self signed certificate

Method 1

Procedure:

1. Create a no-password private key,
2. Create the certificate.

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out unencrypted-private.key

• genpkey
  generate a private key.
• -algorithm rsa
  use RSA algorithm.
• -pkeyopt rsa_keygen_bits:2048
  the key’s length is 2048.
• -out
  output filename.

openssl req -x509 -key unencrypted-private.key -out new.crt

• req
  openssl’s subcommand, used to create and process CSR(certificate signing request).
• -509
  do not create a CSR, but create a certificate.
• -key
  the private key used to sign the certificate
• -out
  the output certificate.

Method 2

Procedure:

1. Create a certificate and a password-protected rivate key in a single step,
2. Extract the no-password private key.

openssl req -x509 -newkey rsa:2048 -keyout encrypted-private.key -out new.crt

• req
  openssl’s subcommand, used to create and process CSR.
• -x509
  do not create a CSR, but create a certificate.
• -newkey
  create a new private key, use RSA algorithm, 2048 bits.
• -keyout
  the output private key.
• -out
  the output certificate.

openssl rsa -in encrypted-private.key -out unencrypted-private.key

• rsa
  openssl’s subcommand, used to process RSA private key.
• -in
  the input password protected private key.
• -out
  the output no-password private key.

Method 3

Procedure:

1. Create a no-password private key.
2. Create a CSR(certificate signing request).
3. Convert the CSR to a certificate.

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out unencrypted-private.key

• genpkey
  generate a private key.
• -algorithm rsa
  use RSA algorithm.
• -pkeyopt rsa_keygen_bits:2048
  the private key’s length is 2048.
• -out
  output private key filename.

openssl req -new -key unencrypted-private.key -out new.csr

• req
  openssl’s subcommand, used to create and process CSR.
• -new
  create a new CSR.
• -key
  the private key used to sign the CSR.
• -out
  the output CSR filename.

openssl x509 -req -in new.csr -out new.crt -signkey unencrypted-private.key

• x509
  openssl’s subcommand, used to process certificate.
• -req
  By default, the file specified by ‘-in’ is expected to be a certificate, with this option a certificate request is expected instead.
  咱们默认 -in 前面批示的文件是一个证书，有了 -req 后，咱们认为 -in 前面批示的文件是一个证书申请。
• -in
  the input CSR filename.
• -out
  the output certificate filename.
• -signkey
  the private key used to sign the certificate
  用于为证书签名的私钥。