Every so often I have to do something with certificates. It’s infrequently enough that I always have to re-lookup all the commands because I don’t remember the exact syntax. Also, for a long time, I simply used self-signed certificates because they did the job for me. However, now that there are very inexpensive certificates, I sometimes use them. Anyway, here are my notes:

To read a certificate file:

$ openssl x509 -noout -text -in certificate.pem

To read a key file:

$ openssl rsa -noout -text -in certificate.key

To read a certificate request:

$ openssl req -noout -text -in certificate.csr

To make a new 2048-bit RSA key:

$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out 2048.pem

(genpkey supersedes the older genrsa subcommand)

Old keys were usually generated with a passphrase. This caused problems because some programs would not start until someone typed the passphrase in. So, to take the passphrase off a private key (the output file is unencrypted, so keep its permissions tight):

$ openssl rsa -in file_with_passphrase.key -out file_without_passphrase.key

To make a certificate request using the previously made key:

$ openssl req -new -nodes -key certificate.key -out certificate.csr

To make a certificate request and key in one line:

$ openssl req -new -nodes -newkey rsa:2048 -keyout certificate.key -out certificate.csr

If you already have a key:

$ openssl req -new -key certificate.key -out certificate.csr

To make a self-signed certificate that's good for 10 years:

$ openssl req -new -x509 -nodes -days 3650 -key certificate.key -out certificate.pem
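As an added example (not from the original post), here is a small script that runs the key, CSR and self-signed steps above non-interactively and then does the two checks worth making before pointing a web server at the files: that the private key really belongs to the certificate, and that the certificate has not expired. The subject name example.test and the WORKDIR variable are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the post's own commands. Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/CN=example.test"   # constructed subject; use your own DN for real

make_key() {  # $1 key file: 2048-bit RSA, no passphrase, as in the post
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    chmod 600 "$1"            # unencrypted key: owner-readable only
}

make_csr() {  # $1 key, $2 csr  (-subj avoids the interactive prompts)
    openssl req -new -key "$1" -subj "$SUBJ" -out "$2"
}

make_selfsigned() {  # $1 key, $2 cert, $3 validity in days
    openssl req -new -x509 -key "$1" -subj "$SUBJ" -days "$3" -out "$2"
}

# Returns 0 when the public key embedded in the cert matches the private
# key. Catches the classic "right cert, wrong key file" deployment mistake.
key_matches_cert() {  # $1 key, $2 cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Returns 0 when the cert is still valid $2 seconds from now.
cert_valid_for() {  # $1 cert, $2 seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
    make_key "$WORKDIR/certificate.key"
    make_csr "$WORKDIR/certificate.key" "$WORKDIR/certificate.csr"
    make_selfsigned "$WORKDIR/certificate.key" "$WORKDIR/certificate.pem" 3650
    key_matches_cert "$WORKDIR/certificate.key" "$WORKDIR/certificate.pem"
    cert_valid_for "$WORKDIR/certificate.pem" 86400
}

demo && echo "key, CSR and self-signed cert written to $WORKDIR"
```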

If you want a legit certificate (one issued by a CA), you need to send your certificate request (.csr) to whoever you're requesting the certificate from. You will then probably get two files back. One will be the certificate file and the other will be the intermediate certificate file. Then in the Apache config file, SSLCertificateFile is the certificate and SSLCertificateChainFile is the intermediate certificate (on Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediate goes into the same file as the certificate, after it). Don't forget SSLCertificateKeyFile is your key.