
OpenSSL Command Reference Guide

Updated: at 03:21 PM


SSL Certificate Management

activityDiagram
title: SSL Cert Process
start
if (Own RootCA?) then
  :Get Root CA Cert from your provider [DigiCert];
  note left: rootCA.crt
else (no)
  partition "Your RootCA" {
    :Generate Root Key;
    note left: rootCA.key
    :Create Self-Sign Root Cert;
    note left: rootCA.crt
  }
endif
partition "For each Domain" {
  :Generate Private Key for a Domain;
  note left: domain.com.key
  :Create Domain CSR file;
  note left: domain.com.csr
  :Sign CSR with Root CA [Generate SSL Cert];
  note left: domain.com.crt
  :Configure Server with SSL Cert;
}
end

Root CA

This process needs to be done only once. Organizations keep their root certificates in their own trust store, or sometimes with a third-party vendor such as DigiCert. Creating a Root CA certificate takes two steps:

1. Create Root Key

Attention: this is the key used to sign certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a key that is not password protected, just omit the -des3 option.

2. Create and Self-Sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate, which then needs to be distributed to all the computers that have to trust us.

SSL Certificate Process for a domain

Generating Private Key

You can use the following command to generate your private key using the RSA algorithm.

openssl genrsa -out domain.com.key 2048

Use the following command to decode the private key and view its contents:

openssl rsa -text -in domain.com.key -noout

The -noout switch omits the output of the encoded version of the private key.

Extracting Public Key

The private key file contains both the private key and the public key. You can extract your public key from your private key file if needed.

openssl rsa -in domain.com.key -pubout -out domain.com_public.key

Creating CSR

After generating your private key, you are ready to create your CSR. The CSR is created using the PEM format and contains the public key portion of the private key as well as information about you (or your company).

This command creates a CSR using your newly generated private key:

openssl req -new -key domain.com.key -out domain.com.csr

Or, to skip the interactive question prompts:

openssl req -new -key domain.com.key \
            -out domain.com.csr \
            -subj "/C=IE/ST=Dublin/L=Dublin/O=Your Company/OU=IT/CN=domain.com"

Verifying that the CSR file has not been tampered with

Use the following command to view the information in your CSR before submitting it to a CA.

openssl req -text -in domain.com.csr -noout -verify

Sending CSR to CA to Sign

Generate the certificate from the domain.com CSR, signing it with the Root CA certificate and key:

openssl x509 -req -in domain.com.csr \
                  -CA rootCA.crt \
                  -CAkey rootCA.key \
                  -CAcreateserial \
                  -out domain.com.crt \
                  -days 500 \
                  -sha256

Verify the certificate’s content

openssl x509 -in domain.com.crt -text -noout

Extracting Public Key from Certificate

openssl x509 -pubkey -noout -in domain.com.crt  > pubkey.pem
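The Root CA and domain steps above, run end to end as one script and followed by two checks the guide does not show: that domain.com.crt verifies against rootCA.crt for the intended hostname, and that domain.com.key is really the key behind it. This is an added example, not part of the original guide; the company name, hostnames and temporary directory are assumptions, and the signing step adds a subjectAltName extension that the guide's plain command does not.

```shell
# Added example, not from the original guide: runs its Root CA and domain
# certificate steps end to end, then applies two checks the guide does not show:
# that domain.com.crt chains to rootCA.crt (with hostname matching) and that
# domain.com.key is really the key behind it. All names here are constructed.
set -e

build_pki() {
  work=$(mktemp -d)
  cd "$work"
  # Root CA. No -des3 so the demo runs without a passphrase prompt; 2048 bits
  # for speed where the guide uses 4096.
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
    -subj "/C=IE/O=Your Company/CN=Your Company Root CA" -out rootCA.crt
  # Domain key and CSR, with the subject given via -subj instead of prompts.
  openssl genrsa -out domain.com.key 2048 2>/dev/null
  openssl req -new -key domain.com.key -out domain.com.csr \
    -subj "/C=IE/ST=Dublin/L=Dublin/O=Your Company/OU=IT/CN=domain.com"
  # Sign with the root. The -extfile adds a subjectAltName; the guide's plain
  # command issues none, and clients match hostnames against SAN, not CN.
  printf 'subjectAltName=DNS:domain.com,DNS:www.domain.com\n' > san.ext
  openssl x509 -req -in domain.com.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out domain.com.crt -days 500 -sha256 \
    -extfile san.ext 2>/dev/null
  echo "$work"
}

# 0 when domain.com.crt verifies against rootCA.crt and covers hostname $2.
verify_chain() {
  openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$2" \
    "$1/domain.com.crt" >/dev/null 2>&1
}

# 0 when the public key embedded in the cert equals the one derived from the key.
key_matches_cert() {
  k=$(openssl pkey -in "$1/domain.com.key" -pubout | openssl sha256)
  c=$(openssl x509 -in "$1/domain.com.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

WORK=$(build_pki)
verify_chain "$WORK" domain.com && echo "chain and hostname OK"
verify_chain "$WORK" other.example || echo "other.example rejected, as expected"
key_matches_cert "$WORK" && echo "domain.com.key matches domain.com.crt"
```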

Using SSL on the backend

You can use the domain.com.key (the private key generated in the first step) and domain.com.crt files on the server side. There are multiple ways to use SSL certificates and keys in a server; we will use Node.js for some of the examples below.

Node.js Server Configuration Directly

The most straightforward method is to directly include the SSL certificate and key in your Node.js server configuration, typically when setting up an HTTPS server. You read the certificate and key files from the filesystem and pass them to the https module’s createServer method:

const https = require("https");
const fs = require("fs");

const options = {
  key: fs.readFileSync("path/to/domain.com.key"),
  cert: fs.readFileSync("path/to/domain.com.crt"),
  ca: [fs.readFileSync("path/to/rootCA.pem")], // Optional: CA's certificate
};

https
  .createServer(options, (req, res) => {
    // ...
  })
  .listen(443);

Using a Load Balancer or reverse Proxy

In many production environments, web applications are run behind a load balancer or reverse proxy. The SSL certificate is installed on the proxy, which handles HTTPS termination. The proxy then forwards traffic to the web application over HTTP.

This method simplifies SSL management, especially in complex deployments, and can also help with scaling and security.

Key Stores and Trust Stores

While less common in simple web applications, SSL certificates might be managed via key stores (e.g., using Java’s keytool).

In Node.js, direct integration with such stores is not typical, but you can export certificates and keys from these stores into formats (such as PEM) that Node.js can use.

Using a Certificate Management Tool or Service

Tools like Let’s Encrypt (with Certbot) or services like AWS Certificate Manager can automate the process of obtaining, renewing, and using SSL certificates. These tools can be used in conjunction with the above methods.

Miscellaneous Items and Glossary

Fetch Cert from a website

openssl s_client -showcerts -host somedomain.com -port 443 </dev/null

Different Extension and Formats

PEM

Format: Plain text format used to represent certificates, private keys, and other cryptographic data.
Extension: .pem, but can also be .key, .cer, or .crt for certificates.
Usage: Widely used because of its compatibility across various platforms and systems. PEM files can contain both certificates and private keys.
Characteristics: PEM files are encoded in Base64 and enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for certificates, or similar headers and footers for other types of data (like private keys). For example:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

CSR

A CSR file is an intermediate file which is signed with the Root CA to generate the domain.com.crt file.

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

KEY (Key File)

Format: Used for private or public keys.
Extension: .key.
Usage: Specifically used for private or public keys. Not used for certificates.
Characteristics: Can be in PEM format (textual, Base64 encoded) or DER format (binary). KEY files are enclosed between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- for private keys.

Converting Certificate Formats

By default, OpenSSL generates keys and CSRs using the PEM format. However, there might be occasions where you need to convert your key or certificate into a different format in order to export it to another system.

PEM to PKCS#12

The PKCS#12 format is an archival file that stores both the certificate and the private key. This format is useful for migrating certificates and keys from one system to another as it contains all the necessary files. PKCS#12 files use either the .pfx or .p12 file extension.

This command converts PEM key and certificate into the PKCS#12 format (i.e., a single .pfx file):

openssl pkcs12 -export -name "domain.com-(expiration date)" \
-out domain.com.pfx -inkey domain.com.key -in domain.com.crt

Note: After you enter the command, you will be asked to provide a password to encrypt the file. Because the PKCS#12 format is often used for system migration, we recommend encrypting the file using a very strong password.

This command combines your private key (-inkey domain.com.key) and your certificate (-in domain.com.crt) into a single .pfx file (-out domain.com.pfx) with a friendly name (-name “domain.com-(expiration date)”), where the expiration date is the date that the certificate expires.

PKCS#12 to PEM

Because the PKCS#12 format contains both the certificate and private key, you need to use two separate commands to convert a .pfx file back into the PEM format.

Use the following command to extract the private key from a PKCS#12 (.pfx) file and convert it into a PEM encoded private key:

openssl pkcs12 -in domain.com.pfx -nocerts -out domain.com.key -nodes

Use the following command to extract the certificate from a PKCS#12 (.pfx) file and convert it into a PEM encoded certificate:

openssl pkcs12 -in domain.com.pfx -nokeys -clcerts -out domain.com.crt

Note: You will need to provide the password used to encrypt the .pfx file in order to convert the key and certificate into the PEM format.

PEM to DER

The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., .key, .crt, and .csr). The file extension .der is used in the examples below for clarity.

Use the following command to convert a PEM encoded certificate into a DER encoded certificate:

openssl x509 -inform PEM -in domain.com.crt -outform DER -out domain.com.der

Use the following command to convert a PEM encoded private key into a DER encoded private key:

openssl rsa -inform PEM -in domain.com.key -outform DER -out domain.com_key.der

DER to PEM

Use the following command to convert a DER encoded certificate into a PEM encoded certificate:

openssl x509 -inform DER -in domain.com.der -outform PEM -out domain.com.crt

Use the following command to convert a DER encoded private key into a PEM encoded private key:

openssl rsa -inform DER -in domain.com_key.der -outform PEM -out domain.com.key
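The PEM to PKCS#12 and PEM to DER conversions above, run as round trips that prove nothing was lost on the way back: public-key digests are compared after the .pfx trip and certificate fingerprints after the DER trip, and a wrong .pfx password is shown to be rejected. This is an added example, not from the original guide; it assumes a self-signed test certificate, a constructed .pfx password, and -passout/-passin in place of the interactive prompts.

```shell
# Added example, not from the original guide: converts a PEM key and certificate
# to PKCS#12 and to DER and back, then proves nothing was lost. -passout/-passin
# replace the guide's interactive password prompts. All names are constructed.
set -e

# Self-signed test material standing in for the guide's domain.com.key/.crt.
make_material() {
  work=$(mktemp -d)
  openssl genrsa -out "$work/domain.com.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$work/domain.com.key" -sha256 -days 30 \
    -subj "/CN=domain.com" -out "$work/domain.com.crt"
  echo "$work"
}

# SHA-256 of a PEM public key read from stdin; identical for key, cert and CSR.
pub_digest() { openssl sha256 | cut -d' ' -f2; }

# PEM -> .pfx -> PEM. 0 when the recovered key and cert carry the original key.
pkcs12_roundtrip() {
  d=$1; pw=$2
  openssl pkcs12 -export -name "domain.com" -out "$d/domain.com.pfx" \
    -inkey "$d/domain.com.key" -in "$d/domain.com.crt" -passout "pass:$pw"
  openssl pkcs12 -in "$d/domain.com.pfx" -nocerts -nodes -out "$d/back.key" -passin "pass:$pw"
  openssl pkcs12 -in "$d/domain.com.pfx" -nokeys -clcerts -out "$d/back.crt" -passin "pass:$pw"
  a=$(openssl pkey -in "$d/domain.com.key" -pubout | pub_digest)
  b=$(openssl pkey -in "$d/back.key" -pubout | pub_digest)
  c=$(openssl x509 -in "$d/back.crt" -pubkey -noout | pub_digest)
  [ "$a" = "$b" ] && [ "$a" = "$c" ]
}

# PEM -> DER -> PEM. 0 when the certificate's SHA-256 fingerprint is unchanged.
der_roundtrip() {
  d=$1
  openssl x509 -inform PEM -in "$d/domain.com.crt" -outform DER -out "$d/domain.com.der"
  openssl x509 -inform DER -in "$d/domain.com.der" -outform PEM -out "$d/from_der.crt"
  f1=$(openssl x509 -in "$d/domain.com.crt" -noout -fingerprint -sha256)
  f2=$(openssl x509 -in "$d/from_der.crt" -noout -fingerprint -sha256)
  [ "$f1" = "$f2" ]
}

# The .pfx password protects the private key: 0 when a wrong one is rejected.
wrong_password_rejected() {
  ! openssl pkcs12 -in "$1/domain.com.pfx" -nokeys -out /dev/null -passin pass:wrong 2>/dev/null
}

D=$(make_material)
pkcs12_roundtrip "$D" 'demo-password' && echo "PKCS#12 round trip OK"
der_roundtrip "$D" && echo "DER round trip OK"
wrong_password_rejected "$D" && echo "wrong .pfx password rejected"
```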

Terms

CRL

A Certificate Revocation List (CRL) is a document that CAs use to list the certificates that have been revoked before their expiry. The primary purpose of a CRL is to ensure that entities in a secure communication environment can verify the validity of the digital certificates being used.

When a certificate is issued, it’s intended to be valid for a certain period. However, certain circumstances may necessitate its early revocation.

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl