
What is a SAN

A SAN is a Subject Alternative Name: an X.509 certificate extension that lists every name (usually DNS names, but also IP addresses) the certificate is valid for. Browsers match the hostname they connected to against this list rather than the Common Name, so any server that is reached under more than one name, such as a web farm behind a reverse proxy, a load-balanced VIP, or a bare domain plus its www alias, needs each of those names in its SAN.

For example:

Modern browsers (Chrome since version 58, for example) ignore the Common Name entirely and show a certificate as invalid if the hostname does not appear in a SAN, so it's best practice for us to be in the habit of including SANs in our CSRs, even when there is only one name.

How to include a SAN

Because we want to include a SAN (Subject Alternative Name) in our CSR (and therefore in the certificate issued from it), we need to use a customized openssl.cnf file; the default configuration does not request the extension.


While you could patch the openssl.cnf file on the fly with a tool like ‘sed’ before running ‘openssl req’ (or, on OpenSSL 1.1.1 and later, pass the extension directly with ‘-addext’), I will walk through the step of manually updating the file for clarity.

Example openssl.cnf file

Note that the subjectAltName = @alt_names declaration refers to the [alt_names] section defined at the bottom of the file; each DNS entry in that section becomes one DNS name in the SAN extension.

To include a single SAN in your CSR, update the ‘DNS’ declaration to the appropriate value (in this example, ‘webserver1.scriptech.io’), and leave the DNS.x declarations commented out (#). The result is an @alt_names array with a single entry.

To include multiple SANs in your CSR, comment out (#) the ‘DNS’ declaration, and uncomment the DNS.x declarations that you need (DNS.1, DNS.2, and so on). For example, your [alt_names] section would look like:

The result is an @alt_names array with multiple entries.

Generate the new key and CSR

If you have not already, copy the contents of the example openssl.cnf file above into a file called ‘openssl.cnf’ somewhere. Make note of the location.

Also make sure you update the DN information (Country, State, Organization, Common Name, etc.) in the distinguished-name section to match your organization. The Common Name should still be one of the names listed under [alt_names], since browsers will only look at the SAN.


Create a new key

Create a new CSR

Verify the CSR


To view the contents of your new CSR, use the following command:

This example shows a single SAN which I included in my openssl.cnf file.

Sign the CSR

Now that you have your properly formatted CSR, you need to have it signed by a Certificate Authority that your clients trust. Depending on your context, this could be a third-party CA like DigiCert or GoDaddy, or it could be an internal Certificate Authority (an OpenSSL CA, Active Directory Certificate Services). Check the issued certificate afterwards: an OpenSSL-based CA drops the extensions requested in the CSR unless it is told to copy them (copy_extensions for ‘openssl ca’; -extfile, or -copy_extensions on OpenSSL 3, for ‘openssl x509 -req’), so a CSR with a SAN does not by itself guarantee a certificate with one.

The contents of the issued certificate (in PEM format) can be viewed with the following command:
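The whole procedure above, as one added example rather than the article's own openssl.cnf or commands: it writes a minimal openssl.cnf with an [alt_names] section, generates the key and the CSR from it, verifies the CSR, signs it with a throwaway local CA (standing in for the trusted CA you would really use), and then inspects the certificate to confirm the SANs survived signing. The hostnames under scriptech.io, the DN values and the file names are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not the article's own files or commands. Hostnames, DN values
# and file names are placeholders (assumptions); the local CA stands in for a
# real trusted CA, which is where you would normally submit the CSR.
set -eu

# Working directory; set WORK=/some/dir to keep the generated files.
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf. req_extensions points at [v3_req], whose subjectAltName
# line refers to the [alt_names] section; every DNS.n entry there becomes one
# name in the SAN extension. [v3_ca] is used only for the throwaway CA below.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
C  = US
ST = Texas
L  = Austin
O  = Scriptech
CN = webserver1.scriptech.io

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = webserver1.scriptech.io
DNS.2 = www.scriptech.io
DNS.3 = scriptech.io

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generate the private key (readable only by its owner) and the CSR.
make_key_and_csr() {
  openssl genrsa -out "$WORK/webserver1.key" 2048 2>/dev/null
  chmod 600 "$WORK/webserver1.key"
  openssl req -new -key "$WORK/webserver1.key" -config "$WORK/openssl.cnf" \
    -out "$WORK/webserver1.csr"
}

# Exit status 0 if the CSR's self-signature verifies.
verify_csr() {
  openssl req -in "$WORK/webserver1.csr" -noout -verify >/dev/null 2>&1
}

# Print the SAN list of a CSR (req) or certificate (x509) with spaces removed,
# e.g. DNS:webserver1.scriptech.io,DNS:www.scriptech.io,DNS:scriptech.io
san_list() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}
csr_sans()  { san_list req  "$WORK/webserver1.csr"; }
cert_sans() { san_list x509 "$WORK/webserver1.crt"; }

# Sign the CSR with a throwaway CA. -extfile/-extensions makes openssl x509
# write the requested v3_req extensions into the certificate; without them the
# SAN from the CSR is silently dropped.
sign_with_test_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -subj '/CN=Scriptech Test CA' -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/webserver1.csr" -days 365 -sha256 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_req \
    -out "$WORK/webserver1.crt" 2>/dev/null
}

# Exit status 0 if the issued certificate chains to the test CA and its SAN
# covers the given hostname, which is the check a browser performs.
cert_matches_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/webserver1.crt" >/dev/null 2>&1
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
  write_config
  make_key_and_csr
  verify_csr && echo "CSR signature: OK"
  echo "CSR SANs:  $(csr_sans)"
  sign_with_test_ca
  echo "Cert SANs: $(cert_sans)"
  for host in www.scriptech.io mail.scriptech.io; do
    if cert_matches_host "$host"; then echo "$host: matches"; else echo "$host: no match"; fi
  done
  echo "Files written to $WORK"
}
main "$@"
```

Run it as ‘sh csr_san_example.sh’; the two -verify_hostname checks at the end show that www.scriptech.io (listed under [alt_names]) is accepted while mail.scriptech.io (not listed) is rejected, even though both are under the same domain as the Common Name. If you drop -extfile/-extensions from the x509 -req call, cert_sans prints nothing and every hostname check fails, which is the failure mode to look for when a CA hands back a certificate without the SAN you requested.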
