This content originally appeared on DEV Community and was authored by Farzan Afringan
What Is Encryption?
Encryption is the process of converting plain information (plaintext) into unreadable data (ciphertext) using a cryptographic algorithm. It ensures confidentiality, integrity, and authenticity of data during communication.
For example, when you visit a website that uses HTTPS, your browser and the server exchange encrypted data to prevent eavesdropping.
+-----------+
| Plaintext |
+-----------+
      |
      | Encrypt
      v
+------------+
| Ciphertext |
+------------+
      |
      | Decrypt
      v
+-----------+
| Plaintext |
+-----------+
What Is SSL/TLS?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols designed to secure data over the internet.
They rely on digital certificates and asymmetric encryption to create a secure channel between client and server.
Introduction to OpenSSL
OpenSSL is an open-source toolkit for implementing SSL/TLS.
It includes:
- A command-line tool for certificate generation, signing, and verification.
- A C library that provides cryptographic functions (hashing, RSA, AES, etc.).
You can check if OpenSSL is installed by running:
openssl version
If it’s missing, install it (on Ubuntu/Debian):
sudo apt update
sudo apt install openssl
Creating Your Own SSL Certificate
Let’s walk through the steps to create a self-signed SSL certificate using OpenSSL.
Step 1: Generate a Private Key
In this step you generate your private key, one of the most important parts of SSL/TLS encryption.
Let’s break down the command:
| Part | Meaning |
|---|---|
| openssl | Calls the OpenSSL command-line tool. |
| genrsa | Tells OpenSSL to generate an RSA key pair (based on the RSA algorithm). |
| -out server.key | Saves the generated private key to a file named server.key. |
| 2048 | The key length in bits; a longer key means stronger encryption (2048 is standard). |
What Is a Private Key?
A private key is a secret cryptographic key used to:
- Decrypt data encrypted with its public key
- Prove your server’s identity during SSL/TLS handshakes
- Sign digital certificates or messages

It must never be shared or exposed publicly.
If your private key is leaked, attackers can impersonate your website or decrypt sensitive data.
This command generates a 2048-bit RSA private key and saves it as server.key:
openssl genrsa -out server.key 2048
Step 2: Create a Certificate Signing Request (CSR)
After generating your private key, the next step is to create a Certificate Signing Request (CSR).
This request is like your website’s digital ID card: it contains your domain name and organization details, which will be verified before a certificate is issued.
Run the command below:
openssl req -new -key server.key -out server.csr
| Part | Meaning |
|---|---|
| openssl | Calls the OpenSSL toolkit. |
| req | Tells OpenSSL to manage certificate requests. |
| -new | Creates a new CSR file. |
| -key server.key | Uses your previously generated private key (server.key) to sign the request. |
| -out server.csr | Saves the certificate request as server.csr. |
What’s Inside a CSR?
Example Interactive Prompts
You’ll be asked a few questions like:
- Country Name (e.g., US)
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (e.g., example)
- Organizational Unit Name (eg, section)
- Common Name (domain name, e.g., example.com)
- Email Address
Step 3: Create a Self-Signed Certificate
Now that you have a CSR and a private key, it’s time to generate an SSL certificate.
Normally, a Certificate Authority (CA) signs this request, but for testing or internal projects, you can self-sign it using your own private key.
Run the command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
This command signs your CSR with your private key and produces a certificate valid for one year.
What This Command Does:
| Part | Meaning |
|---|---|
| openssl | Calls the OpenSSL toolkit. |
| x509 | Specifies that we’re working with X.509 certificates (the standard format for SSL/TLS). |
| -req | Reads the CSR file you generated earlier. |
| -days 365 | Sets the certificate’s validity to 365 days (1 year). |
| -in server.csr | The CSR file to be signed. |
| -signkey server.key | Uses your private key to sign the certificate. |
| -out server.crt | Saves the resulting certificate as server.crt. |
What Is a Self-Signed Certificate?
A self-signed certificate means you act as your own Certificate Authority — you’re both the signer and the owner.
It’s useful for:
- Local development and testing (HTTPS on localhost)
- Internal servers or private networks
- Educational or demo purposes

Browsers will show a warning for self-signed certificates because they’re not trusted by public authorities, but they still encrypt your traffic.
Result
After running the command, you’ll have three important files:
| File | Purpose |
|---|---|
| server.key | Your private key (keep it secret). |
| server.csr | The certificate request you created earlier. |
| server.crt | The final SSL certificate signed with your private key. |
Step 4: Verify the Certificate
Once your certificate is generated, it’s a good idea to inspect it and confirm that everything looks correct.
OpenSSL lets you view detailed information about your certificate, including its validity, issuer, and public key.
Run the command:
openssl x509 -in server.crt -text -noout
What This Command Does
| Part | Meaning |
|---|---|
| openssl | Calls the OpenSSL tool. |
| x509 | Indicates that we’re working with an X.509 certificate. |
| -in server.crt | Specifies the certificate file you want to inspect. |
| -text | Displays the certificate details in readable text format. |
| -noout | Hides the encoded (base64) version to keep output clean. |

This confirms your certificate’s validity period, subject, and encryption details.
Tip
If you want to check expiration date only:
openssl x509 -enddate -noout -in server.crt
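Steps 1 to 4 can also be run without prompts and checked automatically. The script below is an added example, not part of the original article: it runs the same commands, then confirms that the certificate carries the public half of server.key, that it is really self-signed, and that it has the expected lifetime. The function names and the subject values passed to -subj are constructed for illustration.

```shell
#!/bin/sh
# Added example: the article's steps 1-4 run without prompts, plus checks.
# Function names and the subject values (C, O, CN) are constructed.

make_selfsigned() {   # $1 = output directory, $2 = Common Name
    # umask 077 in a subshell: server.key is created readable by its owner only
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    # -subj answers the interactive CSR prompts on the command line
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/O=Example/CN=$2" || return 1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# True only if the certificate carries the public half of this private key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Self-signed: issuer equals subject and the signature verifies with its own key.
is_self_signed() {    # $1 = certificate file
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True if the certificate will still be valid N days from now.
valid_for_days() {    # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run in a scratch directory that is removed afterwards.
tmp=$(mktemp -d) && make_selfsigned "$tmp" example.test &&
    key_matches_cert "$tmp/server.key" "$tmp/server.crt" &&
    is_self_signed "$tmp/server.crt" && echo "certificate checks passed"
rm -rf "$tmp"
```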
Bonus: Combining Key and Certificate for Nginx/Apache
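For easier deployment, you can combine the certificate and key into a single file. That file contains your private key, so keep it as secret as server.key: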
cat server.crt server.key > fullchain.pem
Conclusion
In this article, we explored how encryption secures communication, what SSL/TLS does, and how to generate your own certificates using OpenSSL, a must-have skill for every security-focused developer.
Article by Farzan Afringan
— IT Engineer & Programmer passionate about web security, encryption, and open-source tools.