Understanding Encryption and Building SSL Certificates with OpenSSL



This content originally appeared on DEV Community and was authored by Farzan Afringan

What Is Encryption?

Encryption is the process of converting plain information (plaintext) into unreadable data (ciphertext) using a cryptographic algorithm and a key. Only someone holding the right key can turn the ciphertext back into plaintext, so encryption provides confidentiality. It does not by itself guarantee integrity or authenticity: an attacker who cannot read a ciphertext may still be able to alter it undetected, which is why protocols such as TLS combine encryption with a message authentication code or use an authenticated cipher mode (AEAD), and rely on digital signatures to prove identity.
For example, when you visit a website that uses HTTPS, your browser and the server exchange encrypted data to prevent eavesdropping and tampering.

+-----------+
| Plaintext |
+-----------+
      |
      | Encrypt 🔒
      v
+------------+
| Ciphertext |
+------------+
      |
      | Decrypt 🔑
      v
+-----------+
| Plaintext |
+-----------+
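As an added example (not code from the original article), here is the round trip in the diagram done with the openssl command-line tool, followed by a check that a plain encryption mode does not protect integrity: after one ciphertext byte is corrupted, decryption still succeeds and silently returns altered plaintext. The file names, password and message are constructed for the demonstration.

```shell
# Added example, not from the original article. Needs the openssl CLI.

# Encrypt a file with AES-256-CBC; the key is derived from a password with PBKDF2.
#   $1 = plaintext file, $2 = ciphertext file to write, $3 = password
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt; the exit status is openssl's, so callers can tell success from failure.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# Overwrite one ciphertext byte in the second 16-byte block. openssl enc
# prepends "Salted__" (8 bytes) and the salt (8 bytes), then block 0 occupies
# bytes 16-31, so offset 32 is the first byte of block 1. Write 0x00 first;
# if the byte already was 0x00, write 0xFF so the file is guaranteed to change.
corrupt_byte() {
    cp "$1" "$1.orig"
    printf '\000' | dd of="$1" bs=1 seek=32 count=1 conv=notrunc 2>/dev/null
    if cmp -s "$1" "$1.orig"; then
        printf '\377' | dd of="$1" bs=1 seek=32 count=1 conv=notrunc 2>/dev/null
    fi
    rm -f "$1.orig"
}

# End-to-end run. Prints "tampered-decrypt-ok" when the corrupted ciphertext
# still decrypts without an error (the expected CBC behaviour: block 1 becomes
# garbage, one byte of block 2 flips, the padding block is untouched), which is
# why TLS pairs encryption with a MAC or uses an AEAD cipher.
demo_integrity_gap() {
    work=$(mktemp -d)
    # Constructed message, longer than three blocks so the change in block 1
    # never reaches the final padding block.
    printf 'TRANSFER 100 USD TO ACCOUNT 00001234 FROM ACCOUNT 99995678 NOW.' > "$work/plain"
    encrypt_file "$work/plain" "$work/ct" 'correct horse battery staple'
    decrypt_file "$work/ct" "$work/roundtrip" 'correct horse battery staple'
    cmp -s "$work/plain" "$work/roundtrip" || { rm -rf "$work"; return 1; }
    corrupt_byte "$work/ct"
    if decrypt_file "$work/ct" "$work/tampered" 'correct horse battery staple' 2>/dev/null \
       && ! cmp -s "$work/plain" "$work/tampered"; then
        result=tampered-decrypt-ok
    else
        result=tampered-detected
    fi
    rm -rf "$work"
    echo "$result"
}
```

Run demo_integrity_gap; on a normal OpenSSL build it prints tampered-decrypt-ok. The fix is not a different block cipher but an integrity check: an HMAC over the ciphertext, or an AEAD mode such as AES-GCM, which is what TLS 1.3 uses (openssl enc refuses AEAD modes, one reason it is a teaching tool rather than a file-encryption product).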

What Is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that secure data in transit over a network. Every SSL version and TLS 1.0/1.1 are deprecated; in practice "SSL" today means TLS 1.2 or 1.3, and the old name survives mainly in terms like "SSL certificate" and "OpenSSL".
They rely on digital certificates and asymmetric (public-key) cryptography to authenticate the server and agree on session keys, then use fast symmetric encryption (such as AES) to protect the actual traffic between client and server.

Introduction to OpenSSL

OpenSSL is an open-source toolkit that implements the SSL/TLS protocols and the cryptography behind them.
It includes:

A command-line tool for key generation, certificate creation, signing, and verification.

A C library (libcrypto and libssl) that provides the cryptographic primitives (hashing, RSA, AES, etc.) and the TLS implementation used by many other programs.

You can check whether OpenSSL is installed, and which version you have, by running the command below. The version matters: some options mentioned later (such as -addext) need OpenSSL 1.1.1 or newer.

openssl version

If it’s missing, install it (on Ubuntu/Debian):

sudo apt update
sudo apt install openssl

Creating Your Own SSL Certificate

Let's walk through the steps to create a self-signed SSL certificate using OpenSSL.

Step 1⃣ : Generate a Private Key

🟣 First you generate your private key, the most sensitive piece of the whole setup. This command generates a 2048-bit RSA private key and saves it as server.key:

openssl genrsa -out server.key 2048

Let's break it down

Part Meaning
openssl Calls the OpenSSL command-line tool.
genrsa Tells OpenSSL to generate an RSA private key (the matching public key is derived from it and embedded in the CSR and certificate later).
-out server.key Saves the generated private key to a file named server.key.
2048 The key length in bits. 2048 is the minimum you should use today; 3072 or 4096 gives more margin at the cost of slower handshakes, and an elliptic-curve (ECDSA P-256) key is a smaller, faster alternative that modern clients support.

🔑 What Is a Private Key?

A private key is a secret cryptographic key used to:

Decrypt data encrypted with its public key

Prove your server's identity during SSL/TLS handshakes

Sign digital certificates or messages

It must never be shared or exposed publicly, and the file should be readable only by the account that runs the server (mode 0600); set that right after generating it, before the key is copied anywhere.
If your private key is leaked, attackers can impersonate your website and, for connections that used RSA key exchange rather than an ephemeral (forward-secret) key exchange, decrypt recorded traffic.

Step 2⃣ : Create a Certificate Signing Request (CSR)

🟣 After generating your private key, the next step is to create a Certificate Signing Request (CSR).
This request is like your website's digital ID card: it contains your domain name and organization details together with your public key, and a CA verifies those details before it issues a certificate.

Run the command below:

openssl req -new -key server.key -out server.csr

Part Meaning
openssl Calls the OpenSSL toolkit.
req Tells OpenSSL to manage certificate requests.
-new Creates a new CSR file.
-key server.key Uses your private key: its public half is embedded in the request and the private half signs the request, proving you hold the key.
-out server.csr Saves the certificate request as server.csr.

Two practical caveats. Modern browsers ignore the Common Name and require the host name in a subjectAltName (SAN) extension; with OpenSSL 1.1.1 or newer you can add one at request time with -addext "subjectAltName=DNS:example.com". And if you want to script this instead of answering prompts, -subj "/C=US/O=example/CN=example.com" supplies the subject on the command line.

📝 What's Inside a CSR?

A CSR holds the subject fields you enter below, the public key that matches server.key, any requested extensions, and a signature over all of it made with server.key. The private key itself never leaves your machine; only the request is sent to the CA.

⚙ Example Interactive Prompts

You'll be asked a few questions like:

Country Name (e.g., US)

State or Province Name (full name)

Locality Name (eg, city)

Organization Name (e.g., example)

Organizational Unit Name (eg, section)

Common Name (the exact host name clients will connect to, e.g., example.com)

Email Address

A challenge password and an optional company name are asked for last; you can leave both blank.

Step 3⃣ : Create a Self-Signed Certificate

🟣 Now that you have a CSR and a private key, it's time to generate an SSL certificate.
Normally, a Certificate Authority (CA) signs this request, but for testing or internal projects, you can self-sign it using your own private key.

Run the command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This command signs your CSR with your private key and produces a certificate valid for one year. Note that x509 -req does not carry extensions such as subjectAltName over from the CSR by default: if you added a SAN in Step 2 and want it in the certificate, pass -extfile with a file containing the extension (works on any version), or -copy_extensions copy on OpenSSL 3.x.

🧠 What This Command Does:

Part Meaning
openssl Calls the OpenSSL toolkit.
x509 Specifies that we’re working with X.509 certificates (the standard format for SSL/TLS).
-req Reads the CSR file you generated earlier.
-days 365 Sets the certificate’s validity to 365 days (1 year).
-in server.csr The CSR file to be signed.
-signkey server.key Uses your private key to sign the certificate.
-out server.crt Saves the resulting certificate as server.crt.

🔐 What Is a Self-Signed Certificate?

A self-signed certificate means you act as your own Certificate Authority: the issuer and the subject are the same entity, and the signature is made with the very key the certificate vouches for.
It's useful for:

Local development and testing (HTTPS on localhost)

Internal servers or private networks

Educational or demo purposes

⚠ Browsers will show a warning for self-signed certificates because no trusted authority vouches for them. The traffic is still encrypted, but without a trust anchor a client cannot tell your certificate from one an attacker generated for the same name, so clicking through the warning protects against passive eavesdroppers only. For internal use, install server.crt in the clients' trust store rather than teaching users to ignore warnings.

🧩 Result

After running the command, you’ll have three important files

File Purpose
server.key Your private key (keep it secret).
server.csr The certificate request you created earlier.
server.crt The final SSL certificate signed with your private key.

Step 4⃣ : Verify the Certificate

🟣 Once your certificate is generated, it’s a good idea to inspect it and confirm that everything looks correct.
OpenSSL lets you view detailed information about your certificate, including its validity, issuer, and public key

Run the command:

openssl x509 -in server.crt -text -noout

🧠 What This Command Does

Part Meaning
openssl Calls the OpenSSL tool.
x509 Indicates that we’re working with an X.509 certificate.
-in server.crt Specifies the certificate file you want to inspect.
-text Displays the certificate details in readable text format.
-noout Hides the encoded (base64) version to keep output clean.

This confirms your certificate's validity period, subject, issuer (which for a self-signed certificate equals the subject), public key, and signature algorithm.

✅ Tip
If you want to check expiration date only:

openssl x509 -enddate -noout -in server.crt
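The four steps above as one non-interactive script, added here as an example and not taken from the original article. It adds the checks a practitioner wants before deploying: the private key file is created with mode 0600, the certificate carries a subjectAltName (required by modern browsers), the public key in the certificate matches server.key, the key can produce a signature that the certificate's public key verifies (the operation a TLS handshake relies on), and the validity window is what was requested. The host name test.example.internal, the subject fields, the output directory and the 365-day lifetime are assumptions; -addext needs OpenSSL 1.1.1 or newer.

```shell
# Added example, not from the original article: steps 1-4 end to end.
# Usage: run_demo <output-dir> <host-name>   (all names below are assumptions)

# Step 1: private key. umask 077 in a subshell makes the new file 0600 from the
# start, with no window in which it is world-readable before a later chmod.
make_key() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Step 2: CSR. -subj replaces the interactive prompts; -addext puts the host
# name in a subjectAltName, which browsers require (Common Name alone is ignored).
#   $1 = private key, $2 = CSR to write, $3 = host name
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Lab/CN=$3" \
        -addext "subjectAltName=DNS:$3"
}

# Step 3: self-sign. x509 -req does not copy the CSR's extensions by default,
# so the SAN is supplied again through -extfile; otherwise it would be lost.
#   $1 = private key, $2 = CSR, $3 = certificate to write, $4 = host name
make_selfsigned() {
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\n' "$4" > "$ext"
    openssl x509 -req -days 365 -in "$2" -signkey "$1" -out "$3" \
        -extfile "$ext" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

# Step 4 checks.
# (a) The public key inside the certificate is the one derived from the key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# (b) The SAN survived into the certificate.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# (c) The key signs and the certificate's public key verifies, which is how a
# server proves possession of its key during a TLS handshake.
key_signs_for_cert() {
    pub=$(mktemp); sig=$(mktemp); msg=$(mktemp)
    printf 'constructed handshake-like payload' > "$msg"
    openssl x509 -in "$2" -pubkey -noout > "$pub"
    openssl dgst -sha256 -sign "$1" -out "$sig" "$msg"
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$msg" >/dev/null 2>&1
    rc=$?
    rm -f "$pub" "$sig" "$msg"
    return $rc
}

# (d) Exit 0 if the certificate is still valid N days from now, 1 if it will
# have expired by then (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -checkend $(( $1 * 86400 )) -noout -in "$2" >/dev/null
}

# Glue: produce server.key, server.csr and server.crt in directory $1 for host $2.
run_demo() {
    make_key "$1/server.key" &&
    make_csr "$1/server.key" "$1/server.csr" "$2" &&
    make_selfsigned "$1/server.key" "$1/server.csr" "$1/server.crt" "$2"
}
```

After run_demo /some/dir test.example.internal, each check function returns success or failure by exit status, so they drop straight into a deployment script or CI job. The key-match check is the one most often skipped and most often needed: a certificate that verifies fine but was issued for a different key makes the server fail the handshake at startup.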

Bonus: Deploying the Key and Certificate in Nginx/Apache

Nginx and Apache take the certificate and the private key as two separate settings (ssl_certificate and ssl_certificate_key in Nginx, SSLCertificateFile and SSLCertificateKeyFile in Apache), so point them at server.crt and server.key directly. The name fullchain.pem conventionally means the server certificate followed by any intermediate CA certificates, never the private key; a self-signed certificate has no chain, so server.crt already is its own full chain. Some other software (HAProxy, for example) does expect one PEM file holding the certificate followed by the key:

cat server.crt server.key > server-combined.pem

A file built that way contains your private key: give it the same 0600 permissions as server.key and never publish or copy it around as if it were just a certificate.

Conclusion

In this article, we explored how encryption secures communication, what SSL/TLS does, and how to generate and verify your own certificates using OpenSSL, a must-have skill for every security-focused developer.

Article by Farzan Afringan 🎖 — IT Engineer & Programmer passionate about web security, encryption, and open-source tools.

