Author: Daniel Waters
Working with TLS certificates starts with a strong private key. The commands below use OpenSSL because it is ubiquitous, well-documented, and available on most platforms. They also mirror what certificate authorities expect when you submit a certificate signing request.
Pick a key size that balances security and performance. 2048 bits remains the common baseline, while 3072 or 4096 bits offer extra security at the cost of slower handshakes. Replace the filename if you want something other than test_key.pem.
openssl genrsa -out test_key.pem 2048
The output is an unencrypted PEM file. Lock it down immediately:
chmod 600 test_key.pem
The public key is safe to share and gets embedded in certificates or distributed for client-side verification.
openssl rsa -in test_key.pem -outform PEM -pubout -out test_key.pem.pub
OpenSSL will print the key to stdout if you omit -out, which is useful when scripting.
Most certificate authorities require a CSR that includes subject information and your freshly minted public key. This command prompts for the subject fields.
openssl req -new -key test_key.pem -out test_key.csr
Use -subj "/C=US/ST=Oregon/L=Portland/O=Example Corp/CN=example.com" to avoid the interactive prompt. Once generated, you can inspect the CSR to verify its contents, confirm that the private key is internally consistent, and dump the public key:
openssl req -in test_key.csr -noout -text
openssl rsa -in test_key.pem -check
openssl rsa -pubin -in test_key.pem.pub -text -noout
If you need a quick local certificate for testing, self-sign it:
openssl req -x509 -key test_key.pem -in test_key.csr -days 365 -out test_cert.pem
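The whole procedure above, run non-interactively, is shown below as an added example (it is not part of the original post). It builds the key, public key, CSR and self-signed certificate into a directory, then checks the one thing that usually goes wrong in practice: that the private key, the CSR and the certificate actually carry the same public key, and that the key file ended up with mode 600. The function names, the directory argument and the subject fields are my own choices; only a POSIX shell and the openssl CLI are assumed.

```shell
#!/bin/sh
# Added example, not the original author's script. Assumes a POSIX sh and the
# openssl CLI. Subject fields are placeholder values.

# Generate key pair, CSR and self-signed cert into DIR. Returns non-zero on failure.
make_test_identity() {
    dir=$1
    key="$dir/test_key.pem"
    # Restrictive umask so the key is never world-readable, even briefly.
    (
        umask 077
        openssl genrsa -out "$key" 2048 2>/dev/null
    ) || return 1
    chmod 600 "$key" || return 1
    openssl rsa -in "$key" -outform PEM -pubout -out "$key.pub" 2>/dev/null || return 1
    # -subj avoids the interactive prompt; values are placeholders.
    openssl req -new -key "$key" \
        -subj "/C=US/ST=Oregon/L=Portland/O=Example Corp/CN=example.com" \
        -out "$dir/test_key.csr" >/dev/null 2>&1 || return 1
    # Self-sign the CSR for local testing.
    openssl req -x509 -key "$key" -in "$dir/test_key.csr" -days 365 \
        -out "$dir/test_cert.pem" >/dev/null 2>&1 || return 1
}

# SHA-256 of the PEM public key extracted from a key, CSR or certificate, so the
# three artefacts can be compared without eyeballing modulus dumps.
pubkey_fingerprint() {
    case "$1" in
        key)  openssl rsa  -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        *)    return 1 ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Returns 0 only if key, CSR and certificate share one public key and the
# private key file is mode 600.
verify_test_identity() {
    dir=$1
    k=$(pubkey_fingerprint key  "$dir/test_key.pem")
    c=$(pubkey_fingerprint csr  "$dir/test_key.csr")
    x=$(pubkey_fingerprint cert "$dir/test_cert.pem")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ] || return 1
    # stat -c is GNU coreutils, stat -f is BSD/macOS; try both.
    mode=$(stat -c '%a' "$dir/test_key.pem" 2>/dev/null \
        || stat -f '%Lp' "$dir/test_key.pem")
    [ "$mode" = "600" ]
}
```

Typical use is `d=$(mktemp -d); make_test_identity "$d" && verify_test_identity "$d" && echo ok`. Comparing public-key fingerprints rather than subject strings is deliberate: a CSR that was regenerated against a rotated key, or a certificate issued for the wrong CSR, will have a matching subject but a different public key, and only the fingerprint check catches that.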
Documenting these steps once means you can copy them the next time you are setting up mutual TLS, rotating service credentials, or debugging a certificate chain.