How to Use OpenSSL to Generate and Manage SSL Certificates on RHEL 9

November 23, 2025
Linux
Comment off

OpenSSL is the most widely used toolkit for working with SSL/TLS certificates on Linux systems. On RHEL 9, it provides everything you need to generate private keys, create certificate signing requests (CSRs), sign certificates using your own certificate authority, and convert between certificate formats. Understanding OpenSSL is essential for any sysadmin managing secure services. This tutorial walks through the most important OpenSSL operations you will use in production.

Prerequisites

RHEL 9 system with sudo or root access
OpenSSL installed (available by default on RHEL 9)
Basic familiarity with PKI concepts (certificates, keys, CAs)

Step 1 — Generate a Private Key and Certificate Signing Request

The first step in obtaining any certificate is generating a private key and a CSR. The private key must be kept secret; the CSR is what you submit to a certificate authority.

# Generate a 4096-bit RSA private key
openssl genrsa -out server.key 4096

# Create a CSR using the private key
openssl req -new -key server.key -out server.csr 
  -subj "/C=US/ST=California/L=San Francisco/O=MyCompany/CN=example.com"

# Verify the CSR contents
openssl req -text -noout -verify -in server.csr

Step 2 — Create a Self-Signed Certificate and a Local CA

For internal testing or development environments, a self-signed certificate or a locally operated CA is often sufficient. A self-signed certificate is signed by its own private key, while a CA-signed certificate enables you to trust multiple certificates under one root.

# Generate a self-signed certificate valid for 365 days
openssl req -x509 -newkey rsa:4096 -keyout self.key -out self.crt 
  -days 365 -nodes 
  -subj "/C=US/ST=California/L=San Francisco/O=MyCompany/CN=example.com"

# Create your own CA private key and certificate
openssl genrsa -aes256 -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1825 
  -out ca.crt 
  -subj "/C=US/ST=California/O=MyCA/CN=MyRootCA"

# Sign a CSR with your CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key 
  -CAcreateserial -out server.crt -days 365 -sha256

Step 3 — Create a Wildcard Certificate

Wildcard certificates cover a domain and all of its immediate subdomains. To create one, include a Subject Alternative Name (SAN) extension in a config file.

# Create a SAN config file for a wildcard certificate
cat > wildcard.cnf << 'EOF'
[req]
default_bits       = 4096
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[dn]
C=US
ST=California
O=MyCompany
CN=*.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com
EOF

# Generate key and CSR using the config
openssl req -newkey rsa:4096 -nodes -keyout wildcard.key 
  -out wildcard.csr -config wildcard.cnf

# Self-sign the wildcard certificate
openssl x509 -req -in wildcard.csr -CA ca.crt -CAkey ca.key 
  -CAcreateserial -out wildcard.crt -days 365 -sha256 
  -extfile wildcard.cnf -extensions req_ext

Step 4 — Inspect and Verify Certificates

You should always verify certificate details before deploying them to ensure the correct CN, SANs, validity period, and issuer are present.

# Display full certificate text
openssl x509 -in server.crt -text -noout

# Check only the expiry date
openssl x509 -in server.crt -enddate -noout

# Verify a certificate was signed by a specific CA
openssl verify -CAfile ca.crt server.crt

# Check that a private key matches a certificate
openssl rsa  -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
# Both md5 values must match

Step 5 — Test a Live TLS Connection

The openssl s_client command lets you connect to any TLS endpoint and inspect the certificate chain returned by the server. This is invaluable for debugging certificate issues in production.

# Connect to a remote TLS server and display its certificate
openssl s_client -connect example.com:443 -showcerts

# Verify the server certificate against a specific CA bundle
openssl s_client -connect example.com:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt

# Check an SMTP server using STARTTLS
openssl s_client -starttls smtp -connect mail.example.com:587

# Display only the certificate details
echo | openssl s_client -connect example.com:443 2>/dev/null 
  | openssl x509 -text -noout

Step 6 — Convert Certificate Formats

Different applications require certificates in different formats. PEM (base64 text) is the default on Linux; DER (binary) is common on Windows; PKCS12 bundles the certificate and key in a single encrypted file used by Java and many enterprise applications.

# Convert PEM certificate to DER (binary) format
openssl x509 -in server.crt -outform DER -out server.der

# Convert DER back to PEM
openssl x509 -in server.der -inform DER -outform PEM -out server_from_der.crt

# Bundle certificate and private key into a PKCS12 file
openssl pkcs12 -export 
  -in server.crt 
  -inkey server.key 
  -certfile ca.crt 
  -out server.p12 
  -name "myserver"

# Extract certificate and key from a PKCS12 file
openssl pkcs12 -in server.p12 -nokeys -out extracted.crt
openssl pkcs12 -in server.p12 -nocerts -nodes -out extracted.key

Conclusion

You now know how to use OpenSSL on RHEL 9 to generate keys and CSRs, operate a local certificate authority, create wildcard certificates with SANs, inspect and verify certificate details, test live TLS connections, and convert between PEM, DER, and PKCS12 formats. These skills cover the certificate lifecycle from creation to deployment and troubleshooting.

Next steps: How to Configure TLS for Apache on RHEL 9, How to Set Up a Private PKI with Step CA on RHEL 9, and How to Automate Certificate Renewal with Certbot on RHEL 9.