- Cloud Native programming with Golang
- Mina Andrawos Martin Helmich
- 440 words
- 2021-07-02 20:03:45
OpenSSL
OpenSSL is a very popular specialized tool that can generate a TLS digital certificate. It can be found at https://www.openssl.org/. OpenSSL is an open source, commercial-grade TLS toolkit that can be used to perform a variety of tasks, among them generating self-signed digital certificates. The OpenSSL organization itself does not provide prebuilt binaries for the tool. However, a wiki page lists third-party places where a binary can be downloaded: https://wiki.openssl.org/index.php/Binaries. Once you have downloaded the tool, here is an example of how to use it to generate a digital certificate together with its private key:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
The first word in the preceding code is obviously the name of the binary. Let's cover the arguments one by one:
- req: Stands for request; it indicates that we are requesting a certificate.
- -x509: This indicates that we want to output a self-signed certificate. In the world of cryptography, X.509 is a standard that defines the format of public key certificates. Digital certificates used in many internet protocols utilize this standard.
- -newkey: This option indicates that we would like a new certificate with a paired private key. As mentioned before, a certificate is nothing but a public key combined with a bunch of identifiers. So, to perform asymmetric cryptography, we will need a private key paired with this public key.
- rsa:2048: This is the argument to the -newkey option, indicating the algorithm and key size that we would like to use for generating the key: RSA with a 2048-bit key.
- -keyout: This option provides the filename to write the newly created private key to.
- key.pem: This is the argument to the -keyout option. It indicates that we would like the private key to be stored in a file called key.pem. This key needs to be kept private and not shared with anyone, as mentioned earlier.
- -out: This option provides the filename to write the newly created self-signed certificate to.
- cert.pem: This is the argument to the -out option; it indicates that we would like to save the certificate in a file called cert.pem. This certificate can then be shared with web clients attempting to communicate securely with our web server in order to invoke HTTPS.
- -days: The number of days that the certificate should be valid for.
- 365: This is the argument for the -days option. It is simply us saying that we would like the certificate to be valid for 365 days, or simply one year.
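For comparison, the same certificate and key pair can be produced with Go's standard library. This is an added example, not code from the book; the function name SelfSigned and the "localhost" name are assumptions chosen for illustration. Unlike the openssl command, which prompts for a passphrase to encrypt key.pem, this sketch returns the private key unencrypted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned (hypothetical helper) mirrors the openssl arguments: an RSA key
// of `bits` bits (-newkey rsa:2048), a self-signed X.509 certificate (-x509)
// valid for `days` days (-days 365). It returns the PEM for cert.pem and key.pem.
func SelfSigned(commonName string, bits, days int) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     []string{commonName}, // SAN: modern clients ignore the CN
		NotBefore:    now,
		NotAfter:     now.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, _, err := SelfSigned("localhost", 2048, 365) // constructed sample name
	fmt.Printf("%s err=%v\n", certPEM, err)
}
```

When writing keyPEM to disk, create the file with owner-only permissions (for example mode 0600), since the key must stay private.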