Public,Private key pair and Certificate

Public key and Private key

What is public/private key pair

These are two mathematically related keys. A private/public key pair ensures that data encrypted with one key can only be decrypted with the other key. It means,

“Whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa”

The public key is made available to everyone via a publicly accessible repository or directory. The private key must remain confidential to its owner.

Generate public/private key pair

You can use the openssl tool to generate a public/private key pair

# command
openssl genrsa -out <key-pair name> <key length>
# example
openssl genrsa -out 2048

Following is the output of this command

generate key pair

This command will generate a key pair; key is the generated key pair file

generated key pair

Public key Certificate

What is certificate

A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Put simply, a public key certificate is used to identify an entity and bind it to its public key.

Digital certificates are issued by Certification Authorities (CAs). A CA fulfils the role of the trusted third party. Following are some of the contents of a public key certificate

  • Serial Number: Used to uniquely identify the certificate
  • Subject: The person, or entity identified
  • Signature Algorithm: The algorithm used to create the signature
  • Signature: The actual signature to verify that it came from the issuer
  • Issuer: The entity that verified the information and issued the certificate
  • Valid-From: The date the certificate is first valid from
  • Valid-To: The expiration date
  • Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing…)
  • Public Key: The public key
  • Thumbprint Algorithm: The algorithm used to hash the public key certificate
  • Thumbprint (also known as fingerprint): The hash itself, used as an abbreviated form of the public key certificate

How to obtain certificate?

To obtain a certificate you first need to generate a certificate signing request (CSR). The CSR is an object which contains a name and a public key, which you send to a CA. The CA will build the certificate (and then sign it), putting the relevant data in it, including the public key which you sent as part of the request.

Generate CSR

Following is the command to generate a CSR

# command
openssl req -new -sha256 -key <key name> -out <csr name>
# example
openssl req -new -sha256 -key -out

This command will prompt for several inputs. You have to fill those in to generate the CSR. Following is an example output of generating a CSR

generating CSR

The file given to -out is the generated CSR

Generated CSR

View content of CSR

You can view the content of the CSR using the following command

# command
openssl req -text -in <csr name> -noout
# example
openssl req -text -in -noout

Following is the output

CSR content

Following are some commands that can be used to find various types of information about a CSR

# view public key of CSR
openssl req -in -noout -pubkey
# verify CSR
openssl req -in -noout -verify
# view subject(details of the individual)
openssl req -in -noout -subject

Now you can submit this CSR to certificate authority. Depending on what CA you want to use, there will be different ways to send them your CSR: using a form on their web site, sending it by email, or something else.

Send the CA your CSR, and follow their instructions to receive your final certificate or certificate chain.

Self Sign certificate

It is a certificate that is signed by itself rather than by a trusted third party (CA). Put simply, it is signed by its own creator. These certificates are considered less trustworthy.

You can use the previously generated key pair and CSR to create a self-signed certificate

# command 
openssl req -x509 -days <valid period> -key <key-pair name> -in <csr name> -out <new certificate name>
# example
openssl req -x509 -days 365 -key -in -out certificate.pem

Following is the output of above command

generate self-signed certificate
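The whole workflow the post walks through, from key pair to CSR to self-signed certificate, as an added example script that is not part of the original post: it runs the same openssl commands non-interactively and checks that the public key carried in the CSR and in the certificate is the one from the key pair, and that the CSR signature and the certificate's self-signature both verify. The file names (key.pem, csr.pem, certificate.pem) and the subject are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the post's workflow
# (key pair -> CSR -> self-signed certificate) in a scratch directory and
# checks that the same public key travels through all three artifacts.
# File names and the subject below are assumptions chosen for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"
CSR="$WORK/csr.pem"
CERT="$WORK/certificate.pem"
SUBJ="/O=Example Org/CN=example.test"   # constructed subject; -subj replaces the prompts

generate_key() { openssl genrsa -out "$KEY" 2048 2>/dev/null; }

generate_csr() { openssl req -new -sha256 -key "$KEY" -subj "$SUBJ" -out "$CSR" 2>/dev/null; }

self_sign() { openssl req -x509 -days 365 -key "$KEY" -in "$CSR" -out "$CERT" 2>/dev/null; }

# SHA-256 over the DER-encoded public key, so the three artifacts can be compared
fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
key_pub_fp()  { openssl pkey -in "$KEY" -pubout | fp; }
csr_pub_fp()  { openssl req -in "$CSR" -noout -pubkey | fp; }
cert_pub_fp() { openssl x509 -in "$CERT" -noout -pubkey | fp; }

# The CSR is signed with the private key; -verify checks that signature
verify_csr() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }
# A self-signed certificate only verifies when it is itself used as the trust anchor
verify_cert() { openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; }

# Returns 0 when every step succeeds and all three public keys match
run_workflow() {
  generate_key && generate_csr && self_sign && verify_csr && verify_cert || return 1
  k=$(key_pub_fp); c=$(csr_pub_fp); x=$(cert_pub_fp)
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

run_workflow && echo "key, CSR and certificate share public key $(key_pub_fp)"
```

Running it against a certificate issued by a real CA works the same way once verify_cert is pointed at the CA's chain instead of the certificate itself.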