The OpenSSL Project has developed a open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security TLS (v1) protocols as well as a full-strength general purpose cryptography library.

OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

The OpenSSL toolkit can be used to generate the keys that a web server (e.g. Apache) needs to encrypt the data sent between the client (browser) and the web server.
A simple overview of this process can be found here below:
  • A client browser connects to the Apache HTTP server via a Web request.

  • The browser asks to start a secure session with the server.

  • The server returns the site's certificate (= mobilefish.com_cert.pem) which also includes the server public key.

  • The browser analyzes the certificate and informs the user about its validity (e.g., was it issued by a recognized, trusted certificate authority?).

  • The browser creates a session key, which is encrypted with the server's public key, which is then sent to the server. This public or asymmetric key is generally 1024 bits. Much stronger public keys of 2048 bits could be provided but, perhaps for performance reasons, these are not in general use.

  • The server then decrypts this information using its private key (mobilefish.com_key.pem).

  • Both the browser and the server now are using the same session key. This is a symmetric key used to encrypt and decrypt data exchanged by the browser and server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit session is established even if your Web server supports 128-bit sessions.

More information about the OpenSSL Project can be found at:

The latest OpenSSL version (no binary distributions) can be downloaded from:

Links to OpenSSL binary distributions can be found at:

Create a Root Certification Authority (CA) certificate.


Operating system used
Windows XP Home Edition Version 5.1 SP 2

Software prerequisites
OpenSSL v0.9.7d or higher
ActivePerl v5.8.4 or higher

  1. Open a dos window and goto OpenSSL bin directory:
    e.g.: cd C:\Tools\openssl\bin

  2. To create a CA, run the perl script:
    C:\Tools\OpenSSL\bin>perl -newca

    You should see and do the following:

    CA certificate filename (or enter to create) Press Enter Key

    Making CA certificate ...
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase: mycasecret
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a
    Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:NL
    State or Province Name (full name) [Some-State]:Noord-Holland
    Locality Name (eg, city) []:Zaandam
    Organization Name (eg, company) [Internet Widgits Pty Ltd]
    Organizational Unit Name (eg, section) []:Certification Services
    Common Name (eg, YOUR name) [] CA
    Email Address []:

    Line Remark
    CA certificate filename Specify a filename or press enter key.
    PEM pass phrase This password is needed to gain access to the CA private key and with this key you can later sign certificates.
    Country Name The two-letter ISO 3166 abbreviation for your country.
    State or Province Name The state or province where your organization is legally located. Do not abbreviate.

    In this example: Noord-Holland
    Locality Name The city where your organization is legally located. Do not abbreviate.

    In this example: Zaandam
    Organization Name The exact legal name of your organization. Do not abbreviate your organization name.

    In this example:
    Organizational Unit Name Section of the organization. has an organizational unit called Certification Services.
    Other examples of sections are Marketing, Research and Development, Human Resources or Sales.
    Common Name is also a CA.

    In this example CA will be used.
    Email Address Enter your organization general email address.

    In this example

  3. When this script is finished the directory ..\OpenSSL\bin\demoCA is created containing the following files:

    • ..\OpenSSL\bin\demoCA\cacert.pem
      This file represents the CA certificate which also contains the public key. It is used to verify the user certificates signed by the private CA key.

    • ..\OpenSSL\bin\demoCA\private\cakey.pem
      This file represents the private CA key and is used to sign a user certificate request.

  4. Extend the CA expiry date with e.g. 20 years (20x365=7300):

    C:\Tools\OpenSSL\bin>openssl x509 -in demoCA/cacert.pem -days 7300 -out cacert.pem -signkey demoCA/private/cakey.pem

    You should see and do the following:

    Loading 'screen' into random state - done
    Getting Private key
    Enter pass phrase for demoCA/private/cakey.pem:

  5. Copy the file C:\Tools\OpenSSL\bin\cacert.pem into folder C:\Tools\OpenSSL\bin\demoCA\cacert.pem