Posted by: kahgoh on: 21 June, 2008
I first came across OpenSSL when I first started work at Motorola in Perth, Western Australia. In their own words, the OpenSSL project:
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
Once installed, we can use OpenSSL to generate a chain of X.509 certificates. To do this, a self-signed certificate must first be generated. This will become the root certificate.
openssl genrsa > [root key file]
openssl req -x509 -key [root key file] -new -out [root certificate file]
Now that we have the first certificate in the chain, we can generate the other certificates in the chain.
openssl genrsa > [key file]
openssl req -new -key [key file] -out [request file]
openssl x509 -CAkey [root key file] \
    -CA [root certificate file] \
    -CAcreateserial -req \
    -in [request file] \
    -out [output certificate]
Following these steps will give you a chain of two certificates. You can generate a longer chain by generating keys and certificate signing requests for each of the certificates and then signing them, as above. The only difference is that, in the final step, you have to substitute the root key file and root certificate file with the certificate’s issuer key and certificate file.
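The longer chain described above, as an added example that is not part of the original post: it builds root, intermediate and leaf certificates and checks them with openssl verify. It also shows a case the steps above do not cover: an intermediate signed without -extfile carries no basicConstraints CA:TRUE, so OpenSSL rejects any chain that passes through it. The file names, subject names and the ca.ext extension file are constructed for the demo, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: root -> intermediate -> leaf, plus a chain whose intermediate
# was signed without CA extensions. All names are constructed for this demo.
set -eu

new_csr() {  # new_csr <name> <common name>: key plus signing request
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

sign_csr() {  # sign_csr <name> <issuer> [extension file]
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 30 ${3:+-extfile "$3"} -out "$1.crt" 2>/dev/null
}

build_chains() (  # build_chains <work dir>; the body runs in a subshell
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

    # Root: self-signed from a CSR so the CA extensions are explicit here
    # (the post's "req -x509" takes its extensions from openssl.cnf instead).
    new_csr root "Demo Root"
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out root.crt 2>/dev/null

    # Intermediate marked as a CA, and a leaf issued by it.
    new_csr int "Demo Intermediate";  sign_csr int root ca.ext
    new_csr leaf "leaf.example.test"; sign_csr leaf int

    # The same steps without -extfile on the intermediate.
    new_csr bad "Demo Plain Intermediate";  sign_csr bad root
    new_csr badleaf "badleaf.example.test"; sign_csr badleaf bad
)

verify_chain() {  # verify_chain <work dir> <intermediate> <leaf>; exit status is the verdict
    ( cd "$1" && openssl verify -CAfile root.crt -untrusted "$2.crt" "$3.crt" ) \
        >/dev/null 2>&1
}

work=$(mktemp -d)
build_chains "$work"
verify_chain "$work" int leaf && echo "intermediate with CA:TRUE: chain verifies"
verify_chain "$work" bad badleaf || echo "intermediate without CA:TRUE: chain rejected"
```

Inspecting int.crt and bad.crt with the x509 -text command shows the difference: only int.crt lists the X509v3 Basic Constraints extension with CA:TRUE.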
Once the certificates are generated, you can look back at the contents of a certificate by using the following command:
openssl x509 -text -noout -in [certificate file]
There is a whole bunch of other things that we can do with OpenSSL, but I’ll leave that for another time!
1 | Shanmei
23 June, 2008 at 12:11 am
Hi Kah,
Think it’s great what you have here.
I remember working with you on the validating X509 certificate script. Couldn’t have done it without your expertise.
Thanks for blogging about OpenSSL. I look forward to reading more about it.