OpenSSL Essentials: SSL Certificates, Private Keys and CSRs

OpenSSL is the command-line toolkit most administrators use to create keys, CSRs, and X.509 certificates, inspect PEM files, and convert formats for servers and clients. This tutorial collects practical openssl commands for RSA and elliptic-curve keys, CSRs with Subject Alternative Names (SANs), self-signed certificates, verification, live TLS checks with s_client, and PEM, DER, PKCS12, and PKCS7 workflows. It is written for operators who manage HTTPS on Linux servers, submit CSRs to public or private CAs, or troubleshoot handshake and trust problems.

How to Use This Guide:

• If you need background on CSRs, DN fields, and non-interactive -subj, start under What Is OpenSSL and Why It Matters for SSL/TLS Management and Creating Certificate Signing Requests (CSRs).
• Use Generating Private Keys with OpenSSL when you need new RSA or EC material, password protection, or a concise comparison of RSA 2048, RSA 4096, and P-256 curves.
• Jump to Creating Self-Signed Certificates for lab or internal TLS where browser trust is not required.
• Use Inspecting and Decoding Certificates, CSRs, and Keys, Verifying Certificate Validity and Expiry, and Testing Live TLS Connections with openssl s_client when validating files or remote services.
• Use Converting Certificate Formats when Windows, Java, or legacy apps require DER, PFX, or P7B bundles.
• Most commands use line continuation (\) for readability; you can paste them as multi-line blocks or join them into one line.

• Generate RSA keys with genrsa or genpkey, and EC keys with ecparam, including optional password encryption with AES-256.
• Build CSRs with -newkey, from an existing key, from an existing certificate, or from an OpenSSL config that carries SANs for DNS names and IP addresses.
• Issue self-signed certificates for non-production use, including SANs via -addext on OpenSSL 1.1.1 and newer.
• Inspect PEM-encoded certificates and CSRs, print RSA key structure with openssl rsa -text, and confirm that a key matches a cert or CSR using modulus hashes (RSA) or public key comparison (EC).
• Read notBefore and notAfter, verify a leaf against a CA file, and validate a chain with -untrusted intermediates per CA/Browser Forum Baseline Requirements practice.
• Debug live TLS with openssl s_client, including SNI, TLS 1.2 and TLS 1.3 probes (RFC 8446), and stapled OCSP status lines.
• Convert between PEM, DER, PKCS12 (PFX), and PKCS7 (P7B), including PKCS12 -legacy compatibility when older clients cannot read modern defaults.

OpenSSL ships by default on most Linux distributions and provides the openssl command for every file-based step in TLS certificate work: generating keys, building CSRs, signing certificates, inspecting PEM files, and converting between formats. Apache, NGINX, HAProxy, Postfix, and most Python and Node.js TLS libraries link against it directly, which means the same tool you use to issue a CSR also generates the keys those services consume in production.

OpenSSL’s Role in Certificate Workflows

Every TLS certificate moves through five stages: key generation, CSR creation, signing (by a public CA, internal CA, or self-signed), deployment to the consuming service, and renewal before expiry. OpenSSL provides a dedicated subcommand for each stage. The certificate format produced at the signing stage follows the X.509 profile defined in RFC 5280.

Private Key Generation
        |
        v
   CSR Creation
        |
        v
  CA Signing (or Self-Sign)
        |
        v
Certificate Deployment
        |
        v
  Renewal / Revocation

Key Concepts: Private Keys, CSRs, and Certificates Explained

Private key: A secret PEM or DER file that must stay on servers or HSMs you control. It signs proofs during TLS handshakes and must never be emailed, pasted into tickets, or checked into version control.

CSR (certificate signing request): A PEM-encoded PKCS#10 request that bundles your public key with a Distinguished Name (DN) and optional extensions (for example SANs). You send the CSR to a CA; the CA returns an identity-bound certificate without needing your private key.

Certificate: An X.509 public-key certificate (RFC 5280) that binds a subject name (and SAN entries) to a public key, carries validity dates, and may chain to a trusted root. Browsers and TLS clients use that binding during server authentication.

A Brief History of OpenSSL

OpenSSL traces its lineage to SSLeay, Eric Young’s SSL library from the 1990s, which formed the basis of the OpenSSL project’s first releases. The Heartbleed vulnerability disclosed in 2014 affected OpenSSL 1.0.1’s TLS heartbeat extension and prompted widespread coordination on patching, key rotation, and funding for maintenance. The OpenSSL Software Foundation now stewards the codebase. OpenSSL 3.0 released in September 2021 with a five-year LTS support window, followed by 3.1 (March 2023), 3.2 (November 2023), 3.3 (April 2024), and 3.4 (October 2024) on roughly annual cadences. OpenSSL 1.1.1 reached end of life in September 2023; production hosts should run 3.0 LTS or a newer maintained branch.

Private keys are the root of trust for your TLS identities. Generate them on trusted hosts, restrict file permissions (for example chmod 600 on key files), and store pass phrases outside configuration repositories when keys are encrypted.

Generate an RSA Private Key

This command writes an unencrypted 2048-bit RSA private key to a PEM file:

# genrsa: RSA key generation; -out sets the PEM path; 2048 selects the modulus size in bits
openssl genrsa -out domain.key 2048

Example output:

Generating RSA private key, 2048 bit long modulus
........................................................................+++++
............+++++
writing new private key to 'domain.key'

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out domain.key

Generate an EC (Elliptic Curve) Private Key

This command generates a P-256 (prime256v1) EC private key in PEM format:

openssl ecparam -genkey -name prime256v1 -noout -out ec.key

A P-256 EC key offers security comparable to RSA 3072 at a fraction of the byte size (256 bits vs 3072 bits). On modern x86 hardware, P-256 signing is roughly an order of magnitude faster than RSA 2048 signing, which reduces server CPU on high-handshake-rate workloads. Verification is the inverse (RSA verifies faster than P-256), but TLS servers sign once per handshake while clients verify, so the asymmetry favors EC at the server.

Generate a Password-Protected Private Key

This command creates a new 2048-bit RSA key encrypted with AES-256:

openssl genrsa -aes256 -out domain.key 2048

You enter a pass phrase when prompted. Older documentation often shows -des3; Triple-DES remains available for compatibility, but AES-256 is the better default for new keys.

This legacy invocation matches older tutorials and still works when you must match Triple-DES-encrypted PEM expectations:

openssl genrsa -des3 -out domain.key 2048

Encrypt an existing unencrypted key (same operation class as protecting material at rest):

openssl rsa -aes256 \
       -in unencrypted.key \
       -out encrypted.key

Triple-DES encryption for an existing RSA key matches the older openssl rsa -des3 pattern:

openssl rsa -des3 \
       -in unencrypted.key \
       -out encrypted.key

Decrypt an encrypted key (requires the pass phrase):

openssl rsa \
       -in encrypted.key \
       -out decrypted.key

RSA 2048 vs 4096 vs EC 256: When to Use Each

For real numbers on your hardware, run openssl speed rsa2048 rsa4096 ecdsap256. The relative ratios above hold on most x86_64 servers; absolute throughput depends on CPU, AES-NI availability, and cipher suite.

CSRs encode the subject, public key, and requested extensions so a CA can issue a certificate that matches your DNS names and identity checks.

About Certificate Signing Requests

If you obtain an SSL certificate from a public or private CA, you generate a CSR that contains your public key plus signing inputs the CA needs. Both components are incorporated into the issued certificate.

When you create a CSR interactively, OpenSSL prompts for a Distinguished Name (DN). The Common Name (CN) must match the primary hostname when SANs are absent; modern certificates should include SANs for every hostname clients will use.

Other DN fields identify your organization. Commercial CAs often require accurate legal names and locations.

Interactive prompts resemble:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:

To pass subject fields non-interactively, append the -subj option to any openssl req command:

openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -out domain.csr \
    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

See openssl-req for additional DN controls.

Generate a CSR and Private Key in One Command

Use this method when you need a new RSA key and CSR together for CA submission:

openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -out domain.csr \
       -sha256

Complete the CSR prompts unless you also pass -subj.

Generate a CSR Using an Existing Private Key

Use this method when the key already exists and only the CSR is new:

openssl req \
       -key domain.key \
       -new -out domain.csr

Generate a CSR from an Existing Certificate and Private Key

Use this method when you renew or reissue and need a CSR that mirrors an existing certificate’s subject because the original CSR is missing:

openssl x509 \
       -in domain.crt \
       -signkey domain.key \
       -x509toreq -out domain.csr

Generate a CSR with a Config File (Including SANs)

This workflow keeps SANs out of interactive prompts and documents requested DNS names and addresses in one file.

1. Create san.cnf:

[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[dn]
C  = US
ST = New York
L  = Brooklyn
O  = Example Brooklyn Company
CN = examplebrooklyn.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = examplebrooklyn.com
DNS.2 = www.examplebrooklyn.com
IP.1  = 192.168.1.10

2. Generate the CSR:

openssl req \
    -new \
    -key domain.key \
    -out domain.csr \
    -config san.cnf

3. Confirm SANs:

openssl req -text -noout -in domain.csr | grep -A1 "Subject Alternative"

Single-command CSR with -addext (OpenSSL 1.1.1+):

openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -out domain.csr \
    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com" \
    -addext "subjectAltName=DNS:examplebrooklyn.com,DNS:www.examplebrooklyn.com"

Self-signed certificates encrypt TLS channels but are not anchored in public trust stores. Use them for development, administrative interfaces, or private networks where you distribute your own roots.

Generate a Self-Signed Certificate from a New Key

This command creates a new RSA key and a self-signed certificate:

openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out domain.crt

Generate a Self-Signed Certificate from an Existing Private Key

This command generates a self-signed certificate from a private key you already have, prompting for subject details unless you add -subj:

openssl req \
       -key domain.key \
       -new \
       -x509 -days 365 -out domain.crt

Generate a Self-Signed Certificate from an Existing Private Key and CSR

openssl x509 \
       -signkey domain.key \
       -in domain.csr \
       -req -days 365 -out domain.crt

Generate a Self-Signed Certificate with SANs

Modern TLS clients expect SAN entries even when the certificate is self-signed:

openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -x509 -days 365 -out domain.crt \
    -subj "/CN=examplebrooklyn.com" \
    -addext "subjectAltName=DNS:examplebrooklyn.com,DNS:www.examplebrooklyn.com"

Deploy the Certificate to a Web Server

After generating a key and certificate, place them where your web server can read them, set permissions correctly, and reload the service.

Standard file layout on Linux:

sudo mv domain.crt /etc/ssl/certs/domain.crt
sudo mv domain.key /etc/ssl/private/domain.key
sudo chmod 644 /etc/ssl/certs/domain.crt
sudo chmod 600 /etc/ssl/private/domain.key
sudo chown root:root /etc/ssl/certs/domain.crt /etc/ssl/private/domain.key

Reload NGINX after pointing the config at the new files:

sudo nginx -t && sudo systemctl reload nginx

Reload Apache:

sudo apachectl configtest && sudo systemctl reload apache2

Use these commands to read the content of a certificate, CSR, or private key without converting the file first.

View the Contents of a Certificate

This command prints the decoded X.509 fields for inspection per RFC 5280 profile:

openssl x509 -text -noout -in domain.crt

Truncated example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Issuer: CN = Example CA
        Validity
            Not Before: Jan  1 00:00:00 2026 GMT
            Not After : Dec 31 23:59:59 2027 GMT
        Subject: CN = examplebrooklyn.com
        ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:examplebrooklyn.com, DNS:www.examplebrooklyn.com

Decode and View CSR Details

openssl req -text -noout -verify -in domain.csr

Example snippet:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = New York, L = Brooklyn, O = Example Brooklyn Company, CN = examplebrooklyn.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:examplebrooklyn.com, DNS:www.examplebrooklyn.com

View a Private Key’s Details

For RSA keys:

openssl rsa -text -noout -in domain.key

For EC keys, swap rsa for ec:

openssl ec -text -noout -in ec.key

Validate an RSA key file without printing full structure:

openssl rsa -check -in domain.key

Encrypted keys prompt for a pass phrase; success confirms the PEM parses.

Verify That a Private Key Matches a Certificate and CSR

These commands compare RSA modulus digests so you can confirm one key belongs to one certificate and CSR:

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

Matching MD5 lines imply the same RSA key pair underlies each artifact.

openssl ec -pubout -in ec.key | openssl md5
openssl x509 -pubkey -noout -in domain.crt | openssl md5

Run these commands to confirm a certificate is within its validity window and that it chains to a CA you trust. The openssl verify command checks the chain against the file or directory you pass via -CAfile or -CApath, not against the system trust store used by browsers.

Check a Certificate’s Expiry Date

openssl x509 -enddate -noout -in domain.crt

Example:

notAfter=Dec 31 23:59:59 2027 GMT

Both endpoints:

openssl x509 -dates -noout -in domain.crt

Verify a Certificate Against a CA Bundle

openssl verify -verbose -CAfile ca.crt domain.crt

Exit code 0 means OpenSSL built a path to a trusted anchor consistent with RFC 5280 processing rules. Failure example:

CN = wrong.example.com
error 62 at 0 depth lookup: Hostname mismatch
domain.crt: verification failed

Verify a Full Certificate Chain

openssl verify -CAfile ca-chain.pem -untrusted intermediate.pem domain.crt

Place intermediates in -untrusted when verifying how browsers would chain signed TLS certificates. Public CAs must issue subscriber certificates that conform to CA/Browser Forum Baseline Requirements, including correct chaining practices.

Use openssl-s_client to reproduce client-side handshakes without a browser.

Connect to a Remote Server and Inspect Its Certificate

openssl s_client -connect example.com:443 -servername example.com

Truncated output excerpt:

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Example CA, CN = Example Intermediate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Test Specific TLS Protocol Versions

# Test TLS 1.2
openssl s_client -connect example.com:443 -tls1_2

# Test TLS 1.3
openssl s_client -connect example.com:443 -tls1_3

If the server lacks support for the selected version, the handshake fails quickly. Treat that as a capability signal, not necessarily a production defect.

Check OCSP Stapling and Certificate Revocation

openssl s_client -connect example.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:'

OCSP stapling lets the server attach a fresh revocation proof during the TLS handshake. If you see OCSP response: no response sent, the server chose not to staple, which is common and not automatically an error.

Diagnose Common TLS Errors with s_client

Three handshake failures account for most production TLS issues. Each one shows up in distinct s_client output.

Hostname mismatch. The certificate’s SAN list does not include the hostname you connected to:

verify error:num=62:Hostname mismatch

Re-issue the certificate with the correct SAN entries, or connect with the hostname that is actually in the SAN list.

Expired certificate or chain element:

verify return code: 10 (certificate has expired)

Inspect every certificate the server presents, including intermediates. The pipeline below splits the chain into individual files and prints the subject and expiry date for each:

openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/{n++} n{print > ("/tmp/cert-" n ".pem")}' \
  && for f in /tmp/cert-*.pem; do openssl x509 -subject -enddate -noout -in "$f"; done \
  && rm /tmp/cert-*.pem

The awk step writes each PEM block to a numbered file under /tmp/, the for loop prints subject and notAfter per certificate, and the final rm cleans up the temporary files. This pipeline uses only POSIX awk and runs on Linux, macOS, and BSD.

Untrusted intermediate (server sent leaf only):

verify return code: 21 (unable to verify the first certificate)

The server is not bundling the intermediate. For NGINX, concatenate the leaf and the intermediate into one file and point ssl_certificate at it:

cat domain.crt intermediate.crt > fullchain.crt

Test mutual TLS (client certificate authentication):

openssl s_client \
    -connect example.com:443 \
    -cert client.crt \
    -key client.key

Use this when the server requires a client certificate. A server that requires mTLS but receives no client cert closes the handshake with tlsv13 alert certificate required.

Format Overview and Conversion Paths

Convert PEM to DER

openssl x509 \
       -in domain.crt \
       -outform der -out domain.der

Convert DER to PEM

This command converts a binary DER-encoded certificate back to a PEM-encoded file:

openssl x509 \
       -inform der -in domain.der \
       -out domain.crt

Convert PEM to PKCS12 (PFX)

Full export with CA chain:

openssl pkcs12 \
    -export \
    -inkey domain.key \
    -in domain.crt \
    -certfile ca-chain.pem \
    -out domain.pfx

Minimal export without separate chain file (still valid when the leaf PEM already includes intermediates concatenated):

openssl pkcs12 \
       -inkey domain.key \
       -in domain.crt \
       -export -out domain.pfx

You may leave export passwords blank when tooling permits.

Convert PKCS12 to PEM

openssl pkcs12 \
       -in domain.pfx \
       -nodes -out domain.combined.crt

Convert PEM to PKCS7 (P7B)

openssl crl2pkcs7 -nocrl \
       -certfile domain.crt \
       -certfile ca-chain.crt \
       -out domain.p7b

Convert PKCS7 to PEM

openssl pkcs7 \
       -in domain.p7b \
       -print_certs -out domain.crt

The openssl version command reports your binary version and build-time options, which affect feature availability.

openssl version -a

Example OpenSSL 3.x output:

OpenSSL 3.0.13 30 Jan 2024
built on: Wed Apr 10 12:00:00 2024 UTC
platform: linux-x86_64
compiler: gcc ...
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific

OpenSSL 1.0.x and 1.1.x branches are end of life upstream; production hosts should run maintained OpenSSL 3.x releases supplied by your OS vendor or follow the OpenSSL release strategy if you build from source.

OpenSSL remains the default toolkit on most Linux servers and the widest documented surface for file-based PKI. Alternative libraries exist because vendors optimize for different constraints: licensing, code review surface, API stability, or memory safety guarantees.

When to Consider an Alternative

Choose BoringSSL when you ship software that must track Google’s TLS expectations or reuse Chromium networking stacks. Pick LibreSSL when your platform standardizes on OpenBSD releases and you accept a divergent command-line tool in some distributions. Prefer Rustls when you write Rust services and want a pure-Rust TLS implementation without OpenSSL linkage. Stay on OpenSSL for everyday Linux server certificate tasks, because documentation, distribution packages, and third-party integrations assume it.

Manual renewal works for one or two servers. Beyond that, automate it. Two paths cover most deployments.

ACME automation with Certbot for public certificates from Let’s Encrypt or any ACME-compatible CA:

sudo certbot renew --dry-run

A successful dry run confirms that the systemd timer or cron job Certbot installs at setup will renew certificates before expiry. Confirm the timer is active:

sudo systemctl list-timers | grep certbot

Custom renewal script for internal CAs or certificates outside ACME. The script should:

1. Generate a CSR from the same san.cnf used during issuance
2. Submit the CSR to your CA endpoint or signing tool
3. Atomically replace the certificate file in /etc/ssl/certs/
4. Reload the consuming service after a successful config test
5. Send a notification on success or failure

Run the script from a systemd timer rather than cron when possible. systemd timers log to the journal, support service dependencies, and can retry on transient failure.

Monitor expiry independently of the renewal job. A mismatched timer or a script that fails silently still leaves you with an expired certificate. A weekly cron job that pipes openssl x509 -enddate -noout output into your alerting pipeline catches the case where automation broke without anyone noticing.

How do I generate a CSR using an existing private key instead of creating a new one?

Run openssl req with -key pointing at your PEM key and -new to emit a CSR file:

openssl req -key existing.key -new -out request.csr

Add -subj or -config when you want to skip prompts or attach SANs.

How do I add Subject Alternative Names (SANs) to a CSR?

Place SANs under [req_ext] in an OpenSSL config referenced by -config, or pass -addext 'subjectAltName=DNS:example.com,DNS:www.example.com' on OpenSSL 1.1.1 or newer:

openssl req -new -key domain.key -out domain.csr -config san.cnf

Confirm with openssl req -text -noout -in domain.csr.

How do I check when an SSL certificate expires?

Print the notAfter field:

openssl x509 -enddate -noout -in domain.crt

Use -dates when you need both notBefore and notAfter.

How do I verify that a private key matches a certificate?

For RSA, compare modulus hashes:

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5

Identical lines confirm the same key pair.

How do I decode and read the contents of a CSR?

Use req -text with -verify to validate structure:

openssl req -text -noout -verify -in domain.csr

SANs and the subject DN appear in the decoded text.

How do I convert a PEM certificate to PFX/PKCS12 format?

Export with pkcs12 -export, referencing the key, leaf cert, and optional chain:

openssl pkcs12 -export -inkey domain.key -in domain.crt -certfile ca-chain.pem -out domain.pfx

Add -legacy if an older importer rejects OpenSSL 3 defaults.

What is the difference between RSA 2048 and RSA 4096 for a private key?

RSA 4096 uses a larger modulus than RSA 2048, which increases asymmetric work during handshakes while offering additional security margin under classical threat models. RSA 2048 remains the common default for public TLS certificates today; choose RSA 4096 when policy explicitly requires it.

How do I use openssl s_client to test a live TLS connection?

Open a client connection and print negotiated parameters:

openssl s_client -connect example.com:443 -servername example.com

Append -tls1_2 or -tls1_3 to narrow protocol probes, and -showcerts to dump PEM chains.

This tutorial walked through OpenSSL workflows spanning RSA and EC private keys, CSR creation with SANs via config files and -addext, three patterns for self-signed certificates plus SAN coverage, PEM inspection commands, modulus matching checks, scheduled expiry queries, CA bundle verification, chain validation with intermediates, live TLS probing with openssl s_client, and conversions among PEM, DER, PKCS12, and PKCS7 containers.

You can now provision keys safely, submit CSRs that reflect modern hostname rules, validate certificates before enabling HTTPS, diagnose handshake behavior against remote ports, and export bundles for mixed Linux and Windows environments while accounting for OpenSSL 3 PKCS12 defaults.

Continue by automating issuance with Let’s Encrypt or your own CA, hardening web server TLS configurations, and linking application databases that require mutual TLS. Useful next reads:

• How To Secure Nginx with Let’s Encrypt on Ubuntu 22.04
• How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 22.04
• How To Set Up and Configure a Certificate Authority (CA) on Ubuntu 22.04
• How To Secure Apache with Let’s Encrypt on Ubuntu 22.04
• How To Configure SSL/TLS for MySQL on Ubuntu 18.04