In order to expose HTTPS services one needs to provide an X509 certificate signed by a certificate authority (CA). Several trusted CAs are globally available and their public keys are by default configured in browsers. Hence, when the browser talks to linkedin.com, for example, it can check whether the LinkedIn’s certificate isn’t forged by verifying its signature against the associated CA’s configured public key. This way, the browser makes sure it communicates with the right service.

The operations required to create, store and convert X509 keys and certificates are not only quite complex but also repetitive, hence this memento of how to do it.