To add HTTPS to a website we need to get a certificate. Certificate authorities like Comodo, DigiCert and Symantec issue a certificate for a given domain name. To issue a certificate, a certificate authority needs a “Certificate Signing Request (CSR)”. A CSR is a file which contains details like country, location and common name (domain) for which the certificate is required. Once the CSR file is passed to the Certificate Authority (CA), they validate the authenticity of the details and issue the certificate.
To generate a certificate signing request (CSR) we need the private key of the website for which we need the certificate. The openssl command is used to create the CSR.
Certificates are used in HTTPS, and in public key cryptography generally, so that the client or receiver can verify that a public key comes from the expected source and not from an impostor. Since the client (browser) trusts the CA that issued the certificate, it trusts the certificate of the website. This is also called the chain of trust.
Certificates are used to certify the ownership of a public key.
Creating a certificate signing request (CSR) is the second step in enabling HTTPS for a website:
Creating certificate signing request (CSR) is the second step to enable HTTPS for a website.
- Create public/private key pair
- Create Certificate Signing Request (CSR)
- Provide CSR Data to Certificate Authority (CA) for validation
- CA issues certificate
- Configure web servers like Apache and Nginx to use the certificate
If you do not already have a private key, generate one using the following command
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out domain-keypair.pem
or, if the other options do not matter to you, simply use the following command
$ openssl genrsa -out domain-keypair.pem 2048
Generate the CSR file using the private key
openssl req -new -key domain-keypair.pem -out domain.csr
You can combine both steps above. That is, creating the private key together with the CSR is possible with the following command
$ openssl req -new -newkey rsa:2048 -keyout domain-keypair.pem -out domain.csr
The same command without encrypting the private key (-nodes, i.e. “no DES”), so no passphrase is requested
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
Details of a certificate signing request (CSR) can be displayed in human-readable format using the following command
$ openssl req -in domain.csr -text -noout
Where,
-in domain.csr is the input CSR file
-text will display signing request in pretty human readable format
-noout will not append encoded CSR in output
Some of the popular certificate authorities are
- Symantec
- Comodo
- DigiCert
- GoDaddy
- GlobalSign
- Thawte
If what you are looking for is not a certificate signing request but a self-signed certificate, use the following command to create a certificate signed with the given key
openssl req -new -x509 -key cakey.pem -out cert.pem -days 365
Replace the -key, -out and -days options with values that suit your situation. As shown above, passing the -x509 option to the “openssl req -new” command produces a certificate instead of a signing request. After running the command you will be prompted to enter Country, State, Common Name, etc. Enter appropriate values to proceed.
Common Name is typically the domain name
By default the “openssl req” command prompts for the various fields of the CSR or certificate. A certificate signing request can also be generated non-interactively, to automate the process, using either of the following methods
- Generate CSR non-interactively by passing fields as options
- Generate CSR using config file
Generate CSR non-interactively
An example command with all the necessary fields passed through the -subj option
openssl req -new -key domain-keypair.pem -out domain.csr -subj "/C=GB/ST=London/L=London/O=getKT/OU=ICT/CN=example.com"
Generate CSR using config file
Command to generate a CSR using a config file
openssl req -new -key domain-keypair.pem -out domain.csr -config domain-csr.conf
A typical config file used to pass the information needed to generate a CSR looks as follows
[req]
default_bits = 2048
distinguished_name = req_dn
prompt = no
[req_dn]
C="GB"
ST="London"
L="London"
O="getKT"
OU="ICT"
emailAddress="name@mail.com"
CN="example.com"
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = *.example.com
Where,
- [req] holds the options for the req command
- [req_ext] is the extension section selected with -extensions
Describing each option
- C: Country
- ST: State
- L: Locality (location)
- O: Organization
- OU: Organizational Unit
- CN: Common Name
Check the information using OpenSSL
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
Check a private key and verify the SSL key consistency
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
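The following shell script, added here as an example and not part of the original article, puts the config-file method and the check commands together: it writes a config carrying the SAN section, wires that section into the request with req_extensions = req_ext so the SAN actually ends up in the CSR, generates key and CSR non-interactively, then verifies the request signature, confirms the CSR's public key matches the private key, and reads the SAN back. The domain and DN values are constructed sample data; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR from a config file, then the checks.
# Assumes openssl on PATH; DN and domain values below are constructed samples.
set -eu

# make_csr DIR DOMAIN: writes DIR/key.pem and DIR/req.csr, prints the CSR path
make_csr() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  # req_extensions wires [req_ext] into the request, so the SAN lands in the CSR
  cat > "$dir/csr.conf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_dn
req_extensions = req_ext
prompt = no
[req_dn]
C = GB
ST = London
L = London
O = "Example Org"
CN = $domain
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = $domain
DNS.1 = www.$domain
EOF
  # -nodes leaves the key unencrypted so no passphrase prompt blocks automation
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/req.csr" -config "$dir/csr.conf" 2>/dev/null
  echo "$dir/req.csr"
}

# csr_verify CSR: succeeds only if the request's self-signature verifies
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches CSR KEY: succeeds only if the CSR carries KEY's public key
key_matches() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_san CSR: prints the subjectAltName line from the decoded request
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | sed 's/^ *//'
}
```

A CSR that passes csr_verify but fails key_matches is the usual symptom of a key file being regenerated after the request was made; the CA will issue a certificate that the server then cannot use.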