How to create a certificate signing request using OpenSSL


To add HTTPS to a website we need to get a certificate. Certificate authorities like Comodo, DigiCert and Symantec issue a certificate for a given domain name. To issue a certificate, a certificate authority needs a “Certificate Signing Request (CSR)”. A CSR is a file which contains details like the country, location and common name (the domain) for which the certificate is required. Once the CSR is passed to the Certificate Authority (CA), the CA validates the authenticity of the details and issues the certificate.

To generate a certificate signing request (CSR) we need the private key of the website for which we need the certificate. The openssl command is used to create the CSR.

Certificates are used in HTTPS and public key cryptography so that the client or receiver can verify that a public key comes from the expected source and not from an impostor. Since the client (browser) trusts the CA that issued the certificate, it trusts the certificate of the website. This is also called the chain of trust.

Certificates are used to certify ownership of a public key.

Creating a certificate signing request (CSR) is the second step in enabling HTTPS for a website:

  • Create public/private key pair
  • Create Certificate Signing Request (CSR)
  • Provide CSR Data to Certificate Authority (CA) for validation
  • CA issues certificate
  • Configure web servers like Apache and Nginx to use the certificate

If there is no private key yet, generate one using the following command

$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 -out domain-keypair.pem

or, if you don’t care about the other options, simply use the following command

$ openssl genrsa -out domain-keypair.pem  2048

Generate the CSR file using the private key

openssl req -new -key domain-keypair.pem   -out domain.csr

You can combine both steps above. That is, creating the private key together with the CSR is possible with the following command

$ openssl req -new -newkey rsa:2048 -keyout domain-keypair.pem -out domain.csr

The same command with -nodes (“no DES”), which writes the private key unencrypted so you are not prompted for a passphrase

openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

The details of a certificate signing request (CSR) can be displayed in human-readable form using the following command

$ openssl req -in domain.csr -text -noout

Where,
-in domain.csr is the input CSR file
-text prints the signing request in human-readable form
-noout suppresses the Base64-encoded CSR in the output

Some of the popular certificate authorities are

  • Symantec
  • Comodo
  • DigiCert
  • GoDaddy
  • GlobalSign
  • Thawte

If what you are looking for is not a certificate signing request but a self-signed certificate, use the following command to create a certificate signed with the given key

openssl req -new -x509 -key cakey.pem -out cert.pem -days 365

Replace the -key, -out and -days options with values that suit your situation. As shown above, passing the -x509 option to “openssl req -new” produces a certificate instead of a signing request. After running the command you will be prompted to enter Country, State, Common Name etc. Enter appropriate values to proceed.

The Common Name is typically the domain name.

By default the “openssl req” command prompts for the different fields of the CSR or certificate. A certificate signing request can be generated non-interactively, to automate the process, using either of the following methods

  • Generate CSR non-interactively by passing fields as options
  • Generate CSR using config file

Generate CSR non-interactively

An example command with all necessary fields passed through the -subj option

openssl req -new -key domain-keypair.pem -out domain.csr -subj "/C=GB/ST=London/L=London/O=getKT/OU=ICT/CN=example.com"

Generate CSR using config file

Command to generate a CSR using a config file

openssl req -new -key domain-keypair.pem -out domain.csr -config domain-csr.conf

A typical config file to pass the information needed to generate a CSR is as follows

[req]
default_bits       = 2048
distinguished_name = req_dn
# without this line (or -reqexts req_ext on the command line) the [req_ext] section is ignored
req_extensions     = req_ext
prompt             = no

[req_dn]
C="GB"
ST="London"
L="London"
O="getKT"
OU="ICT"
emailAddress="name@mail.com"
CN="example.com"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = *.example.com

Where,

[req]      options for the req command
[req_ext]  the extensions section for the CSR, selected via req_extensions in [req] or with -reqexts on the command line

The meaning of each field

C    Country
ST   State or province
L    Locality (city)
O    Organization
OU   Organizational Unit
CN   Common Name

Check the information using OpenSSL

Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Check a private key and verify the key’s internal consistency

openssl rsa -in privateKey.key -check

Check a certificate

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12
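The config-file method and the checks above, put together as an added example (not from the original post): the script writes a config with a SAN section, generates a key and CSR non-interactively, then verifies the CSR’s self-signature, confirms its public key matches the private key, and confirms the SAN was actually included. File names and example.com are constructed placeholders.

```shell
# Added example, not from the original post: build a CSR non-interactively from
# a config file, then verify it before sending it to a CA. File names and
# example.com are constructed placeholders.
set -eu
WORKDIR="$(mktemp -d)"; trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/domain-keypair.pem"; CSR="$WORKDIR/domain.csr"; CONF="$WORKDIR/domain-csr.conf"

# req_extensions points [req] at the SAN section; without it (or -reqexts req_ext
# on the command line) the [req_ext] section is silently ignored.
write_conf() {
  cat > "$CONF" <<'EOF'
[req]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no
[req_dn]
C  = GB
ST = London
L  = London
O  = getKT
OU = ICT
CN = example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
EOF
}

# Unencrypted 2048-bit RSA key (same effect as -nodes), then the CSR itself.
make_csr() {
  write_conf
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
  openssl req -new -key "$KEY" -out "$CSR" -config "$CONF"
}

# A CSR is self-signed with the private key; -verify checks that signature.
csr_signature_ok() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }

# The public key inside the CSR must match the private key you will deploy.
csr_matches_key() {
  [ "$(openssl pkey -in "$KEY" -pubout)" = "$(openssl req -in "$CSR" -noout -pubkey)" ]
}

# Confirm the wildcard SAN actually made it into the request.
csr_has_san() { openssl req -in "$CSR" -noout -text | grep -q 'DNS:\*\.example\.com'; }
make_csr && csr_signature_ok && csr_matches_key && csr_has_san \
  && openssl req -in "$CSR" -noout -subject
```

If the public-key comparison fails, the CSR was generated from a different key than the one you intend to deploy, and the CA-issued certificate will not match your server key.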
