Simple steps to generate CSR using openssl with examples Table of Contents Steps involved to configure SSL Create the certificate signing request (CSR) Submit the request Download the certificate Install the certificate List of third party CA What is Certificate Signing Request (CSR)? Pre-requisites Generate CSR (Interactive) Generate CSR (Non-interactive) Verify Certificate Signing Request What’s Next Conclusion How to generate Certificate Signing Request using openssl in Linux. is it possible to generate CSR with openssl? Can we automate the steps to create Certificate Signing Request instead of interactive prompts? Do we need ssl.conf to generate CSR with openssl?

In this tutorial I will cover these questions and share the steps to generate CSR using openssl in Linux.

Steps involved to configure SSL You can either create your own CA certificate or you can send request to third party CA for certificates to be used by your application. One of the most common uses of certificates is to have the certificate installed on the web server for SSL, which encrypts traffic between the client and the server.

When configuring SSL on a web site, or applying certificates to any application, there are four major steps:

ALSO READ: Many people miss most important points when they are creating a CSR. If you are not sure about what should be added for individual fields then I would recommend to read this article before you generate CSR: Things to consider when creating CSR with OpenSSL

Create the certificate signing request (CSR) The first step is to create the certificate request, also known as the certificate signing request (CSR). You typically navigate to the web site of the CA to fill out a web form to create the request or create the request from the actual application. For example, Microsoft’s IIS and Exchange Server have wizards to create the certificate request. Once the request is made, it is stored in a text file. We will use openssl to generate CSR which can also be submitted to third party CA or can be used by your own CA certificates

Submit the request Once you have the CSR, you are then ready to submit the request (contents of the CSR) to the CA. For third part CA, you can do this by navigating to the CA’s web site. If you are using your own CA then this can be done using openssl

Download the certificate After submitting the request through the web site for third party CA, you need to download the resulting certificate to your computer. You typically are provided a link at the end of the “submit the request” phase to download the certificate. With openssl at the end of execution you will get your certificates based on the path provided.

Install the certificate Once you have the certificate, you can install it in your application.

List of third party CA The following are some Certificate Authorities:

CertiSign (Brazilian, part of VeriSign) Entrust IKS GmbH (German) Thawte (part of VeriSign) VeriSign All of these companies accept certificate-signing requests generated by the mod_ssl package, for use with Apache with mod_ssl.

What is Certificate Signing Request (CSR)? When you make your server key file and certificate, you also make a certificate-signing request. A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. The information required for this request must match exactly the Company Name, registered domain name, and other details that are required by the Certificate Authority, in order for them to process your request. The Company Name must match the FQDN of your server or else the certificate will throw name mismatch error or TLS handshake failure CSR also includes many other details related to your organization for which you are requesting the certificates The file is automatically encoded in a special format.

Pre-requisites I hope you have an overview of openssl and different terminologies using with certificates. Since I am using a Linux environment, I will use openssl to generate private key and CSR for this tutorial. openssl is installed by default in more Linux distributions. You can verify the same using

rpm -q openssl

openssl-1.1.1c-2.el8.x86_64 If it is not installed then based on your distribution you can install openssl package. I am using RHEL/CentOS so I will use yum to install opensll. For Ubuntu, Debian you can use apt-get

yum -y install openssl

IMPORTANT NOTE: Make sure you keep the private key which you will generate with your CSR. Your CSR will work only with this private key.

Generate CSR (Interactive) In this example I will show the interactive method which means you will be prompted to fill in the required data for CSR.

To generate a Certificate Signing request you would need a private key. Ideally I would use two different commands to generate each one separately but here let me show you single command to generate both private key and CSR

openssl req -new -newkey rsa:2048 -nodes -keyout ban27.key -out ban27.csr

In this example we are creating a private key (ban27.key) using RSA algorithm and 2048 bit size. Next we will use this ban27.key to generate our CSR (ban27.csr)

HINT: Here the private key is not encrypted, if you wish to have an encrypted private key then you can remove -nodes from this command and the command will prompt you to add passphrase for private key Snippet output from my terminal for this command

Here,

-newkey: This option creates a new certificate request and a new private key. rsa:2048: Generates RSA key with 2048 bit size -nodes: The private key will be created without any encryption -keyout: This gives the filename to write the newly created private key to -out: This specifies the output filename to write to or standard output by default. So our key and CSR are created:

ls -l ban27.*

-rw-r--r-- 1 root root 1078 Aug 10 08:21 ban27.csr -rw------- 1 root root 1704 Aug 10 08:20 ban27.key

Generate CSR (Non-interactive) In this example I will share non-interactive method to generate CSR which means you will not be prompted for any input.

Create a configuration file with the content required to generate CSR. I have created a sample file which you can use as template.

cat server_cert.cnf

[req] distinguished_name = req_distinguished_name prompt = no [req_distinguished_name] C = IN ST = Karnataka L = Bengaluru O = GoLinuxCloud OU = R&D CN = ban27.example.com Next we will use the same command as earlier and add -config server_cert.cnf to make sure you are not prompted for any input.

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out ban27.csr -config server_cert.cnf

As expected this command didn't prompt for any input. We can use this for automation purpose. Below is a snippet from my terminal

Verify Certificate Signing Request Now since we have our CSR, we will verify the content of the certificate.

openssl req -noout -text -in ban27.csr

Certificate Request: Data: Version: 1 (0x0) Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = ban27.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b9:de:b9:d5:6a:36:77:1e:72:76:28:09:5e:d5: 61:17:60:fc:ed:4d:b2:22:61:5d:24:16:88:6d:89: b5:ae:45:74:1f:39:f0:4f:bc:1c:07:f2:82:d6:4b: 10:29:05:15:e2:78:26:2c:82:e1:5e:c7:54:8f:94: eb:d0:79:80:43:d0:d8:9e:04:88:d6:d3:4c:c0:25: 61:f8:67:98:fb:17:cd:35:e5:d9:1f:d0:6f:83:2f: a2:82:9f:1d:aa:77:4f:7f:e8:50:ea:80:96:7d:31: a9:c3:16:6a:30:7e:8f:52:5a:8c:b6:62:97:d6:84: 17:19:f4:1c:95:39:94:c0:81:86:25:9b:85:50:65: c6:39 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 51:81:12:53:22:8e:92:3c:c0:7c:b6:dc:cc:ff:63:35:6a:24: 2d:3e:f2:1f:d0:df:bf:c8:73:02:ea:19:d5:ff:2d:b5:78:3d: b4:a7:43:3c:96:92:25:62:83:b1:9e:8c:81:33:92:0c:1f:83: 6e:50:bd:cd:69:2c:32:a9:9f:12:43:f8:de:6f:28:d1:4c:3d: 2e:b7:ac:f4:50:15:22:e2:5c:21:22:c9:e9:bc:e5:d2:f9:49: 10:c5:87:58:60:a1:da:64:aa:55:b6:06:2f:29:31:4e:b6:a7: b6:11:dd:31:ed:7c:32:dd:f3:2f:2f:0a:e3:37:b0:f4:b1:86:

What’s Next Now you can either submit this CSR to third party CA to get your certificates or if you want to sign these certificates using your own CA then:

Create your own Certificate Authority and sign a certificate with Root CA Create SAN certificate to use the same certificate across multiple clients

Conclusion In this tutorial I shared the steps to generate interactive and non-interactive methods to generate CSR using openssl in Linux. Once these CSR are generated, you can share it to your third party CA. To test your server, or to run your server internally in your organization, you can act as your own Certificate Authority and self-sign your certificate.

Lastly I hope the steps from the article to generate CSR on Linux was helpful. So, let me know your suggestions and feedback using the comment section.