Generating a certificate signing request (CSR)
Moved to / maintained at: https://cryp7.net/2015/howto-generate-a-CSR/
My notes on generating private keys and CSRs (that I never remember).
Used, for example, when setting up a new HTTPS server.
- subjectAltName must always be used (RFC 2818, section 3.1).
- CN is only evaluated if subjectAltName is not present, and then only for compatibility with old, non-compliant software.
- As of Chrome 58+ this is why you will have problems: certificates that carry the host name only in the CN are no longer accepted. (So just use: https://medium.com/@enkaskal/san-csr-ace965265e17)
Simultaneous key and request generation
# openssl req -newkey rsa:4096 -nodes -keyout cryp7.net.key -out cryp7.net.csr
N.B. -nodes places an unencrypted copy of the private key in the server’s key file. This is typically done so that the sysadmin doesn’t need to type in the password when restarting apache, for example.
N.B. -days is ignored by openssl req unless -x509 is also given; the validity period of the issued certificate is decided by the CA, not by the CSR.
!!! At a minimum, you should secure this key file with restrictive permissions (see below) !!!
Answer the prompts, noting:
1. CN (Common Name) is the name of the server (e.g. cryp7.net).
2. The extra attributes (namely challenge password and optional company name) can be skipped by pressing Enter (return).
Setting permissions on the new key
# chown root:root cryp7.net.key
# chmod 0400 cryp7.net.key
Generate a CSR using an existing key
Used, for example, to sign your own intermediate CA certificate.
# openssl req -new -config openssl.cnf -key private/vpn.ca.key -out vpn.ca.csr
N.B. since you’re specifying openssl.cnf, all prompts should already default to the desired values (and -days is again ignored without -x509).
Now send off the server.csr to your CA.
N.B. once sent, the CSR is no longer needed; the private key that goes with it still is, so keep it (and its permissions) intact.
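The two CSR recipes above (prompt-driven, and driven by an openssl.cnf) plus the SAN requirement and the key permissions, worked through as one script. This is an added example, not part of the original notes: it assumes the openssl CLI is in PATH, uses a 2048-bit key so it runs quickly, writes a throwaway request config with prompt = no so nothing is asked interactively, and leaves the root:root chown from the notes to the operator since it is meant to run as an ordinary user. The host names (example.test, www.example.test) are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the openssl CLI is in
# PATH and that this runs as an ordinary user (so no chown root:root here).
set -eu

# Emit an openssl req config that carries every host name in subjectAltName
# and sets prompt = no so the run is non-interactive (like the -config variant
# in the notes). Usage: make_san_config <primary-host> [extra-host ...]
make_san_config() {
  primary=$1
  shift
  printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
  printf '[dn]\nCN = %s\n\n' "$primary"
  printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
  i=1
  for name in "$primary" "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name"
    i=$((i + 1))
  done
}

# Print the DNS names found in a CSR's subjectAltName, one per line. Prints
# nothing for a CN-only request, which is exactly the case Chrome 58+ rejects.
csr_dns_names() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://'
}

# Generate an unencrypted key (-nodes) plus a CSR in <dir>, then lock the key
# down to 0400. Returns 0 only if the resulting CSR really carries the primary
# host in its subjectAltName. Usage: generate_csr <primary-host> <dir> [extra-host ...]
generate_csr() {
  host=$1
  dir=$2
  shift 2
  mkdir -p "$dir"
  make_san_config "$host" "$@" > "$dir/$host.cnf"
  # umask 077 in a subshell: the key file is never group/world readable, not
  # even between creation and the chmod below. -days is left out on purpose,
  # since openssl req ignores it without -x509; the CA sets the validity.
  (umask 077 && openssl req -newkey rsa:2048 -nodes \
      -config "$dir/$host.cnf" \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null)
  chmod 0400 "$dir/$host.key"
  csr_dns_names "$dir/$host.csr" | grep -qx "$host"
}

# Demo run, enabled with: CSR_DEMO=1 sh ./csr.sh
if [ "${CSR_DEMO:-0}" = 1 ]; then
  out=$(mktemp -d)
  generate_csr example.test "$out" www.example.test \
    && echo "CSR ok: $out/example.test.csr"
  echo "SAN entries:"
  csr_dns_names "$out/example.test.csr"
fi
```

The final grep in generate_csr is the check worth keeping in any real pipeline: it reads the CSR back and fails the job if the SAN is missing, which is how a CN-only request (the Chrome 58+ problem) gets caught before it is ever sent to a CA.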
Prepare a PKCS#12 file
Combines the certificate and its private key into one password-encrypted (symmetric) container, for use with email clients, etc.
Before 2011-02-19 (needs the CA cert, supplied with -certfile)
# openssl pkcs12 -export -in my.crt -inkey my.key -certfile root.pem -out my.p12
On or after 2011-02-19 (doesn’t need the CA cert)
# openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12
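Both PKCS#12 variants above, with and without the CA certificate, as an added example script that is not part of the original notes. It assumes the openssl CLI is in PATH; the certificates are self-signed here (constructed, hosts leaf.test and ca.test) only so the script runs offline, whereas in practice my.crt is what the CA returned for the CSR and root.pem is the CA's certificate. The export password is taken from an environment variable (P12_PASS, a name chosen for this example) rather than typed on the command line, so it does not end up in shell history or process listings.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the openssl CLI in PATH.
# The self-signed certificates exist only so the demo runs offline; in real
# use <cert> is the CA-issued certificate and <chain.pem> the CA certificate.
set -eu

# Create a throwaway key and self-signed cert for <host> in <dir>.
# Usage: make_selfsigned <host> <dir>
make_selfsigned() {
  host=$1
  dir=$2
  (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$host" \
      -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null)
}

# Bundle cert + key, plus the CA/chain via -certfile when one is given (the
# "needs the CA cert" variant), into a password-protected PKCS#12 file.
# The password comes from the P12_PASS environment variable (openssl's
# env: password source), never from the command line.
# Usage: make_pkcs12 <cert> <key> <out.p12> [chain.pem]
make_pkcs12() {
  crt=$1
  key=$2
  out=$3
  chain=${4:-}
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
      -passout env:P12_PASS -out "$out"
  else
    openssl pkcs12 -export -in "$crt" -inkey "$key" \
      -passout env:P12_PASS -out "$out"
  fi
  # The bundle contains the private key: same permissions as the key itself.
  chmod 0400 "$out"
}

# Open the bundle with the password in P12_PASS and print how many
# certificates it holds: 1 without a chain, more with one, and 0 when the
# password is wrong (the MAC check fails and nothing is emitted).
# Usage: pkcs12_cert_count <file.p12>
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Demo run, enabled with: P12_PASS='choose-a-passphrase' P12_DEMO=1 sh ./p12.sh
if [ "${P12_DEMO:-0}" = 1 ]; then
  out=$(mktemp -d)
  make_selfsigned leaf.test "$out"
  make_selfsigned ca.test "$out"
  make_pkcs12 "$out/leaf.test.crt" "$out/leaf.test.key" "$out/leaf.p12" "$out/ca.test.crt"
  echo "certificates in bundle: $(pkcs12_cert_count "$out/leaf.p12")"
fi
```

pkcs12_cert_count doubles as the acceptance check for the bundle: it only succeeds with the right password, and the count tells you whether the chain actually made it in, which is the difference between the two variants in the notes.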