Generating a certificate signing request (CSR)

MOVED to/MAINTAINED @: https://cryp7.net/2015/howto-generate-a-CSR/


My notes on generating private keys and CSR’s. (that I never remember)

Used with, for example, a new HTTPS server.

!!!!!WARNING DEPRECATED!!!!!

  • subjectAltName must always be used (RFC 2818 4.2.1.7, 1. paragraph)
  • CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software.
  • As of chrome 58+ this is why you will have problems!!!! (So just use: https://medium.com/@enkaskal/san-csr-ace965265e17)

Simultaneous key and request generation

# openssl req -newkey rsa:4096 -nodes -keyout cryp7.net.key -out cryp7.net.csr -days 365

N.B. -nodes places an unencrypted copy of the private key in the server’s key file. This is typically used so that the sysadmin doesn’t need to type in the password when restarting apache; for example.

!!!You should secure this with restrictive permissions at a minimum!!!

Answer the prompts noting: 1. CN or Common Name section is the name of the server (e.g. cryp7.net) 2. extra attributes (namely challenge password and optional company name) can be ignored by using the enter (return) key

Setting permissions on the new key

# chown root:root cryp7.net.key
# chmod 0400 cryp7.net.key

Generate a CSR using an existing key

Used, for example, to sign your own intermediate CA certificate

# openssl req -new -config openssl.cnf -key private/vpn.ca.key -out vpn.ca.csr -days 1825

N.B. since you’re specifying the openssl.cnf, all prompts should all be defaulted as desired.

Request signing

Now send off the server.csr to your CA.

N.B. once sent, the CSR is no longer needed.

Prepare a PKCS#12 file

Combines the public and private key in an encrypted format (symmetrical) for use with email clients, etc.

Before 2011–02–19 (needs the CA cert)

# openssl pkcs12 -export -in my.crt -inkey my.key -in root.pem -out my.p12

On or after 2011–02–19 (doesn’t need CA cert)

# openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12

See Also

References

Like what you read? Give Stefan Schwoegler a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.