Generating a CSR
- Download OpenSSL binaries from the following link if you are using Windows:
- Create a domain.cnf file using the following template:

    [ req ]
    default_bits = 2048
    default_keyfile = private.pem
    distinguished_name = subject
    req_extensions = req_ext
    x509_extensions = x509_ext
    string_mask = utf8only

    [ subject ]
    countryName = Country Name (2 letter code)
    countryName_default = <2_LETTER_COUNTRY_CODE>
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = <STATE_NAME>
    localityName = Locality Name (eg, city)
    localityName_default = <CITY_NAME>
    organizationName = Organization Name (eg, company)
    organizationName_default = <ORGANIZATION_NAME>
    organizationalUnitName = Organizational Unit (eg, section)
    organizationalUnitName_default = <ORGANIZATIONAL_UNIT>
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = <YOUR_NAME>
    emailAddress = Email Address
    emailAddress_default = <YOUR_EMAIL_ADDR>

    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    [ x509_ext ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    basicConstraints = CA:false
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alternate_names
    nsComment = "Self-signed Certificate"

    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    [ req_ext ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:false
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alternate_names
    nsComment = "Private Certificate"

    [ alternate_names ]
    DNS.1 = <DNS_1>

    # Add more DNS by incrementing the DNS.<SUFFIX> like the following.
    # DNS.2 = <DNS_2>
    # DNS.3 = <DNS_3>
    # DNS.4 = <DNS_4>

    # Add these if you need them. But usually you don't want them or
    # need them in production. You may need them for development.
    # IP addresses go in IP.<SUFFIX> entries, not DNS.<SUFFIX> entries.
    # DNS.5 = localhost
    # DNS.6 = localhost.localdomain
    # IP.1 = 127.0.0.1

    # IPv6 localhost
    # IP.2 = ::1
Replace the following fields in the template:

    Field Name               Description
    2_LETTER_COUNTRY_CODE    The two letter code of your country.
    STATE_NAME               The name of your state.
    CITY_NAME                The name of your city.
    ORGANIZATION_NAME        The name of your organization.
    ORGANIZATIONAL_UNIT      The name of your section in the organization.
    YOUR_NAME                Your full name.
    YOUR_EMAIL_ADDR          Your email address.
    DNS_<INDEX>              Your DNS name.

Example:
    [ req ]
    default_bits = 2048
    default_keyfile = private.pem
    distinguished_name = subject
    req_extensions = req_ext
    x509_extensions = x509_ext
    string_mask = utf8only

    [ subject ]
    countryName = Country Name (2 letter code)
    countryName_default = NZ
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Wellington
    localityName = Locality Name (eg, city)
    localityName_default = Wellington
    organizationName = Organization Name (eg, company)
    organizationName_default = My Organization
    organizationalUnitName = Organizational Unit (eg, section)
    organizationalUnitName_default = IT Department
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = www.ronella.xyz
    emailAddress = Email Address
    emailAddress_default = ron@ronella.xyz

    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    [ x509_ext ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    basicConstraints = CA:false
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alternate_names
    nsComment = "Self-signed Certificate"

    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    [ req_ext ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:false
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alternate_names
    nsComment = "Private Certificate"

    [ alternate_names ]
    DNS.1 = www.ronella.xyz

    # Add more DNS by incrementing the DNS.<SUFFIX> like the following.
    # DNS.2 = <DNS_2>
    # DNS.3 = <DNS_3>
    # DNS.4 = <DNS_4>

    # Add these if you need them. But usually you don't want them or
    # need them in production. You may need them for development.
    # IP addresses go in IP.<SUFFIX> entries, not DNS.<SUFFIX> entries.
    # DNS.5 = localhost
    # DNS.6 = localhost.localdomain
    # IP.1 = 127.0.0.1

    # IPv6 localhost
    # IP.2 = ::1
- Generate a private key using the following command:

    openssl genrsa -out domain.key.pem 2048
- Generate the CSR using the private key with the following command:

    openssl req -new -key domain.key.pem -nodes -out domain.csr -config domain.cnf

Viewing the Generated CSR
- View the generated CSR using the following command:

    openssl req -text -noout -verify -in domain.csr
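
The viewing step above is a visual check. As an added example (not part of the original post), the script below runs the same genrsa and req commands against a trimmed copy of the template, then confirms that the CSR carries the public key of the key file you generated and lists the SAN names it actually contains. The example.test names, the function names and the use of -batch (which accepts the *_default values without prompting) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Every name and value below is constructed for illustration.

write_cnf() {  # $1 = path of the config file to create
cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = subject
req_extensions = req_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = NZ
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = www.example.test
[ req_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# Create key and CSR in directory $1. umask keeps the key file owner-only;
# -batch accepts the *_default values instead of prompting.
make_csr() {
  write_cnf "$1/domain.cnf" &&
  ( umask 077 && openssl genrsa -out "$1/domain.key.pem" 2048 2>/dev/null ) &&
  openssl req -new -batch -key "$1/domain.key.pem" \
    -out "$1/domain.csr" -config "$1/domain.cnf"
}

# Succeeds only if the CSR ($1) carries the public key of the private key ($2).
csr_matches_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Print the DNS names from the CSR's subjectAltName, one per line.
csr_dns_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Usage: d=$(mktemp -d); make_csr "$d" && csr_matches_key "$d/domain.csr" \
#   "$d/domain.key.pem" && csr_dns_names "$d/domain.csr"
```

Running both checks before submitting the request catches a CSR built from the wrong key file or from a config whose alternate_names section was not picked up.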