Certificate Signing Request (CSR)

Generating a CSR

1. Download OpenSSL binaries from the following link if you are using windows:

   https://slproweb.com/products/Win32OpenSSL.html

2. Create a domain.cnf file using the following template:

   [ req ]
   default_bits        = 2048
   default_keyfile     = private.pem
   distinguished_name  = subject
   req_extensions      = req_ext
   x509_extensions     = x509_ext
   string_mask         = utf8only
   
   [ subject ]
   countryName         = Country Name (2 letter code)
   countryName_default     = <2_LETTER_COUNTRY_CODE>
   
   stateOrProvinceName     = State or Province Name (full name)
   stateOrProvinceName_default = <STATE_NAME>
   
   localityName            = Locality Name (eg, city)
   localityName_default        = <CITY_NAME>
   
   organizationName         = Organization Name (eg, company)
   organizationName_default    = <ORGANIZATION_NAME>
   
   organizationalUnitName         = Organizational Unit (eg, section)
   organizationalUnitName_default = <ORGANIZATIONAL_UNIT>
   
   commonName          = Common Name (e.g. server FQDN or YOUR name)
   commonName_default      = <YOUR_NAME>
   
   emailAddress            = Email Address
   emailAddress_default        = <YOUR_EMAIL_ADDR>
   
   # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
   [ x509_ext ]
   
   subjectKeyIdentifier        = hash
   authorityKeyIdentifier    = keyid,issuer
   
   basicConstraints        = CA:false
   keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   subjectAltName          = @alternate_names
   nsComment           = "Self-signed Certificate"
   
   # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
   [ req_ext ]
   
   subjectKeyIdentifier        = hash
   
   basicConstraints        = CA:false
   keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   subjectAltName          = @alternate_names
   nsComment           = "Private Certificate"
   
   [ alternate_names ]
   
   DNS.1        = <DNS_1>
   
   # Add more DNS by incrementing the DNS.<SUFFIX> like the following.
   # DNS.2       = <DNS_2>
   # DNS.3       = <DNS_3>
   # DNS.4       = <DNS_4>
   
   # Add these if you need them. But usually you don't want them or
   #   need them in production. You may need them for development.
   # DNS.5       = localhost
   # DNS.6       = localhost.localdomain
   # DNS.7       = 127.0.0.1
   
   # IPv6 localhost
   # DNS.8     = ::1

   Replace the following fields on the template:

   Field Name	Description
   2_LETTER_COUNTRY_CODE	The two letter code of your country.
   STATE_NAME	The name of your state.
   CITY_NAME	The name of your city.
   ORGANIZATION_NAME	The name of your organization.
   ORGANIZATIONAL_UNIT	The name of your section in the organization.
   YOUR_NAME	Your full name.
   YOUR_EMAIL_ADDR	Your email address.
   DNS_<INDEX>	Your DNS name.

   Example:

   [ req ]
   default_bits        = 2048
   default_keyfile     = private.pem
   distinguished_name  = subject
   req_extensions      = req_ext
   x509_extensions     = x509_ext
   string_mask         = utf8only
   
   [ subject ]
   countryName         = Country Name (2 letter code)
   countryName_default     = NZ
   
   stateOrProvinceName     = State or Province Name (full name)
   stateOrProvinceName_default = Wellington
   
   localityName            = Locality Name (eg, city)
   localityName_default        = Wellington
   
   organizationName         = Organization Name (eg, company)
   organizationName_default    = My Organization
   
   organizationalUnitName         = Organizational Unit (eg, section)
   organizationalUnitName_default = IT Department
   
   commonName          = Common Name (e.g. server FQDN or YOUR name)
   commonName_default      = www.ronella.xyz
   
   emailAddress            = Email Address
   emailAddress_default        = ron@ronella.xyz
   
   # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
   [ x509_ext ]
   
   subjectKeyIdentifier        = hash
   authorityKeyIdentifier    = keyid,issuer
   
   basicConstraints        = CA:false
   keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   subjectAltName          = @alternate_names
   nsComment           = "Self-signed Certificate"
   
   # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
   [ req_ext ]
   
   subjectKeyIdentifier        = hash
   
   basicConstraints        = CA:false
   keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   subjectAltName          = @alternate_names
   nsComment           = "Private Certificate"
   
   [ alternate_names ]
   
   DNS.1        = www.ronella.xyz
   
   # Add more DNS by incrementing the DNS.<SUFFIX> like the following.
   # DNS.2       = <DNS_2>
   # DNS.3       = <DNS_3>
   # DNS.4       = <DNS_4>
   
   # Add these if you need them. But usually you don't want them or
   #   need them in production. You may need them for development.
   # DNS.5       = localhost
   # DNS.6       = localhost.localdomain
   # DNS.7       = 127.0.0.1
   
   # IPv6 localhost
   # DNS.8     = ::1

3. Generate a private key using the following command:

   openssl genrsa -out domain.key.pem 2048

4. Generate the CSR using the private key with the following command:

   openssl req -new -key domain.key.pem -nodes -out domain.csr -config domain.cnf

Viewing the Generated CSR

1. View the generated CSR using the following command:

   openssl req -text -noout -verify -in domain.csr