Creating Certificate Signing Requests With OpenSSL
A private key can be used to create a Certificate Signing Request (CSR). A public and private key can be used to encrypt communications. However, a client must still validate the public certificate presented for use with encrypted communication as coming from an expected and trusted source. Without some way to validate the public key, the client can easily succumb to man-in-the-middle style attacks that would render encryption futile.
To solve this problem, public key infrastructure typically involves third parties, called Certification Authorities (CAs), that can sign a certificate as authentic for a particular public key. If the client has a copy of the CA certificate, the client can validate a certificate for a domain, based on the signature in the certificate. Most systems are installed with some trusted CA certificates by default. To check the CA certificates that are trusted by the system, use the following command:
sudo openssl version -d
By default, this directory is /etc/pki/tls and the /etc/pki/tls/certs subdirectory contains all the trusted certificates.
To obtain a signed certificate from a CA, a CSR must be generated from the private key; the CSR carries the public key component of that key pair. The CSR is then presented to the CA, which validates the information in the request and uses it to generate a valid, signed public certificate. The CSR is associated with a domain name for the host or hosts on which the certificate is to be used. The CA uses this information to create a certificate with a specified expiry date.
The following example shows the command syntax for interactively creating a CSR from a private key:
sudo openssl req -new -key private.key -out domain.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:domain.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that the default values can be configured in the /etc/pki/tls/openssl.cnf file. The Common Name is the most important value in the CSR. This value associates the certificate request with the hostname and domain name of the host on which the certificate is to be used. Note that if a client connects to a host that presents a certificate issued for a different domain, the certificate is invalid.
You can generate a CSR and private key at the same time. With the following command, you can specify values for the different fields in the CSR on the command line:
sudo openssl req -new -nodes -subj '/CN=domain.example.com/O=Example Ltd/C=GB/L=London' \
    -newkey rsa:1024 -keyout private.key -out domain.example.com.csr
You can view the information contained in a CSR as follows:
sudo openssl req -in domain.example.com.csr -noout -text
After you have a CSR, you can submit it to a CA. The CA uses the CSR to generate a signed certificate and then returns the certificate with a certificate chain that can be used to validate the certificate.
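As an added, end-to-end example that is not part of the original page, the following POSIX shell script performs the non-interactive CSR generation and inspection described above and then plays the CA's role from the last paragraph with a throwaway test root, so that the certificate handed back can be checked against the CSR's private key and verified against the issuing CA. The hostname domain.example.com, the organisation, the file names and the test root's subject are assumptions made for the demonstration; the script needs OpenSSL 1.1.1 or later (for -addext) and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive CSR creation,
# local checks on the request, and a toy CA round-trip. Hostname, organisation,
# file names and the test root's subject are made up for the demonstration.
# Requires OpenSSL 1.1.1 or later (for -addext).
set -eu

# Generate a 2048-bit RSA key and a CSR in one step. The subject comes from
# -subj instead of interactive prompts; -addext adds a subjectAltName, which
# modern clients match against the hostname instead of the Common Name.
make_csr() {   # make_csr <dir> <hostname> <organisation>
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$2/O=$3/C=GB/L=London" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/private.key" -out "$1/$2.csr" 2>/dev/null
}

# Check the CSR's self-signature: it proves the request was produced by the
# holder of the private key that matches the embedded public key.
verify_csr() {   # verify_csr <csr>; exit status 0 when the signature is valid
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the Common Name of a CSR (RFC 2253 output has no spaces around '=').
csr_cn() {   # csr_cn <csr>
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        grep -o 'CN=[^,]*' | sed 's/^CN=//'
}

# Print the DNS name requested in the subjectAltName extension, if any.
csr_san() {   # csr_san <csr>
    openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Create a throwaway self-signed root CA from an explicit minimal config so the
# result does not depend on the system openssl.cnf. basicConstraints=CA:TRUE
# and keyCertSign are what 'openssl verify' requires of an issuer.
make_toy_ca() {   # make_toy_ca <dir>
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test Root CA
O = Example Ltd
C = GB
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Act as the CA: read the name the requester asked for out of the CSR, then
# issue a short-lived server certificate that carries exactly that name.
sign_csr() {   # sign_csr <dir> <csr> <out-cert>
    san=$(csr_san "$2")
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$san" > "$1/leaf.cnf"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/leaf.cnf" -out "$3" 2>/dev/null
}

# Client-side check: does the certificate chain to the trusted CA?
verify_chain() {   # verify_chain <ca-cert> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Requester-side check: is the returned certificate for the key we generated?
key_matches_cert() {   # key_matches_cert <private-key> <cert>
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Full round-trip in a temporary directory; prints each step's verdict.
csr_roundtrip() {   # csr_roundtrip <hostname>
    dir=$(mktemp -d)
    make_csr "$dir" "$1" "Example Ltd"
    verify_csr "$dir/$1.csr" && echo "CSR signature: OK"
    echo "CSR CN: $(csr_cn "$dir/$1.csr")  SAN: $(csr_san "$dir/$1.csr")"
    make_toy_ca "$dir"
    sign_csr "$dir" "$dir/$1.csr" "$dir/$1.crt"
    verify_chain "$dir/ca.crt" "$dir/$1.crt" && echo "chain to CA: OK"
    key_matches_cert "$dir/private.key" "$dir/$1.crt" && echo "key matches cert: OK"
    rm -rf "$dir"
}

csr_roundtrip "domain.example.com"
```

Run it as sh csr_roundtrip.sh. Two things differ deliberately from the command in the text: the key is 2048 bits, the smallest RSA size public CAs have accepted for years, and the request carries a subjectAltName, because browsers ignore the Common Name and match the hostname only against the SAN extension. The -verify step and the public key comparison are the checks worth keeping in a real workflow: the first confirms the request was signed by the holder of the private key, the second confirms that the certificate the CA returned actually belongs to the key you generated rather than to some other request.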