How to create a CSR using openssl


Openssl is a handy and simple command line tool for generating a certificate signing request (CSR). All Linux systems administrator should know how to do this. Below are the steps you will need to go through before you can create a CSR for a 3rd party certificate authority to sign. You can use this to generate a CSR for a Mirosoft CA to sign too.

Before you begin

Make sure you have openssl installed in your Linux operating system.

Below is the command to install it if you don’t

yum install openssl

Step 1. Generate your private key

Use the following command to generate a 2048 bit RSA private key for your CSR.

openssl genrsa -out www.somewebsite.com.key 2048

Step 2. Use the key to generate a CSR

Then use the key you have generated to create a CSR

openssl req -new -sha256 -key www.somewebsite.com.key -out www.somewebsite.com.csr

Step 3. Fill in the information prompted in your request

You will be prompted to provide the below information for your certificate signing request.

Below is an example I have filled.

Read firstCommon Name – please specify the fully qualified domain name of the website you are protecting. ie. https://www.somewebsite.com you should use “www.website.com”

Country Name (2 Letter Code) [XX]: US
State or Provice Name (full name) []: Washington
Locality Name (eg, city) [Default City]: Seattle
Organization Name (eg, company) [Default Company Ltd]: Acme Ltd.
Organization Unit Name (eg, section) []: IT
Common Name (eg, your name or your server's hostname) [] www.somewebsite.com
Email Address []: jdoe@acmeltd.com

Below are optional information that you can leave as blank (just hit enter)

A challenge password []:
An optional company name []:

Step 4. Verify your CSR

Once you complete the previous step, verify the newly generated CSR

openssl req -noout -text -in www.somewebsite.com.csr

The subject identifiers should be the answers to the questions you have answered above.

Subject: C=US, ST=Washington, L=Seattle, O=Acme Ltd., OU=IT, CN=www.somewebsite.com/emailAddress=jdoe@acmeltd.com

Step 5. Submit your CSR for signing

Once you have verified that your CSR has been generated correctly, you are ready to submit the CSR for signing.

Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT.Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV