April 16, 2013 Leave a comment
You create a CSR and have it signed by a CA before you can use a certificate. This tutorial is a continuation from my tutorial on creating a CA. However, you do not need to create a CA to generate a CSR.
I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.
su -c 'yum install openssl'
Create Directory Structure
mkdir private conf csr
We will run all commands by default in the /home/cg/mycert directory, unless stated otherwise.
This file would serve as the config file if you wish to use it. An example file is below.
[ ca ] default_ca = CA_default [ CA_default ] dir = /home/cg/mycert/ certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/certs/cacert.pem serial = $dir/serial #crl = $dir/crl.pem private_key = $dir/private/cakey.pem #RANDFILE = $dir/private/.rand x509_extensions = usr_cert #crl_extensions = crl_ext default_days = 3650 #default_startdate = YYMMDDHHMMSSZ #default_enddate = YYMMDDHHMMSSZ #default_crl_days= 30 #default_crl_hours = 24 default_md = sha1 preserve = no #msie_hack policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match localityName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 4096 # Size of keys default_keyfile = key.pem # name of generated keys distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca #input_password #output_password string_mask = nombstr # permitted characters req_extensions = v3_req [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = New York localityName = Locality Name (city, district) localityName_default = New York organizationName = Organization Name (company) organizationName_default = Code Ghar organizationalUnitName = Organizational Unit Name (department, division) organizationalUnitName_default = IT commonName = Common Name (hostname, FQDN, IP, or your name) commonName_max = 64 commonName_default = CGIT emailAddress = Email Address emailAddress_max = 40 emailAddress_default = firstname.lastname@example.org [ req_attributes ] #challengePassword = A challenege password #challengePassword_min = 4 #challengePassword_max = 20 #unstructuredName = An optional company name [ usr_cert ] basicConstraints= CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always #nsComment = ''OpenSSL Generated Certificate'' #nsCertType = client, email, objsign for ''everything including object signing'' subjectAltName=email:copy issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl = #nsRenewalUrl = #nsCaPolicyUrl = #nsSslServerName = [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:TRUE #keyUsage = cRLSign, keyCertSign #nsCertType = sslCA, emailCA #subjectAltName=email:copy #issuerAltName=issuer:copy #obj=DER:02:03 [ crl_ext ] #issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always
You can use the config file (serverconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in serverconfig.cnf.
openssl req -new -config conf/serverconfig.cnf -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes
If you want to provide your own custom values you may run the following command instead.
openssl req -new -newkey rsa:4096 -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes
You will be asked relevant questions. Following is an example output of the process.
Generating a 4096 bit RSA private key ..............................................................................++ .................++ writing new private key to 'private/key.csr.server1.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [New York]: Locality Name (city, district) [New York]: Organization Name (company) [Code Ghar]: Organizational Unit Name (department, division) [IT]: Common Name (hostname, FQDN, IP, or your name) [CGIT]: Email Address [email@example.com]:firstname.lastname@example.org
Two files, key.csr.server1.pem and csr.server1.pem, will be created in $dir/private and $dir/csr directories respectively. Keep these files in a safe location and back them up.
You will submit csr.server1.pem to the CA who will sign it. The CA will sign the file and return the resulting file to you. That will be the certificate you will finally use.