System: Generating a Certificate Signing Request (CSR)
Notes on viewing the contents of a CSR and generating a new one when applying for a new SSL certificate. These notes have been written for Debian GNU/Linux, but should apply to most UNIX/Linux systems.
TL;DR Create a CSR
If you just came here for commands to generate a CSR:
DOMAIN=example.net
openssl genrsa -out $DOMAIN.key 2048
openssl req -new -sha256 -key $DOMAIN.key -out $DOMAIN.csr
View The Contents of a CSR
As the root user you can view the contents, including the input values used to generate the CSR, with the following command:
openssl req -text -noout -in domainname.csr
The equivalent command for extracting details from an existing certificate is:
openssl x509 -text -noout -in domainname.crt
where domainname is the exact domain or subdomain that is going to be secured. In other words for this website we would use www.the-art-of-web.com in place of domainname, both in the above command and in subsequent examples below.
The output will be similar to the following:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=Country Code, ST=State, L=Locality, O=Organisation, CN=Domain Name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:25:82:a0:60:bc:55:b4:93:40:35:c0:cb:05:
                    be:a5:66:b4:8b:be:ae:c4:d7:8c:e5:ab:67:9c:64:
                    68:3e:c0:b0:3d:48:5b:db:c1:db:b1:d8:f2:a2:cf:
                    bf:de:93:fb:dd:16:6b:49:9d:62:b2:32:35:b7:e2:
                    b5:b8:9f:77:16:31:8b:14:2b:92:bf:1e:8e:de:92:
                    15:c3:1e:e7:0f:49:cb:76:10:54:72:d4:bc:84:54:
                    be:6d:36:88:65:b5:a8:6f:b7:23:79:7f:4b:03:76:
                    3b:f3:62:22:fd:00:31:d0:df:a4:f5:98:04:91:f1:
                    e3:a1:a9:5d:bb:e0:95:dd:51
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        70:7d:8d:bb:45:0e:3f:ff:0d:47:65:1b:b8:29:87:cb:9d:3b:
        39:52:70:2c:03:43:f8:14:68:ab:2e:d1:36:ec:bf:f7:55:d8:
        8f:dc:3c:96:47:8b:a3:14:f6:69:5e:4f:75:e2:1e:46:df:21:
        35:5e:57:4e:83:7d:7c:27:52:e5:24:1c:65:25:ab:f0:1b:8c:
        e8:b7:35:3b:85:0e:85:70:6b:0d:fb:d1:cd:52:99:ff:a5:ab:
        e7:0f:9b:0e:71:0b:f7:06:95:02:2b:17:cc:f1:eb:92:19:38:
        65:72:ce:9d:60:83:66:df:3f:48:d9:38:c3:d7:51:d7:05:06:
        9c:96
This is from an old CSR which would now be considered insecure. The key strength should be 2048 bit or higher, and the Signature Algorithm should be one of the SHA-2 hashes instead of SHA-1. See below for details on generating a better CSR.
To generate a replacement CSR for the same website, in order to renew an SSL certificate or move a secure website to another host for example, you only need the highlighted information (Country Code, State or Province Name, Locality Name, Organisation and Common Name). The Common Name in this situation is normally the Domain Name to be secured.
Generating a new CSR
First you need to generate a Private Key. Again as root you can run the following command:
openssl genrsa -des3 -out domainname.key 1024
The -des3 option will prompt you for a 'pass phrase' that needs to be entered every time the key is used. You will want to leave this out if you have a server that needs to be restarted remotely or without someone at the keyboard.
This will generate a file domainname.key in the current directory. For a stronger key you need to change the bit number from 1024 to 2048 or higher.
For a commercial SSL certificate on a production website you should be using a 2048 bit key as a minimum, and no passphrase, in which case the command to use is:
openssl genrsa -out domainname.key 2048
Using the key file as the input, we now generate the CSR:
openssl req -new -key domainname.key -out domainname.csr
As of now you should think about generating your CSR using SHA-2 instead of the default SHA-1 hash. SHA-1 is being phased out, rather aggressively by Google, including warnings set to appear in their Chrome web browser. The command for this is:
openssl req -new -sha256 -key domainname.key -out domainname.csr
You will now be prompted for various fields. You only need to complete the highlighted fields and the rest can be left blank.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code): Country Code
State or Province Name (full name): State
Locality Name (eg, city): Locality
Organization Name (eg, company): Organisation
Organizational Unit Name (eg, section):
Common Name (eg, YOUR name): Domain Name
Email Address:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password:
An optional company name:
You can check that the correct information is embedded in the CSR by running the command shown earlier.
The output of the above process will be a file domainname.csr containing a block of base64 text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
This can now be copied and pasted into the SSL certificate application process.
For testing purposes during deployment, or for non-public-facing intranets, you can sign the request yourself with the same key and use the resulting certificate:
openssl x509 -req -days 365 -in domainname.csr -signkey domainname.key -out domainname.crt
The drawback of self-signed certificates is that most/all web browsers will display a warning and consider the certificate unsafe by default.
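The generation and checking steps above can be scripted. The following is an added example, not part of the original notes: it creates the key and CSR without the interactive prompts, then audits the result for the two weaknesses of the old sample CSR (key under 2048 bit, SHA-1 signature) and confirms that the CSR matches the private key. The function names, example.net and the subject values are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. example.net and the subject
# values passed to make_csr are placeholders.

# Create a 2048-bit key (owner-readable only) and a SHA-256 signed CSR,
# supplying the Distinguished Name with -subj instead of the prompts.
make_csr() {    # usage: make_csr <domain> <subject>
    local domain="$1" subject="$2"
    ( umask 077 && openssl genrsa -out "$domain.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$domain.key" -subj "$subject" -out "$domain.csr"
}

# Read "openssl req -text -noout" output on stdin and flag a short key or
# a non-SHA-2 signature. Returns 0 if acceptable, 1 otherwise.
audit_csr_text() {
    local text bits sigalg rc=0
    text=$(cat)
    # The label is "RSA Public Key", "RSA Public-Key" or "Public-Key"
    # depending on the OpenSSL version.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "WEAK: key size ${bits:-unknown} bit, want 2048 or higher"; rc=1
    fi
    case $(printf '%s' "$sigalg" | tr 'A-Z' 'a-z') in
        *sha224*|*sha256*|*sha384*|*sha512*) ;;
        *) echo "WEAK: signature algorithm ${sigalg:-unknown} is not SHA-2"; rc=1 ;;
    esac
    return $rc
}

# Audit a CSR file and confirm it was built from the given private key
# by comparing the public key embedded in each.
audit_csr() {   # usage: audit_csr <file.csr> <file.key>
    local csr="$1" key="$2" rc=0
    openssl req -text -noout -in "$csr" | audit_csr_text || rc=1
    if [ "$(openssl req -noout -pubkey -in "$csr")" != \
         "$(openssl pkey -pubout -in "$key")" ]; then
        echo "MISMATCH: $csr was not generated from $key"; rc=1
    fi
    return $rc
}
```

Typical use is make_csr example.net "/C=AU/ST=Queensland/L=Brisbane/O=Example Org/CN=example.net" followed by audit_csr example.net.csr example.net.key before submitting the request.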