This tutorial shows how to deploy a Certificate Signing Request (CSR) on Linux and Windows using OpenSSL. As you'll see, it is easy to do from the command prompt.
How to Easily Deploy Certificate Signing Requests (CSR) with OpenSSL
OpenSSL ships with most Linux distributions. On Windows, the open-source toolkit can be installed from a command prompt using the Windows package manager as follows:
C:\> winget install -e --id ShiningLight.OpenSSL
Windows also provides the Windows Subsystem for Linux (WSL), with which a virtual Ubuntu GNU/Linux can be run; OpenSSL is included.
Let's see how it's done
Run the command below to generate a 2048-bit RSA private key and an X.509 CSR in plain text; it works the same way on Linux and on Windows:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Replace the placeholder domain with your desired domain name. When the process completes, you are returned to the command prompt; you will not receive any notification that your CSR was successfully created.
The file named by -out domain.csr, the last one in the command, contains the CSR that the Certificate Authority (CA) needs. It is usually submitted to the certificate issuer by pasting it into a form. The issuer then generates the public certificate, which you download.
The process, with the inputs used in this example, is shown below:
......+++++++++++++++++++++++++++++++++++++++*..+....+........+.
..........+........+.+.....++++++++++++++++++++++++++++++++++*.+
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) :Montreal
Organization Name (eg, company) :Wind Energy Ltd
Organizational Unit Name (eg, section) :Branch Lab
Common Name (e.g. server FQDN or YOUR name) :domain.tld
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Replace the placeholder values for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address with your own. The optional challenge password does not have to be entered.
Let’s explain the command:
– openssl is the command for running OpenSSL.
– req is the OpenSSL utility for generating a CSR.
– -newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you prefer a 4096-bit key, change this to rsa:4096.
– -nodes specifies that the private key should not be encrypted. With this option, the private key is written to the key file in plain text, without a passphrase, so restrict access to domain.key.
– -keyout domain.key specifies where to save the private key file.
– -out domain.csr specifies where to save the CSR file.
Optionally, after generating the CSR you can check it as follows:
openssl req -text -noout -verify -in domain.csr
The output looks something like this (abbreviated).
Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = Quebec, L = Montreal, O = Wind Energy Ltd, OU = Branch lab, CN = domain.tld, emailAddress = email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                ...
The content of example CSR domain.csr
Do not change the content of the CSR file. Everything from the BEGIN CERTIFICATE REQUEST line to the END CERTIFICATE REQUEST line, including the hyphens, must be transmitted unchanged to the certificate authority.
How to convert a .crt to the .pfx (PKCS#12) format
Windows services such as IIS and Microsoft Exchange Server commonly use certificates in the PFX (Personal Information Exchange) / PKCS#12 format. X.509 PEM certificates can be converted to the PFX (.pfx) format with the following command:
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt
Ensure you have the certificate file (domain.crt) and the corresponding private key file (domain.key) available. If you don’t have the private key file, you won’t be able to create the .pfx file.
Create a Self-signed Certificate
If you want a self-signed certificate, you can create one (domain.crt) from the existing private key and CSR with this command:
openssl x509 -signkey domain.key -in domain.csr -req -days 3652 -out domain.crt
A self-signed certificate, domain.crt, is created that is valid for 10 years and signed with its own private key. It can be used to encrypt data just as well as a CA-signed certificate, but you and your users will be shown a warning that the certificate isn't trusted; that can be solved too.
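Before converting to .pfx or installing a certificate, it helps to confirm that the private key, the CSR and the certificate all contain the same public key. The script below is an added example, not part of the original tutorial; the function names pubkey_of, same_keypair and make_sample, the file other.key and the sample subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that a key, CSR and certificate share one public key.
# File names follow the tutorial; function names and the subject are illustrative.

# Print the PEM public key held in a private key (key), CSR (csr) or certificate (crt).
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   echo "unknown type: $1" >&2; return 2 ;;
    esac
}

# same_keypair TYPE FILE TYPE FILE -> exit 0 only if both files hold the same public key.
same_keypair() {
    a=$(pubkey_of "$1" "$2" 2>/dev/null) || return 2
    b=$(pubkey_of "$3" "$4" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1 with the tutorial's commands,
# run non-interactively via -subj. umask 077 keeps the unencrypted key owner-only.
make_sample() (
    cd "$1" && umask 077 &&
    openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Wind Energy Ltd/CN=domain.tld" 2>/dev/null &&
    openssl x509 -signkey domain.key -in domain.csr -req -days 3652 \
        -out domain.crt 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out other.key 2>/dev/null   # unrelated key for the negative case
)

dir=$(mktemp -d) && make_sample "$dir"
for pair in "key domain.key csr domain.csr" "key domain.key crt domain.crt" \
            "key other.key crt domain.crt"; do
    set -- $pair
    if same_keypair "$1" "$dir/$2" "$3" "$dir/$4"; then
        echo "$2 and $4: same public key"
    else
        echo "$2 and $4: MISMATCH"
    fi
done
rm -rf "$dir"
```

Run same_keypair against your real domain.key and the domain.crt returned by the CA before running the pkcs12 export.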
In this tutorial you learned how easy it is to manually deploy an X.509 certificate signing request (CSR) on Linux and Windows using OpenSSL. The versatile OpenSSL toolkit is widely used in many devices and applications, so it provides numerous possibilities, as shown in this article.