Easily Create a Certificate Signing Request Using OpenSSL


This tutorial shows how to create a Certificate Signing Request (CSR) on Linux and Windows using OpenSSL. As you'll find out, it's very easy to do in the command prompt.

How to Easily Create Certificate Signing Requests (CSR) with OpenSSL

Certificate Request using OpenSSL

OpenSSL ships with most Linux distributions. On Windows, the open-source toolkit can be installed from a command prompt using the Windows package manager as follows:

C:\> winget install -e --id ShiningLight.OpenSSL

Windows also provides the Windows Subsystem for Linux (WSL), with which a virtual Ubuntu GNU/Linux can be run. OpenSSL is included.

Let’s see how it’s done

Run the command below to generate a 2048-bit RSA private key and an X.509 CSR in plain text. It works the same way on Linux and on Windows:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Replace the placeholder domain with your own domain name. When the process completes, you are returned to the command prompt. You will not receive any notification that your CSR was successfully created.

The file named by -out domain.csr at the end of the command contains the CSR needed by the Certificate Authority (CA). It is usually submitted to the certificate issuer by pasting it into a form. The CA then generates the public certificate, which you download.

The process, with the inputs used in this example, is shown below:

......+++++++++++++++++++++++++++++++++++++++*..+....+........+.
..........+........+.+.....++++++++++++++++++++++++++++++++++*.+
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) []:Wind Energy Ltd
Organizational Unit Name (eg, section) []:Branch Lab
Common Name (e.g. server FQDN or YOUR name) []:domain.tld
Email Address []:hostmaster@domain.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Replace the placeholder values for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address with your own details. The optional challenge password does not have to be entered.

Let’s explain the command:

openssl is the command for running OpenSSL.
req is the OpenSSL utility for generating a CSR.
-newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you would prefer a 4096-bit key you can change to 4096.
-nodes specifies that the private key should not be encrypted. When this option is used, the private key associated with the certificate is saved to the key file in plain text, without a passphrase.
-keyout domain.key specifies where to save the private key file.
-out domain.csr specifies where to save the CSR file.
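
The same request can be created without the interactive prompts. This is an added example, not part of the original tutorial: the function names make_csr and csr_san are hypothetical, the www. alternative name is an assumption, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: non-interactive CSR that also requests a subjectAltName.

# make_csr <domain> <outdir>
# Writes <outdir>/<domain>.key and <outdir>/<domain>.csr.
make_csr() {
    domain=$1
    outdir=$2
    (
        # Files created in this subshell are owner-only, so the
        # unencrypted key cannot end up group- or world-readable.
        umask 077
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
            -subj "/C=CA/ST=Quebec/L=Montreal/O=Wind Energy Ltd/OU=Branch Lab/CN=$domain" \
            -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
    )
}

# csr_san <csr-file>
# Prints the DNS names requested in the CSR, one per line.
csr_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *DNS://'
}

# Demo with the tutorial's placeholder domain in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr domain.tld "$demo_dir"
openssl req -in "$demo_dir/domain.tld.csr" -noout -verify
csr_san "$demo_dir/domain.tld.csr"
ls -l "$demo_dir"
rm -rf "$demo_dir"
```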

Optionally, after generating the CSR you can check it as follows:

openssl req -text -noout -verify -in domain.csr

The output looks something like this (abbreviated).

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = Quebec, L = Montreal, O = Wind Energy Ltd, OU = Branch lab, CN = domain.tld, emailAddress = hostmaster@domain.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...

The content of example CSR domain.csr

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Do not change the content of the CSR file. Everything from the BEGIN CERTIFICATE REQUEST line to the END CERTIFICATE REQUEST line, including the hyphens, must be transmitted unchanged to the certificate authority.

How to convert a .crt to the .pfx (PKCS#12) format

Windows services such as IIS and Microsoft Exchange Server commonly use certificates in the PFX (Personal Information Exchange) format, also known as PKCS#12. An X.509 PEM certificate can be converted to a PFX certificate (.pfx) with the following command:

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt

  Ensure you have the certificate file (domain.crt) and the corresponding private key file (domain.key) available. If you don’t have the private key file, you won’t be able to create the .pfx file.
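
One way to confirm that a key, CSR and certificate really belong together before exporting is to compare the SHA-256 digest of their public keys. This is an added example, not part of the original tutorial: the function names pub_pem, pub_fp and same_keypair are hypothetical, and the files in the demo are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example: check that a key, CSR and certificate share one public key.

# pub_pem <file>: print the public key in PEM form, chosen by file extension.
pub_pem() {
    case $1 in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
        *) echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# pub_fp <file>: print the SHA-256 digest of that public key.
pub_fp() {
    pem=$(pub_pem "$1") || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair <key> <csr> <crt>: succeed only if all three digests agree.
same_keypair() {
    k=$(pub_fp "$1") && r=$(pub_fp "$2") && c=$(pub_fp "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Demo: a matching set, then an unrelated key against the same certificate.
d=$(mktemp -d)
openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.tld" \
    -keyout "$d/domain.key" -out "$d/domain.csr" 2>/dev/null
openssl x509 -req -signkey "$d/domain.key" -in "$d/domain.csr" \
    -days 1 -out "$d/domain.crt" 2>/dev/null
openssl genrsa -out "$d/other.key" 2048 2>/dev/null

same_keypair "$d/domain.key" "$d/domain.csr" "$d/domain.crt" &&
    echo "domain.key: matches CSR and certificate"
same_keypair "$d/other.key" "$d/domain.csr" "$d/domain.crt" ||
    echo "other.key: does not match this certificate"
rm -rf "$d"
```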

Create a Self-signed Certificate

If you want a self-signed certificate, create one (domain.crt) with the existing private key and CSR by running this command:

openssl x509 -signkey domain.key -in domain.csr -req -days 3652 -out domain.crt

A self-signed certificate domain.crt is created, valid for 10 years and signed with its own private key. It can be used to encrypt data just as well as a CA-signed certificate, but you and your users will be shown a warning that says the certificate isn’t trusted. That can be solved too.

Conclusion

In this tutorial you learned how easy it is to manually create an X.509 certificate signing request (CSR) on Linux and Windows using OpenSSL. Because the versatile OpenSSL toolkit is widely used in many devices and applications, it offers numerous possibilities, as shown in this article.
