Generating Certificate Signing Requests

A Certificate Signing Request (CSR) is sent to a Certificate Authority (CA) to be signed; the CA then returns a certificate. At no point should the private RSA key be sent anywhere. Be sure to check with the CA in question for any instructions not covered here.

If many certificate requests will be made, find the system-wide openssl.cnf and update the various x509 attribute defaults therein to suit the location in question. The following is what I set on systems under sial.org.

# egrep '_default.*=' openssl.cnf
countryName_default = US
stateOrProvinceName_default = Washington
localityName_default = Seattle
0.organizationName_default = Sial.org
#1.organizationName_default = World Wide Web Pty Ltd
#organizationalUnitName_default =

Some applications or operating systems include scripts or a Makefile to automate portions of the following commands. Check the documentation for the system in question to see if this is the case.

  1. Generate private RSA key.

    # openssl genrsa -out host.key 2048
    # chmod 400 host.key

    Use a key of at least 2048 bits; public CAs do not sign requests for shorter RSA keys. Include the -des3 option if you want to password protect your RSA key. This is usually a bad idea on servers where the daemon starts up when nobody is around to enter the password. The -rand option to openssl allows additional sources of entropy from the named files, in the event that the system random device is not up to the task.

  2. Generate CSR.

    # openssl req -new -nodes -key host.key -out host.csr

    When prompted for the x509 Common Name attribute information, enter the fully qualified hostname the certificate will be used on.

    Common Name (eg, YOUR name) []:www.example.com

    The e-mail address will likely be used by the CA to contact you. Leave any subsequent attributes blank, unless the CA requests something be set in them.

  3. Deliver CSR data to CA.

    The contents of the host.csr file must be submitted to the CA, though the method will vary. It is then up to the CA to return the certificate data.

  4. Temporary key signing.

    The CSR can optionally be self-signed with the private key to create a temporary testing certificate until the CA returns the signed certificate.

    # openssl x509 -req -days 30 -in host.csr -signkey host.key -out host.cert

  5. Set up key and certificate.

    The key and certificate files should be installed on the client system as appropriate for the applications using them. Example application configuration notes are available.
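
An added example, not part of the original page: a POSIX shell check for the procedure above that confirms the private key is accessible only to its owner, the CSR self-signature verifies, and the key, CSR and certificate all carry the same public key. The function names and the MIN_BITS value are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page
# (host.key, host.csr, host.cert); MIN_BITS is an assumed policy value.
MIN_BITS=2048

# Print the SHA-256 digest of the public key in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file yields no PEM; fail rather than hash empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files hold the same public key,
# e.g. same_key key host.key cert host.cert
same_key() {
    a=$(pubkey_digest "$1" "$2") || return 1
    b=$(pubkey_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Check to run before the CSR is delivered to the CA.
check_csr() {
    key=$1 csr=$2
    # Mode characters 5-10 of ls -l are the group and other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key is accessible to group or other" >&2; return 1; }
    # The CSR is signed with the private key; this detects a damaged file.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "$csr: self-signature does not verify" >&2; return 1; }
    same_key key "$key" csr "$csr" ||
        { echo "$csr was not generated from $key" >&2; return 1; }
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "$csr: ${bits:-0}-bit key is below $MIN_BITS bits" >&2; return 1; }
}
```

Run check_csr host.key host.csr before submitting the request, and same_key key host.key cert host.cert once the CA returns the certificate.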