Creating CSR with openssl

09 Jun 2020

openssl powershell ssl

Consolidated information from DigiCert articles about requesting a new SSL certificate using the OpenSSL command line.

Getting private Key

From existing certificate - How to convert .pfx file to .pem format including private key

OpenSSL can be used to convert .pfx files to .pem files that include the private key. Some servers require this format.

To convert use the command below:

openssl pkcs12 -in certificate.pfx -out certificate.pem

Generating new key - Generating Your Private Key

After deciding on a key algorithm, key size, and whether to use a passphrase, you are ready to generate your private key.
Use the following command to generate your private key using the RSA algorithm:

openssl genrsa -out yourdomain.pem 2048

This command generates a private key in your current directory named yourdomain.pem (-out yourdomain.pem) using the RSA algorithm (genrsa) with a key length of 2048 bits (2048). The generated key is written in the OpenSSL format called PEM.
Use the following command to view the raw, encoded contents (PEM format) of the private key:

cat yourdomain.pem

Even though the contents of the file might look like a random chunk of text, it actually contains important information about the key.
Use the following command to decode the private key and view its contents:

openssl rsa -text -in yourdomain.pem -noout

The -noout switch omits the output of the encoded version of the private key.

Extracting Your Public Key

The private key file contains both the private key and the public key. You can extract your public key from your private key file if needed.
Use the following command to extract your public key:

openssl rsa -in yourdomain.pem -pubout -out yourdomain_public.pem

Creating Your CSR

After generating your private key, you are ready to create your CSR. The CSR is created using the PEM format and contains the public key portion of the private key as well as information about you (or your company).
Use the following command to create a CSR using your newly generated private key:

openssl req -new -key yourdomain.pem -out yourdomain.csr

After entering the command, you will be asked a series of questions. Your answers to these questions will be embedded in the CSR. Answer the questions as described below:

| | | |---|---| | Country Name (2 letter code) | The two-letter country code where your company is legally located. | | State or Province Name (full name) | The state/province where your company is legally located. | | Locality Name (e.g., city) | The city where your company is legally located. | | Organization Name (e.g., company) | Your company's legally registered name (e.g., YourCompany, Inc.). | | Organizational Unit Name (e.g., section) | The name of your department within the organization. (You can leave this option blank; simply press Enter.) | | Common Name (e.g., server FQDN) | The fully-qualified domain name (FQDN) (e.g., www.example.com). | | Email Address | Your email address. (You can leave this option blank; simply press Enter.) | | A challenge password | Leave this option blank (simply press Enter). | | An optional company name | Leave this option blank (simply press Enter). |

Some of the above CSR questions have default values that will be used if you leave the answer blank and press Enter. These default values are pulled from the OpenSSL configuration file located in the OPENSSLDIR (see Checking Your OpenSSL Version). If you want to leave a question blank without using the default value, type a "." (period) and press Enter.

Using the -subj Switch

Another option when creating a CSR is to provide all the necessary information within the command itself by using the -subj switch.
Use the following command to disable question prompts when generating a CSR:

openssl req -new -key yourdomain.key -out yourdomain.csr -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

This command uses your private key file (-key yourdomain.key) to create a new CSR (-out yourdomain.csr) and disables question prompts by providing the CSR information (-subj).

Creating Your CSR with One Command

Instead of generating a private key and then creating a CSR in two separate steps, you can actually perform both tasks at once.
Use the following command to create both the private key and CSR:

openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

This command generates a new private key (-newkey) using the RSA algorithm with a 2048-bit key length (rsa:2048) without using a passphrase (-nodes) and then creates the key file with a name of yourdomain.key (-keyout yourdomain.key).

The command then generates the CSR with a filename of yourdomain.csr (-out yourdomain.csr) and the information for the CSR is supplied (-subj).

Note: While it is possible to add a subject alternative name (SAN) to a CSR using OpenSSL, the process is a bit complicated and involved. If you do need to add a SAN to your certificate, this can easily be done by adding them to the order form when purchasing your DigiCert certificate.

Citrix - How to Create a CSR and Key File for a SAN Certificate with Multiple Subject Alternate Names

OpenSSL CSR with Alternative Names one-line

In short, create a separate file csr_details.txt with the configuration details:

[req]
default_bits = 2048
prompt = no
default_md = sha1
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com

default_bits and default_md can be omitted if they are provided on the command line. default_bits can also be omitted when the CSR is created with an existing key (for example one extracted from a certificate).
Cisco recommends adding the lines

keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

to the [ req_ext ] section.

openssl req -new -key certificate.pem -out request.csr -config csr_details.txt
# when creating new key in the same command
openssl req -new -out request.csr -newkey rsa:2048 -nodes -sha1 -keyout certificate.pem -config csr_details.txt

Verifying CSR Information

After creating your CSR using your private key, we recommend verifying that the information contained in the CSR is correct and that the file hasn't been modified or corrupted.
Use the following command to view the information in your CSR before submitting it to a CA (e.g., DigiCert):

openssl req -text -in yourdomain.csr -noout -verify

The -noout switch omits the output of the encoded version of the CSR. The -verify switch checks the signature of the file to make sure it hasn't been modified.
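An added example (not from the DigiCert, Citrix or End Point articles) that writes the csr_details.txt shown above, with default_md = sha256 in place of sha1 (public CAs reject SHA-1 signed requests) and the keyUsage/extendedKeyUsage lines added, creates the key and CSR in one command, then runs the verification step and checks that both SAN entries are present. It assumes the openssl CLI is on the PATH; the working directory and file names are constructed.

```shell
#!/bin/sh
# Added example: SAN CSR from a config file, then verification.
# Assumes the openssl CLI; $WORK and the file names are constructed.
set -e
WORK="${TMPDIR:-/tmp}/csr-example.$$"
mkdir -p "$WORK"

write_config() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = New York
L = Rochester
O = End Point
OU = Testing Domain
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF
}

# Generate the private key and the CSR in a single command (prompt = no in the config).
make_csr() {
    write_config "$WORK/csr_details.txt"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/certificate.pem" -out "$WORK/request.csr" \
        -config "$WORK/csr_details.txt" 2>/dev/null
}

# Succeeds only if the CSR self-signature verifies and both SAN entries are present.
check_csr() {
    openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$WORK/request.csr" -noout -text | grep -q 'DNS:your-new-domain.com, DNS:www.your-new-domain.com'
}
```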

Convert P7B to PFX

Note: this requires two commands.
The .p7b file should contain the whole certificate chain (both the site and the CA certificates).

STEP 1: Convert P7B to CER

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer

STEP 2: Convert CER and Private Key to PFX

openssl pkcs12 -export -in certificatename.cer -inkey privateKey.pem -out certificatename.pfx

Summary

openssl pkcs12 -in .\oldCert.pfx -out .\oldCert.pem
openssl req -new -key oldCert.pem -out newCert.csr -config .\csr_details.txt
openssl req -in .\newCert.csr -noout -text

openssl pkcs7 -print_certs -in .\newCert.p7b -out newCert.cer
openssl pkcs12 -export -in newCert.cer -inkey .\oldCert.pem -out newCert.pfx
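The Summary sequence run end to end on a locally created self-signed certificate, as an added example that is not from the DigiCert articles or this page. It assumes the openssl CLI is on the PATH, uses constructed file names (oldCert.*, newCert.*) and a constructed PFX password passed with -passin/-passout so nothing prompts, and stands in for the CA-issued certificate with the self-signed one packed into a P7B.

```shell
#!/bin/sh
# Added example: PFX -> PEM, then P7B -> CER -> PFX, with a final consistency check.
# Assumes the openssl CLI; $WORK, file names and the password are constructed.
set -e
WORK="${TMPDIR:-/tmp}/pfx-example.$$"
mkdir -p "$WORK"
PASS='pass:changeit'   # constructed PFX password (never use this for a real export)

# Starting point: a key plus self-signed cert, exported as oldCert.pfx.
make_old_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$WORK/oldKey.pem" -out "$WORK/oldCert.crt" \
        -subj "/C=US/ST=New York/L=Rochester/O=End Point/CN=www.your-new-domain.com" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/oldCert.crt" -inkey "$WORK/oldKey.pem" \
        -out "$WORK/oldCert.pfx" -passout "$PASS"
}

# Summary step 1: PFX -> PEM containing key and cert. -nodes writes the key
# unencrypted, which is what the interactive command above does if you skip the PEM passphrase.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/oldCert.pfx" -out "$WORK/oldCert.pem" \
        -passin "$PASS" -nodes
    grep -q 'PRIVATE KEY' "$WORK/oldCert.pem"
}

# Simulated CA reply: the issued certificate (here the self-signed one) as a P7B bundle.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/oldCert.crt" -out "$WORK/newCert.p7b"
}

# Summary steps 4 and 5: P7B -> CER, then CER + private key -> PFX.
p7b_to_pfx() {
    openssl pkcs7 -print_certs -in "$WORK/newCert.p7b" -out "$WORK/newCert.cer"
    openssl pkcs12 -export -in "$WORK/newCert.cer" -inkey "$WORK/oldCert.pem" \
        -out "$WORK/newCert.pfx" -passout "$PASS"
}

# Check: the new PFX opens with the password and its certificate's public key
# matches the private key it was built with.
check_pfx() {
    cert_pub=$(openssl pkcs12 -in "$WORK/newCert.pfx" -passin "$PASS" -nokeys \
        | openssl x509 -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/oldCert.pem" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```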

Links

DigiCert - General CSR Creation Guidelines
DigiCert - Creating a CSR for Microsoft Servers Using the DigiCert® Certificate Utility for Windows
DigiCert - OpenSSL Quick Reference Guide
DigiCert - SSL Tools - Check your CSR
DigiCert - How to decode a Certificate Signing Request (CSR) file using OpenSSL
DigiCert - How to convert .pfx file to .pem format including private key
Chocolatey OpenSSL

choco install openssl

DigiCert - How to convert a certificate into the appropriate format
Extracting PEM Certificates from a .p7b Bundle File


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.