Creating CSR with openssl
09 Jun 2020
Tags: openssl, powershell, ssl
Consolidated information from DigiCert articles about requesting a new SSL certificate using the OpenSSL command line.
Getting private Key
From existing certificate - How to convert .pfx file to .pem format including private key
Solution: OpenSSL can be used to convert .pfx files to .pem files that include the private key. Some servers require this format.
To convert use the command below:
openssl pkcs12 -in certificate.pfx -out certificate.pem
Generating new key - Generating Your Private Key
After deciding on a key algorithm, key size, and whether to use a passphrase, you are ready to generate your private key.
Use the following command to generate your private key using the RSA algorithm:
openssl genrsa -out yourdomain.pem 2048
This command generates a private key in your current directory named yourdomain.pem (-out yourdomain.pem) using the RSA algorithm (genrsa) with a key length of 2048 bits (2048). The generated key is written in the OpenSSL encoding called PEM.
Use the following command to view the raw, encoded contents (PEM format) of the private key:
cat yourdomain.pem
Even though the contents of the file might look like a random chunk of text, it actually contains important information about the key.
Use the following command to decode the private key and view its contents:
openssl rsa -text -in yourdomain.pem -noout
The -noout switch omits the output of the encoded version of the private key.
Extracting Your Public Key
The private key file contains both the private key and the public key. You can extract your public key from your private key file if needed.
Use the following command to extract your public key:
openssl rsa -in yourdomain.pem -pubout -out yourdomain_public.pem
Creating Your CSR
After generating your private key, you are ready to create your CSR. The CSR is created using the PEM format and contains the public key portion of the private key as well as information about you (or your company).
Use the following command to create a CSR using your newly generated private key:
openssl req -new -key yourdomain.pem -out yourdomain.csr
After entering the command, you will be asked a series of questions. Your answers to these questions will be embedded in the CSR. Answer the questions as described below:
| Prompt | What to enter |
|---|---|
| Country Name (2 letter code) | The two-letter country code where your company is legally located. |
| State or Province Name (full name) | The state/province where your company is legally located. |
| Locality Name (e.g., city) | The city where your company is legally located. |
| Organization Name (e.g., company) | Your company's legally registered name (e.g., YourCompany, Inc.). |
| Organizational Unit Name (e.g., section) | The name of your department within the organization. (You can leave this option blank; simply press Enter.) |
| Common Name (e.g., server FQDN) | The fully-qualified domain name (FQDN) (e.g., www.example.com). |
| Email Address | Your email address. (You can leave this option blank; simply press Enter.) |
| A challenge password | Leave this option blank (simply press Enter). |
| An optional company name | Leave this option blank (simply press Enter). |
Some of the above CSR questions have default values that will be used if you leave the answer blank and press Enter. These default values are pulled from the OpenSSL configuration file located in the OPENSSLDIR (see Checking Your OpenSSL Version). If you want to leave a question blank without using the default value, type a "." (period) and press Enter.
Using the -subj Switch
Another option when creating a CSR is to provide all the necessary information within the command itself by using the -subj switch.
Use the following command to disable question prompts when generating a CSR:
openssl req -new -key yourdomain.key -out yourdomain.csr -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command uses your private key file (-key yourdomain.key) to create a new CSR (-out yourdomain.csr) and disables question prompts by providing the CSR information (-subj).
Creating Your CSR with One Command
Instead of generating a private key and then creating a CSR in two separate steps, you can actually perform both tasks at once.
Use the following command to create both the private key and CSR:
openssl req -new \
-newkey rsa:2048 -nodes -keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
This command generates a new private key (-newkey) using the RSA algorithm with a 2048-bit key length (rsa:2048) without using a passphrase (-nodes) and then creates the key file with a name of yourdomain.key (-keyout yourdomain.key).
The command then generates the CSR with a filename of yourdomain.csr (-out yourdomain.csr) and the information for the CSR is supplied (-subj).
Note: While it is possible to add a subject alternative name (SAN) to a CSR using OpenSSL, the process is a bit complicated and involved. If you do need to add a SAN to your certificate, this can easily be done by adding them to the order form when purchasing your DigiCert certificate.
OpenSSL CSR with Alternative Names one-line
In short: create a separate file, csr_details.txt, with the configuration details:
[req]
default_bits = 2048
prompt = no
default_md = sha1
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
default_bits and default_md can be omitted if they are provided on the command line. default_bits can also be omitted when the CSR is created from an existing key (-key), since the key size is already fixed.
Cisco recommends adding
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
to the [ req_ext ] section.
openssl req -new -key certificate.pem -out request.csr -config csr_details.txt
# when creating a new key in the same command
openssl req -new -out request.csr -newkey rsa:2048 -nodes -sha1 -keyout certificate.pem -config csr_details.txt
Verifying CSR Information
After creating your CSR using your private key, we recommend verifying that the information contained in the CSR is correct and that the file hasn't been modified or corrupted.
Use the following command to view the information in your CSR before submitting it to a CA (e.g., DigiCert):
openssl req -text -in yourdomain.csr -noout -verify
The -noout switch omits the output of the encoded version of the CSR. The -verify switch checks the signature of the file to make sure it hasn't been modified.
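As an added example (not code from the post or from DigiCert), the config-file approach and the verification step combined into one script: it writes the csr_details.txt layout with the SAN and key-usage lines, creates key and CSR in one command, decodes the CSR with -verify, and then checks that the SAN entries and the serverAuth EKU actually ended up in the request, which is what this workflow most often gets wrong silently. It uses sha256 rather than sha1 for default_md; the domain names and DN values are constructed.

```shell
#!/bin/sh
# Added example, not from the post or DigiCert: csr_details.txt-style config with SANs and
# keyUsage/extendedKeyUsage, key + CSR in one command, then verify that the extensions
# really are in the CSR. default_md is sha256 (CAs no longer accept SHA-1 requests).
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_req_config() {
  # $1 = output path. DN and SAN values are constructed examples.
  cat > "$1" <<'EOF'
[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn
[ dn ]
C  = US
ST = New York
L  = Rochester
O  = End Point
OU = Testing Domain
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName   = @alt_names
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF
}

# Key + CSR in one command (-nodes: no passphrase); prints the decoded, signature-verified CSR.
make_and_decode_csr() {
  cfg="$WORK/csr_details.txt"; key="$WORK/certificate.pem"; csr="$WORK/request.csr"
  write_req_config "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
  openssl req -in "$csr" -noout -text -verify 2>/dev/null
}

# Prints "ok" if every SAN and the serverAuth EKU appear in decoded CSR text ($1), else "missing:<what>".
check_csr_extensions() {
  for name in your-new-domain.com www.your-new-domain.com; do
    printf '%s\n' "$1" | grep -q "DNS:$name" || { echo "missing:DNS:$name"; return 1; }
  done
  printf '%s\n' "$1" | grep -q 'TLS Web Server Authentication' || { echo missing:serverAuth; return 1; }
  echo ok
}
```

Run it as `out="$(make_and_decode_csr)" && check_csr_extensions "$out"`; if req_extensions is misspelled or points at the wrong section, OpenSSL still produces a valid CSR, and this check is what catches the missing SANs before the request goes to the CA.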
Convert P7B to PFX
Note: This requires two commands, and the .p7b file should contain the whole certificate chain (both the site and the CA certificates).
STEP 1: Convert P7B to CER
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
STEP 2: Convert CER and Private Key to PFX
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.pem -out certificatename.pfx
Summary
openssl pkcs12 -in .\oldCert.pfx -out .\oldCert.pem
openssl req -new -key oldCert.pem -out newCert.csr -config .\csr_details.txt
openssl req -in .\newCert.csr -noout -text
openssl pkcs7 -print_certs -in .\newCert.p7b -out newCert.cer
openssl pkcs12 -export -in newCert.cer -inkey .\oldCert.pem -out newCert.pfx
Links
DigiCert - General CSR Creation Guidelines
DigiCert - Creating a CSR for Microsoft Servers Using the DigiCert® Certificate Utility for Windows
DigiCert - OpenSSL Quick Reference Guide
DigiCert - SSL Tools - Check your CSR
DigiCert - How to decode a Certificate Signing Request (CSR) file using OpenSSL
DigiCert - How to convert .pfx file to .pem format including private key
Chocolatey OpenSSL
choco install openssl
DigiCert - How to convert a certificate into the appropriate format
Extracting PEM Certificates from a .p7b Bundle File
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.