How to generate an SSL certificate request using openssl
This document shows you how to generate a request for an SSL certificate to be signed by a recognised certificate authority such as Verisign.
There are a number of ways to complete this exercise. We are going to use the openssl command to create the private key first and then use that private key to generate the certificate request (CSR).
Create a private key
To create a private key use the following command.
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
.....................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
This creates a 2048 bit RSA key and encrypts it with a passphrase (the -des3 option; on current OpenSSL releases -aes256 is the stronger choice), so the file is useless on its own if it is copied. 2048 bits is the minimum most certificate authorities accept today; 3072 or 4096 bits is a reasonable choice for a key that will be in service for years. Quite often keys are generated as pairs and stored as two separate files, one containing the public key and the other the private key. With OpenSSL, however, the private key file also contains the public key (the modulus and public exponent), which is why the certificate request below needs only server.key. RSA can be used for both encryption and signing, whereas the other signature algorithms used in certificates, DSA and its elliptic-curve successor ECDSA, are for signing only.
Create a certificate request
Next, type the following command to create the certificate request using the key just generated. A request carries no validity period: how long the issued certificate is valid is decided by the certificate authority when it signs, not by anything in the CSR.
Substitute your own data for the examples and answer the other questions with relevant information when prompted. The Common Name must be the fully qualified host name that clients will connect to; modern browsers ignore the Common Name and validate the host against the subjectAltName extension, which public CAs copy from the Common Name or ask for separately (it can also be supplied in the request through an OpenSSL configuration file). Leave Organizational Unit and Email Address blank unless your CA asks for them. Older OpenSSL releases sign the request with SHA-1 by default; add -sha256 to the command so that a CA does not reject it.
openssl req -new -key server.key -out www.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:email@example.com
Check the contents of a certificate request
To check the contents of the certificate request use the following command.
openssl req -in www.example.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=Example Ltd, CN=www.example.com/emailAddress=email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b4:1e:d8:c0:5c:e1:fd:b2:ab:5d:b5:9f:c6:39:
                    b4:c6:c8:5b:9c:a8:f4:32:cb:dc:e9:99:bb:da:78:
                    96:fb:d8:d7:9b:d6:45:a2:47:53:e7:b9:3f:a6:46:
                    fe:9e:08:b1:38:72:a4:87:78:31:76:78:75:4c:f1:
                    93:e6:31:37:f4:dc:33:6f:0b:8d:61:45:07:10:45:
                    94:b7:c8:ee:e1:cc:86:ea:5b:16:45:4c:12:cf:2c:
                    f7:75:95:1f:0b:c6:39:6a:9d:0e:a8:59:42:2b:2f:
                    8e:bb:ab:b8:63:a5:a5:45:19:9c:b4:be:d9:16:eb:
                    19:0e:74:53:40:4d:b0:72:7e:32:75:74:5f:5f:a9:
                    97:40:e1:e0:9c:9f:a2:fe:af:bd:9f:a7:6a:79:12:
                    3e:3b:b6:0f:6b:16:56:db:22:b8:3a:76:15:c8:f8:
                    66:02:62:19:db:20:4c:f3:2e:93:a4:7f:fe:20:69:
                    04:e3:e5:68:55:05:48:14:70:c0:63:7c:0c:c1:92:
                    51:55:bb:8c:2a:0c:18:ca:e6:25:eb:21:bb:91:cf:
                    19:db:c0:51:7d:08:38:36:e6:4d:48:93:b7:7b:d8:
                    98:75:53:24:e8:f2:cc:27:f6:fc:44:7b:df:4a:75:
                    56:f4:14:18:7e:cc:89:9d:b6:cb:65:4f:ce:33:6b:
                    1e:b7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        63:af:95:d9:60:e1:ca:ff:f5:65:fb:ad:0a:be:c1:4f:4d:e0:
        42:d7:40:c3:ab:51:f2:d6:71:89:7d:9f:b9:8c:05:cd:e2:9e:
        d9:a8:11:d8:7f:16:63:83:d3:bc:59:92:fe:ba:7e:84:89:c6:
        9d:e8:d8:4d:20:2e:46:4b:32:43:f1:ff:07:3a:6f:1f:26:d5:
        79:05:24:40:5a:3a:67:19:05:aa:19:a1:68:c2:bd:13:e4:0e:
        8d:bc:87:b4:5e:ae:c5:f3:52:e4:9b:d6:15:0f:89:fd:a9:41:
        79:a0:ed:ac:61:2d:52:85:bd:8f:a7:e5:94:7b:e4:04:39:b1:
        ce:c5:07:0f:df:2a:41:d4:11:f4:f3:f8:55:73:2e:b3:9a:ff:
        4c:aa:37:7f:74:c3:c5:06:c6:bf:8c:2e:b7:6e:ef:6b:14:17:
        10:c0:42:80:2d:13:65:87:43:0b:da:ea:1e:81:f2:81:67:78:
        30:b8:48:d4:97:95:42:88:84:8b:f0:7d:62:ae:25:ba:bd:91:
        ef:75:09:7b:6f:8a:10:b7:81:d6:66:3f:c1:8e:63:b0:d8:ef:
        2e:03:41:0f:d0:95:a0:e5:d9:17:32:67:cb:00:d8:10:12:60:
        57:c2:b2:cc:d9:c6:78:e9:2b:ab:80:5a:02:1c:52:92:d0:2d:
        cc:68:b5:d5
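The three steps above (key, request, check) as one script, added here as an example and not part of the original page. It goes beyond the interactive walk-through in two ways a practitioner usually wants: the Distinguished Name and a subjectAltName are supplied from a small OpenSSL configuration file so the command runs unattended, and the check step does more than print the request: it verifies the CSR's self-signature and confirms that the public key inside the CSR is the one belonging to the private key on disk (the usual way to catch a key and request that have got mixed up). The host name www.example.com, the DN values and the output directory are assumptions; the key is written unencrypted so the script needs no passphrase prompt, which is why it is created with mode 0600.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes the openssl command line tool.
set -eu

# make_csr DIR HOST: writes DIR/HOST.key (unencrypted, mode 0600), DIR/HOST.cnf
# and DIR/HOST.csr for the assumed host name HOST.
make_csr() {
  dir=$1; host=$2
  umask 077                     # new files readable only by the owner
  # 2048 bits is the minimum most CAs accept; no -des3/-aes256 here, so the key
  # is stored in the clear and must be protected by file permissions instead.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"
  # Assumed DN values; prompt = no makes req read them instead of asking.
  # v3_req adds the subjectAltName that browsers validate the host against.
  cat > "$dir/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
C  = GB
ST = Berkshire
L  = Newbury
O  = Example Ltd
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
  # -sha256 so that older OpenSSL releases do not sign the request with SHA-1.
  openssl req -new -sha256 -key "$dir/$host.key" -config "$dir/$host.cnf" \
    -out "$dir/$host.csr"
}

# csr_ok DIR HOST: returns 0 when the CSR's self-signature verifies and the
# public key embedded in the CSR matches the private key in DIR/HOST.key.
csr_ok() {
  dir=$1; host=$2
  openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$dir/$host.csr" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# csr_san DIR HOST: prints the subjectAltName value recorded in the CSR,
# taken from the same -text dump shown in the section above.
csr_san() {
  openssl req -in "$1/$2.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Usage: sh make_csr.sh /path/to/dir www.example.com
if [ "$#" -eq 2 ]; then
  make_csr "$1" "$2"
  csr_ok "$1" "$2" && echo "CSR verifies and matches $1/$2.key"
  echo "SAN: $(csr_san "$1" "$2")"
fi
```

The public-key comparison works because openssl pkey -pubout and openssl req -pubkey both emit the same SubjectPublicKeyInfo PEM block, so hashing the two outputs is enough; the same comparison against an issued certificate (openssl x509 -pubkey -noout) tells you whether the certificate a CA sent back belongs to your key.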
Decrypt the private key
The command below prompts for the passphrase, decrypts the key in memory and prints its components (modulus, public and private exponents, primes) in plain text on standard output (the screen); it does not write an unencrypted key file. That output is the private key, so run it only on a trusted host and never paste it into tickets, e-mail or chat. To write an unencrypted copy of the key, for example for a web server that cannot prompt for a passphrase at start-up, drop -noout -text and give an -out file instead, and make sure that file is readable only by the account the server runs as.
openssl rsa -noout -text -in server.key
Enter pass phrase for server.key: