How to generate an SSL certificate request using openssl

This document shows you how to generate a request for an SSL certificate (a CSR) to be signed by a recognised certificate authority (CA) such as Verisign.

There are a number of ways to complete this exercise. Here we use the openssl command to create the private key first, and then use that private key to generate the certificate request.

Create a private key

To create a private key, use the following command. You will be prompted for a pass phrase, which is used to encrypt the key file.

openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus
..........................................................................+++
.....................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

This creates a 2048-bit key using the RSA algorithm. Keys are often generated as a pair stored in two separate files, one containing the public key and the other the private key. With OpenSSL, however, the private key file also contains the public key. RSA can be used for both encryption and signing, whereas the other popular algorithm associated with certificates, DSA, is for signing only.

Create a certificate request

Next, type the following command to create the certificate request using the key just generated. The request itself carries no validity period; the certificate's lifetime (365 days here) is set by the CA when it signs the certificate.

Substitute your own data for the example values and answer the remaining prompts with the relevant information when asked.

openssl req -new -key server.key > www.example.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:email@example.com

Check the contents of a certificate request

To check the contents of the certificate request, use the following command.

openssl req -in www.example.com.csr -noout -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=Example Ltd, CN=www.example.com/emailAddress=email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b4:1e:d8:c0:5c:e1:fd:b2:ab:5d:b5:9f:c6:39:
                    b4:c6:c8:5b:9c:a8:f4:32:cb:dc:e9:99:bb:da:78:
                    96:fb:d8:d7:9b:d6:45:a2:47:53:e7:b9:3f:a6:46:
                    fe:9e:08:b1:38:72:a4:87:78:31:76:78:75:4c:f1:
                    93:e6:31:37:f4:dc:33:6f:0b:8d:61:45:07:10:45:
                    94:b7:c8:ee:e1:cc:86:ea:5b:16:45:4c:12:cf:2c:
                    f7:75:95:1f:0b:c6:39:6a:9d:0e:a8:59:42:2b:2f:
                    8e:bb:ab:b8:63:a5:a5:45:19:9c:b4:be:d9:16:eb:
                    19:0e:74:53:40:4d:b0:72:7e:32:75:74:5f:5f:a9:
                    97:40:e1:e0:9c:9f:a2:fe:af:bd:9f:a7:6a:79:12:
                    3e:3b:b6:0f:6b:16:56:db:22:b8:3a:76:15:c8:f8:
                    66:02:62:19:db:20:4c:f3:2e:93:a4:7f:fe:20:69:
                    04:e3:e5:68:55:05:48:14:70:c0:63:7c:0c:c1:92:
                    51:55:bb:8c:2a:0c:18:ca:e6:25:eb:21:bb:91:cf:
                    19:db:c0:51:7d:08:38:36:e6:4d:48:93:b7:7b:d8:
                    98:75:53:24:e8:f2:cc:27:f6:fc:44:7b:df:4a:75:
                    56:f4:14:18:7e:cc:89:9d:b6:cb:65:4f:ce:33:6b:
                    1e:b7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        63:af:95:d9:60:e1:ca:ff:f5:65:fb:ad:0a:be:c1:4f:4d:e0:
        42:d7:40:c3:ab:51:f2:d6:71:89:7d:9f:b9:8c:05:cd:e2:9e:
        d9:a8:11:d8:7f:16:63:83:d3:bc:59:92:fe:ba:7e:84:89:c6:
        9d:e8:d8:4d:20:2e:46:4b:32:43:f1:ff:07:3a:6f:1f:26:d5:
        79:05:24:40:5a:3a:67:19:05:aa:19:a1:68:c2:bd:13:e4:0e:
        8d:bc:87:b4:5e:ae:c5:f3:52:e4:9b:d6:15:0f:89:fd:a9:41:
        79:a0:ed:ac:61:2d:52:85:bd:8f:a7:e5:94:7b:e4:04:39:b1:
        ce:c5:07:0f:df:2a:41:d4:11:f4:f3:f8:55:73:2e:b3:9a:ff:
        4c:aa:37:7f:74:c3:c5:06:c6:bf:8c:2e:b7:6e:ef:6b:14:17:
        10:c0:42:80:2d:13:65:87:43:0b:da:ea:1e:81:f2:81:67:78:
        30:b8:48:d4:97:95:42:88:84:8b:f0:7d:62:ae:25:ba:bd:91:
        ef:75:09:7b:6f:8a:10:b7:81:d6:66:3f:c1:8e:63:b0:d8:ef:
        2e:03:41:0f:d0:95:a0:e5:d9:17:32:67:cb:00:d8:10:12:60:
        57:c2:b2:cc:d9:c6:78:e9:2b:ab:80:5a:02:1c:52:92:d0:2d:
        cc:68:b5:d5

Decrypt the private key

To decrypt the private key and print its components to standard output (the screen), use the following command. You will be prompted for the pass phrase.

openssl rsa -noout -text -in server.key

Enter pass phrase for server.key:
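The steps above (create a key, create a request, check the request, read the key) can be scripted so that nothing is typed at a prompt and the result is verified before it is sent to the CA. The script below is an added example and is not part of the original document. It uses -passout/-passin to supply the pass phrase and -subj to supply the Distinguished Name, and it swaps the page's -des3 for -aes256 (3DES is deprecated in current OpenSSL). It then checks three things a practitioner wants to know before submitting a CSR: the request's self-signature verifies, the public key inside the request matches the private key (compared via `openssl rsa -pubout`, the same key-reading command the last section uses), and the Common Name is the one intended. File names, the subject and the pass phrase are constructed values; only openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive key + CSR
# generation with verification. Assumes openssl is on PATH.
set -eu

# Generate a pass-phrase-protected 2048-bit RSA key and a CSR for it.
# $1 = key file, $2 = CSR file, $3 = Common Name, $4 = pass phrase
make_key_and_csr() {
    key=$1; csr=$2; cn=$3; pass=$4
    # -aes256 instead of the page's -des3; -passout avoids the interactive prompt.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$key" 2048 2>/dev/null
    # -subj supplies the Distinguished Name so no questions are asked.
    # Subject values other than the CN are constructed examples.
    openssl req -new -key "$key" -passin "pass:$pass" \
        -subj "/C=GB/ST=Berkshire/L=Newbury/O=Example Ltd/CN=$cn" \
        -out "$csr" 2>/dev/null
}

# Check a CSR against the key and expected CN.
# Prints "ok" and returns 0, or prints the failing check and returns 1.
check_csr() {
    key=$1; csr=$2; cn=$3; pass=$4
    # 1. The CSR is self-signed with the requester's key; the signature must verify.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "signature check failed"; return 1; }
    # 2. The public key embedded in the CSR must be the one derived from our private key.
    key_pub=$(openssl rsa -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$csr_pub" ] || { echo "public key mismatch"; return 1; }
    # 3. The subject must carry the CN we asked for (matches both "CN=" and "CN = " output styles).
    openssl req -in "$csr" -noout -subject 2>/dev/null | grep -q "CN *= *$cn" \
        || { echo "CN mismatch"; return 1; }
    echo ok
}

# Usage: sh make_csr.sh run
# Writes server.key and www.example.com.csr to the current directory and checks them.
if [ "${1:-}" = run ]; then
    make_key_and_csr server.key www.example.com.csr www.example.com "changeme"
    check_csr server.key www.example.com.csr www.example.com "changeme"
fi
```

Passing the pass phrase as `pass:...` on the command line is convenient for a demonstration but is visible to other users of the machine in the process list; for real keys prefer `-passout file:` or `env:` so the phrase does not appear in command arguments.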