Generating Certificate Signing Requests using OpenSSL

Requesting SSL Certificates can be a bit of a hassle, so today I’m going to show you how to easily generate SSL certificates with the help of OpenSSL and your CA of choice.

First we need to generate a Certificate Signing Request (CSR) and a private key using OpenSSL. I'm running it in Ubuntu on WSL2, which is a handy way of using Linux tools on your Windows machine.

Generating Private Key and Certificate Signing Request

openssl req -newkey rsa:4096 -keyout PRIVATEKEY.key -out MYCSR.csr 

Let’s break down what the command does and what the parameters do:

openssl
OpenSSL is the tool used to (amongst a lot of other things) generate our private key and CSR

req
Tells OpenSSL to generate a Certificate Signing Request (CSR), which is what we'll send to the Certificate Authority (CA)

-newkey rsa:4096
Tells OpenSSL that we also would like a new private key, and to generate that using RSA with a key length of 4096 bits.

You can also use 2048 bits, which is a bit faster (some researchers have found that the TLS handshake takes around 25 ms longer with a 4096 bit key instead of 2048 bits) but I usually stick to 4096 bits.

-keyout PRIVATEKEY.key
Fairly straightforward, this simply tells OpenSSL where to save the private key file.

-out MYCSR.csr
Likewise, this tells OpenSSL where we want the CSR-file.

OpenSSL will now ask you for quite a lot of information:

grumpy@Aora:/$ openssl req -newkey rsa:4096 -keyout PRIVATEKEY.key -out MYCSR.csr

 Generating a RSA private key
 …………………………….++++
 ……………………………………………………………………………………………………………………..++++
 writing new private key to 'PRIVATEKEY.key'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Country Name (2 letter code) [AU]:FI
 State or Province Name (full name) [Some-State]:Pohjanmaa
 Locality Name (eg, city) []:Vaasa
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fun Facts Oyj
 Organizational Unit Name (eg, section) []:Department of Paranormal Affairs
 Common Name (e.g. server FQDN or YOUR name) []:testserver.example.org
 Email Address []:somedude@example.org
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

The most important part here is the PEM pass phrase, i.e. the password that lets you decrypt the private key. It's really important that you don't lose this, otherwise you will not be able to use the certificate.

Which of these fields actually need to be filled in depends on your CA and how strict a certificate you're looking to get, but you'll need to at least provide a Common Name, which is the DNS name of the server/website you're trying to secure.
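The same key and CSR can be produced without answering the prompts, which is what you want in a script, and the request should be checked before it goes anywhere. The following is an added example, not code from the original post: it supplies the DN with -subj, the PEM pass phrase from an environment variable (CSR_KEY_PASS, an assumed name) and a subjectAltName with -addext, then verifies that the CSR's self-signature is good, that its public key really belongs to PRIVATEKEY.key and that the hostname is in the SAN. It assumes OpenSSL 1.1.1 or newer is on PATH; the hostname and DN values are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: generate the encrypted RSA key
# and CSR without interactive prompts, then check the CSR before sending it
# to the CA. Assumes OpenSSL 1.1.1 or newer on PATH (needed for -addext) and
# the PEM passphrase in the CSR_KEY_PASS environment variable (assumed name).
# Hostname and DN values are constructed sample data.

# make_csr OUTDIR KEYBITS FQDN
# Writes OUTDIR/PRIVATEKEY.key (passphrase-encrypted) and OUTDIR/MYCSR.csr.
make_csr() {
    outdir=$1; bits=$2; fqdn=$3
    : "${CSR_KEY_PASS:?set CSR_KEY_PASS to the private key passphrase}"
    mkdir -p "$outdir"
    # -subj replaces the DN prompts, -passout replaces the PEM pass phrase
    # prompt, and -addext puts the hostname into a subjectAltName, which is
    # where browsers match the hostname (they no longer rely on the CN alone).
    openssl req -newkey "rsa:$bits" \
        -keyout "$outdir/PRIVATEKEY.key" -out "$outdir/MYCSR.csr" \
        -passout env:CSR_KEY_PASS \
        -subj "/C=FI/ST=Pohjanmaa/L=Vaasa/O=Fun Facts Oyj/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn"
}

# check_csr OUTDIR FQDN
# Returns 0 only if the CSR's self-signature verifies, its public key is the
# one belonging to PRIVATEKEY.key, and FQDN is listed in the SAN extension.
check_csr() {
    outdir=$1; fqdn=$2
    # 1. A CSR is signed with the requested key; a failed verify means the
    #    file is corrupt or was altered after it was written.
    openssl req -in "$outdir/MYCSR.csr" -noout -verify >/dev/null 2>&1 || return 1
    # 2. The public key embedded in the CSR must match the private key on
    #    disk, otherwise the certificate the CA returns is unusable.
    key_pub=$(openssl pkey -in "$outdir/PRIVATEKEY.key" \
                  -passin env:CSR_KEY_PASS -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$outdir/MYCSR.csr" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ] || return 1
    # 3. The request must actually name the host we intend to secure.
    openssl req -in "$outdir/MYCSR.csr" -noout -text 2>/dev/null \
        | grep -q "DNS:$fqdn"
}
```

Source the file and run `make_csr ./out 4096 testserver.example.org` followed by `check_csr ./out testserver.example.org`; `openssl req -noout -text -in ./out/MYCSR.csr` prints the full request if you want to eyeball the DN and extensions yourself before uploading.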

Acquiring a Certificate

When all this is said and done, you just have to submit your CSR to your CA, and they will usually give you back a file or a block of text looking something like this.

-----BEGIN CERTIFICATE-----
[base64-encoded certificate data omitted]
-----END CERTIFICATE-----

Save this as a .pem file in the same directory as the CSR and private key you entered earlier.

Generating PKCS #12 Files

Most systems will accept the separate PEM certificate and private key, but it's a lot handier if you can store them as a single file. PKCS #12 allows you to bundle certificates and keys together, which is handy when you need to install your certificate along with its key and any intermediate CA certificates. This can easily be done with OpenSSL as well.

grumpy@Aora:/$ openssl pkcs12 -export -out CERTIFICATE_BUNDLE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.pem
Enter pass phrase for PRIVATEKEY.key:
 Enter Export Password:
 Verifying - Enter Export Password:

OpenSSL will ask you for the passphrase of your private key file, and then for another passphrase which it uses to encrypt the private key inside the PKCS #12 file.

You can use either .pfx or .p12 as the file extension for PKCS #12 files.
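The bundling step is also worth scripting and, more importantly, checking: a PKCS #12 file that is missing the intermediate, or whose key does not pair with the leaf certificate, only fails once it is installed on a server. The following is an added example, not code from the original post: it runs the post's pkcs12 command unattended (passphrases from the assumed environment variables KEY_PASS and P12_PASS), adds an intermediate with -certfile, and then opens the bundle again to count the certificates and confirm the key matches the leaf. Because a CA-issued certificate is not available offline, make_test_material() creates constructed self-signed stand-ins for CERTIFICATE.pem and the intermediate. Assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS #12 bundle from
# the post's command without prompts, include an intermediate CA certificate,
# and verify what the bundle contains. Assumes OpenSSL 1.1.1 or newer on
# PATH and two environment variables (assumed names): KEY_PASS, the private
# key's PEM passphrase, and P12_PASS, the export password.

# make_test_material OUTDIR
# Constructed stand-ins for the CA-issued certificate and the intermediate,
# so the script runs offline. Replace with the real files in practice.
make_test_material() {
    outdir=$1
    mkdir -p "$outdir"
    # Stand-in for the CERTIFICATE.pem your CA returns (self-signed).
    openssl req -x509 -newkey rsa:2048 -days 30 -passout env:KEY_PASS \
        -keyout "$outdir/PRIVATEKEY.key" -out "$outdir/CERTIFICATE.pem" \
        -subj "/CN=testserver.example.org" 2>/dev/null
    # Stand-in for the intermediate CA certificate (its key is not used later).
    openssl req -x509 -newkey rsa:2048 -days 30 -passout env:KEY_PASS \
        -keyout "$outdir/INTERMEDIATE.key" -out "$outdir/INTERMEDIATE.pem" \
        -subj "/CN=Constructed Intermediate CA" 2>/dev/null
}

# bundle_p12 OUTDIR
# The post's command plus -certfile for the chain and -passin/-passout so
# neither passphrase prompt appears.
bundle_p12() {
    outdir=$1
    openssl pkcs12 -export -out "$outdir/CERTIFICATE_BUNDLE.pfx" \
        -inkey "$outdir/PRIVATEKEY.key" -in "$outdir/CERTIFICATE.pem" \
        -certfile "$outdir/INTERMEDIATE.pem" \
        -passin env:KEY_PASS -passout env:P12_PASS
}

# p12_cert_count OUTDIR
# Prints how many certificates the bundle holds; 0 if it cannot be opened
# (wrong export password, damaged file).
p12_cert_count() {
    openssl pkcs12 -in "$1/CERTIFICATE_BUNDLE.pfx" -nokeys \
        -passin env:P12_PASS 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# p12_key_matches_cert OUTDIR
# Returns 0 when the private key inside the bundle pairs with the leaf
# certificate (-clcerts selects the cert that carries the key's localKeyID).
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1/CERTIFICATE_BUNDLE.pfx" -nokeys -clcerts \
                   -passin env:P12_PASS 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1/CERTIFICATE_BUNDLE.pfx" -nocerts -nodes \
                   -passin env:P12_PASS 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

With the real files in place, only bundle_p12 and the two checks are needed; a count of 1 where you expected 2 means the intermediate was not picked up, and a failed p12_key_matches_cert means the wrong key file was passed to -inkey.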
