How to create a CSR with OpenSSL
OpenSSL is available on many platforms (for Windows binaries see, e.g.,
http://www.openssl.org/related/binaries.html) and can be used to generate a
key pair and a CSR. The most convenient way, in our opinion, is to write a
short OpenSSL configuration file which you then feed to the openssl req
command (but feel free to use an alternative procedure if you prefer).
Create a text file named myserver.cnf (where myserver stands for the
name/FQDN of your server) with the following content:
# OpenSSL configuration file for creating a CSR for a server certificate
# Adapt at least the FQDN and ORGNAME lines, and then run
#   openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line.

# the fully qualified server (or service) name
FQDN = foo.example.org

# the name of your organization
# (see also https://www.switch.ch/pki/participants/)
ORGNAME = Example University

# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:$FQDN   # , DNS:bar.example.org , DNS:www.foo.example.org

# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = $ORGNAME
CN = $FQDN

[ req_ext ]
subjectAltName = $ALTNAMES
The CN attribute is the only attribute which must always be specified in a
CSR for a SWITCHpki server certificate. All other attributes are optional (as
far as the CSR is concerned), but some of them will automatically be added to
the issued certificate, if needed: C (countryName), ST (stateOrProvinceName),
L (localityName) and O (organizationName). If desired, an OU
(organizationalUnitName) attribute can be included in the request.
The CN attribute must be set to the fully qualified domain name of your
server, i.e. www.example.com, www.subdomain.example.com or similar. Note
that the template above always lists the FQDN itself as a DNS: entry in
subjectAltName as well: modern browsers match the server name against the
subjectAltName entries only and ignore the CN. The ALTNAMES line can be used
to specify additional subjectAltName entries if you prefer specifying them this
way (otherwise, simply use the text field on the enrollment form).
Then, after having saved the myserver.cnf file, create the key pair and the
CSR with the following commands:

$ touch myserver.key
$ chmod 600 myserver.key
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
This will create a 2048-bit RSA key pair, store the private key in the file
myserver.key and write the CSR to the file myserver.csr.
The private key is stored with no passphrase, so that the server can load it
at start-up without manual intervention. Creating the file and changing its
permissions to 600 (i.e. -rw-------) before running openssl restricts access
to the (confidential) private key to the owner of the file from the moment
the key is written (on a non-UNIX system, use a directory with restrictive
file ACLs or equivalent). Only the CSR is submitted to the CA; the private
key stays on your server and must never be sent along with the request.
The CSR can then be submitted through the SWITCHpki QuoVadis certificate request form.
To examine your CSR before submitting it, use the following command (prints
subject, public key and requested extensions, if present):
$ openssl req -in myserver.csr -noout -text -nameopt sep_multiline
The -verify option additionally checks the CSR's self-signature against the
embedded public key, which confirms that the request and the key in
myserver.key belong together:
$ openssl req -in myserver.csr -noout -verify
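The whole procedure described on this page (write the configuration, create key pair and CSR with owner-only permissions, then inspect the result) as one POSIX shell script. This is an added example and not code from the SWITCHpki page; it needs the openssl command-line tool, and the function names, the working directory and the sample FQDN, organization and alias values are assumptions made for the example. It goes one step beyond the page by extracting CN, subjectAltName and key size from the CSR so they can be compared with what was intended before the request is submitted.

```shell
#!/bin/sh
# Added example, not part of the SWITCHpki page: generate the key pair and CSR
# from the page's configuration template and then check, before submitting,
# that the CSR really carries the intended CN, subjectAltName entries and key
# size. Needs the openssl command-line tool. The function names, the working
# directory and the sample FQDN/organization/alias values are assumptions made
# for this example.
set -eu

# make_csr DIR FQDN ORGNAME [EXTRA_ALTNAMES]
# Writes DIR/myserver.cnf, DIR/myserver.key (owner-only, no passphrase) and
# DIR/myserver.csr. EXTRA_ALTNAMES is a comma-separated list such as
# "DNS:bar.example.org,DNS:www.foo.example.org"; the FQDN itself is always
# the first subjectAltName, as in the page's template.
make_csr() {
    dir=$1; fqdn=$2; orgname=$3; extra=${4:-}
    altnames="DNS:$fqdn"
    if [ -n "$extra" ]; then altnames="$altnames,$extra"; fi
    mkdir -p "$dir"
    # Unquoted heredoc: $fqdn etc. are filled in now, \$FQDN etc. stay literal
    # so the generated file uses the same variable references as the template.
    cat > "$dir/myserver.cnf" <<EOF
FQDN = $fqdn
ORGNAME = $orgname
ALTNAMES = $altnames

[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = CH
O  = \$ORGNAME
CN = \$FQDN

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
    # umask 077 in a subshell: the key file is created owner-only from the
    # start, so there is no window in which it is readable by others (the
    # page's touch + chmod 600 achieves the same, but leaves a short gap).
    ( umask 077 && openssl req -new -config "$dir/myserver.cnf" \
        -keyout "$dir/myserver.key" -out "$dir/myserver.csr" )
}

# csr_cn CSR: print the subject commonName
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# csr_sans CSR: print the requested subjectAltName line, e.g. "DNS:a, DNS:b"
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# csr_key_bits CSR: print the RSA modulus size in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# key_mode FILE: print the permission bits (GNU stat first, BSD stat as fallback)
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_csr CSR: verify the self-signature, then show what would be submitted
check_csr() {
    openssl req -in "$1" -noout -verify
    openssl req -in "$1" -noout -text -nameopt sep_multiline
}

# Demo run with made-up values:  sh mkcsr.sh demo
if [ "${1:-}" = demo ]; then
    d=${TMPDIR:-/tmp}/csr-demo.$$
    make_csr "$d" foo.example.org "Example University" "DNS:bar.example.org,DNS:www.foo.example.org"
    check_csr "$d/myserver.csr"
    echo "CN=$(csr_cn "$d/myserver.csr")  SAN=$(csr_sans "$d/myserver.csr")  key mode=$(key_mode "$d/myserver.key")"
fi
```

Run it as `sh mkcsr.sh demo` to see the full CSR dump followed by the extracted CN, subjectAltName list and key file mode. The extraction helpers are what you would put into a deployment check: compare csr_cn and csr_sans against the names you expect to serve and refuse to submit a request whose SAN list does not contain the FQDN, since that is the name clients will actually match.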