
How to generate a certificate request (CSR) using OpenSSL?


We want to get an official SSL certificate from a well-known public Certificate Authority (CA). To do that, we have to generate a certificate request, for example using OpenSSL.

 

Steps to request a certificate – to generate a CSR file (Certificate Signing Request)

1. Creating a private key
You need to create a private key before you create a certificate or a certificate request.

  • Use command line
  • Navigate to the folder with OpenSSL (default: “C:\Program Files\OpenSSL\bin”)
  • Do one of the following:
    - Generate a private key protected with a password. Type the following command:
    openssl genrsa -des3 -out MyKey.key 2048
    - Generate a private key with no password (not recommended). Type the following command:
    openssl genrsa -out MyKey.key 2048

The key size is 2048 bits because public CAs do not accept RSA keys shorter than that.

IMPORTANT: Keep the private key in a safe place and back up the file. The issued certificate works only together with this private key.

 

2. Creating CSR-file

  • Use command line
  • Type the following command:
    openssl req -new -key MyKey.key -out YourCSR.csr

You have to enter the following information:

  • Country Name (C) – The two-letter ISO abbreviation for your country. [US],
  • State or Province Name (ST) – The state or province where your organization is located. [Arizona],
  • Locality Name (L) – The city where your organization is located. [Phoenix],
  • Organization Name (O) – The exact legal name of your organization. [My Company Inc.],
  • Organizational Unit Name (OU) – Optional for additional organization information. [IT Department],
  • Common Name (CN) – The fully qualified domain name the certificate is requested for. [mydomain.com],
  • Email Address – The contact email address for the CA to use. [info@mydomain.com],
  • Additional attributes – [Enter],
  • A challenge password – [Enter],
  • An optional company name – [Enter]

 

3. Private key verification

  • Use command line
  • Type the following command:
    openssl rsa -noout -text -in MyKey.key

 

4. CSR-file verification

  • Use command line
  • Type the following command:
    openssl req -noout -text -in YourCSR.csr

 

5. Viewing CSR-file contents

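The CSR file is a plain-text (PEM) file: Base64-encoded data enclosed between "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.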

 

6. Sending CSR-file to the official commercial CA.
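
Before the CSR is sent, it is worth confirming that it was built from the intended private key and that the key meets the 2048-bit minimum public CAs require. The PowerShell script below is an added example, not part of the original post; it assumes openssl.exe is on PATH, and the function names, the temporary demo folder and the throwaway files in it are hypothetical.

```powershell
# Added example (not from the original post). Assumes openssl.exe is on PATH.
# Get-PublicKeyPem and Test-CsrMatchesKey are hypothetical helper names.

function Get-PublicKeyPem {
    param([string[]]$OpenSslArgs)
    # Run openssl and return its stdout (a PEM public key) as one string.
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    ($out -join "`n").Trim()
}

function Test-CsrMatchesKey {
    param([string]$KeyPath, [string]$CsrPath, [int]$MinBits = 2048)
    # Public key derived from the private key (openssl prompts for the
    # passphrase if the key file is encrypted).
    $fromKey = Get-PublicKeyPem @('pkey', '-in', $KeyPath, '-pubout')
    # Public key embedded in the CSR.
    $fromCsr = Get-PublicKeyPem @('req', '-in', $CsrPath, '-noout', '-pubkey')
    # Key size from the CSR text dump, which contains "Public-Key: (N bit)".
    $text = (& openssl req -in $CsrPath -noout -text) -join "`n"
    $bits = if ($text -match 'Public.Key: \((\d+) bit\)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        KeyMatchesCsr = ($fromKey -ceq $fromCsr)   # -ceq: Base64 is case-sensitive
        KeyBits       = $bits
        KeySizeOk     = ($bits -ge $MinBits)
    }
}

# Constructed sample: two throwaway keys and one CSR in a temporary folder.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'csr-check-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$key   = Join-Path $dir 'MyKey.key'
$other = Join-Path $dir 'OtherKey.key'
$csr   = Join-Path $dir 'YourCSR.csr'
& openssl genrsa -out $key 2048
& openssl genrsa -out $other 2048
& openssl req -new -key $key -out $csr -subj '/C=US/ST=Arizona/L=Phoenix/O=My Company Inc./CN=mydomain.com'

# First call uses the key the CSR was made from; second uses an unrelated key.
Test-CsrMatchesKey -KeyPath $key   -CsrPath $csr
Test-CsrMatchesKey -KeyPath $other -CsrPath $csr
```

To check real files, call Test-CsrMatchesKey with the paths to MyKey.key and YourCSR.csr from steps 1 and 2; a CSR should be submitted only when both KeyMatchesCsr and KeySizeOk are True.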
