Steps to generate a CSR file. A CSR file is a request file that is submitted to the vendor to obtain an SSL certificate for a web server.
CSR stands for Certificate Signing Request. The file is generated on the server on which the SSL certificate will be used. It contains details about the organization and URL in an encrypted format. Whenever you approach a vendor for an SSL certificate for your web server, you have to submit this CSR file to them. Your certificate is generated based on the information in this CSR file.
How to generate CSR using OpenSSL
Let’s jump into creating our CSR using the most commonly used method, i.e. OpenSSL. It’s a two-step process –
- Create a private key
- Generate CSR using the private key
Create a private key
Using openssl, generate a 2048-bit key file (*.key). This key file will be used to generate the CSR. The command will ask you for a passphrase that will be set on the key file. Use a passphrase of your choice; you will need to supply it when generating the CSR.
[root@kerneltalks ~]# openssl genrsa -des3 -out kerneltalks.com.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
..............................................................................................................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for kerneltalks.com.key:
Verifying - Enter pass phrase for kerneltalks.com.key:
Generate CSR file using key
Now generate CSR file using the key file we generated in the above step.
[root@kerneltalks ~]# openssl req -new -key kerneltalks.com.key -out kerneltalks.com.csr -sha256
Enter pass phrase for kerneltalks.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:Personal
Common Name (eg, your name or your server's hostname) []:kerneltalks.com
Email Address []:contact@kerneltalks.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that -sha256 generates the CSR with the SHA2 algorithm, which is normally preferred. If the -sha256 argument is not given, the CSR will be generated with SHA1, which is outdated and normally not preferred.
Once you have the CSR file, you can check its content using cat. It's a bunch of encrypted code, which you can even decode to check the information within on this link. If there is any typo in the data, you can regenerate the CSR before submitting it to the vendor.
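The checks described above (signing digest, typos in the subject) can also be run locally with OpenSSL instead of pasting the request into a web decoder. The script below is an added example, not part of the original article: the function names make_demo_csr and check_csr are hypothetical, and the demo key is a throwaway generated without a passphrase so the script runs unattended.

```shell
#!/usr/bin/env bash
# make_demo_csr DIR CN: throwaway unencrypted key + CSR (constructed demo data,
# added example; function names are hypothetical).
make_demo_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -sha256 \
        -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Personal/CN=$2" 2>/dev/null
}

# check_csr CSR KEY EXPECTED_CN: one finding per line; returns 0 only if all
# checks pass. KEY is assumed readable without a passphrase prompt.
check_csr() {
    local csr="$1" key="$2" want_cn="$3" rc=0 text alg bits cn
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
        { echo "FAIL not a readable CSR"; return 1; }

    # Self-signature: shows the request was signed by the embedded key and is intact.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "OK   self-signature verifies"
    else echo "FAIL self-signature does not verify"; rc=1; fi

    # Digest used to sign the request (the -sha256 point from the text).
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n1)
    case "$alg" in
        *sha1*|*md5*) echo "FAIL signed with $alg"; rc=1 ;;
        *)            echo "OK   signed with $alg" ;;
    esac

    # Key size as embedded in the request.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then echo "OK   $bits-bit key"
    else echo "FAIL key is ${bits:-unknown} bits"; rc=1; fi

    # Common Name typo check.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$want_cn" ]; then echo "OK   CN=$cn"
    else echo "FAIL CN is '$cn', expected '$want_cn'"; rc=1; fi

    # The CSR must carry the public half of the key that stays on the server.
    if [ "$(openssl req -in "$csr" -noout -pubkey)" = \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "OK   CSR matches private key"
    else echo "FAIL CSR was made from a different key"; rc=1; fi
    return $rc
}

d=$(mktemp -d) && make_demo_csr "$d" kerneltalks.com &&
    check_csr "$d/kerneltalks.com.csr" "$d/kerneltalks.com.key" kerneltalks.com
rm -rf "$d"
```

For a key created with -des3 as in the article, add -passin to the openssl pkey call or enter the passphrase when prompted.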
How to generate CSR using Java keytool
Some people create a CSR file using a Java Keystore. Let’s walk through how to create a certificate signing request using Java keytool.
First, your web server must have Java installed, and you should know the Java binary directory. This is where the keytool command binary resides.
It’s also a two-step process –
- Create java Keystore
- Generate CSR using java Keystore
Create java Keystore
keytool is the Java binary used to run the commands below. While generating the Keystore, you will be asked for all the website-related information.
# keytool -genkey -alias server -keyalg RSA -keystore kerneltalks.com.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: kerneltalks.com
What is the name of your organizational unit?
[Unknown]: Personal
What is the name of your organization?
[Unknown]: Personal
What is the name of your City or Locality?
[Unknown]: Mumbai
What is the name of your State or Province?
[Unknown]: Maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=kerneltalks.com, OU=Personal, O=Personal, L=Mumbai, ST=Maharashtra, C=IN correct?
[no]: yes
Enter key password for <server>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore kerneltalks.com.jks -deststoretype pkcs12".
Create CSR using java Keystore
Now use the Keystore created above, i.e. the jks file, to generate the CSR file.
[root@kerneltalks ~]# keytool -certreq -keyalg RSA -alias server -file kerneltalks.com.csr -keystore kerneltalks.com.jks
Enter keystore password:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore kerneltalks.com.jks -destkeystore kerneltalks.com.jks -deststoretype pkcs12".
Once done, you can give this CSR to your vendor for SSL certificate procurement.