Signing Public Certificates using OpenSSL
Creating a Private Key and Certificate Signing Request (CSR)
Use the following OpenSSL command to generate a Private Key and a Certificate Signing Request that will be submitted to a public Certificate Authority for signing.
openssl req -newkey rsa:2048 -keyout login-hpnlab-net.key -out login-hpnlab-net.csr
Let's break down what this command is doing.
- req tells OpenSSL that we're requesting something (here, a certificate signing request)
- -newkey rsa:2048 -keyout login-hpnlab-net.key tells OpenSSL to create a new 2048-bit RSA private key and write it to that file
- -out login-hpnlab-net.csr tells OpenSSL to write the Certificate Signing Request to that file
OpenSSL will need some additional information to finish creating the Certificate Signing Request. The values typed after each prompt below are the information filled out to finish creating the Certificate Signing Request.
~/certificates/login.hpnlab.net$ openssl req -newkey rsa:2048 -keyout login-hpnlab-net.key -out login-hpnlab-net.csr
.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......................+...+.........+.....+....+...........+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..........+......+....+...+...+............+.....+................+..............+...+....+...+...+..+.+...........+.+..+.+....................+.+...+..+....+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...............+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Enter PEM pass phrase: <enter a secret password here>
Verifying - Enter PEM pass phrase: <re-type your secret password here>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Dakota
Locality Name (eg, city) []:West Fargo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HPN Lab
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:login.hpnlab.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Once the command has finished running we'll be left with two files: the Private Key and the Certificate Signing Request.
~/certificates/login.hpnlab.net$ ls -lh
total 8.0K
-rw-rw-r-- 1 tyler tyler 1001 Sep 11 09:02 login-hpnlab-net.csr
-rw------- 1 tyler tyler 1.9K Sep 11 09:01 login-hpnlab-net.key
The next step is to copy the contents of the Certificate Signing Request and submit it to a public Certificate Authority for signing. Everything printed by cat, from the BEGIN line through the END line, is what gets submitted for signing.
~/certificates/login.hpnlab.net$ cat login-hpnlab-net.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
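The key-and-CSR procedure above, as an added shell example that is not from the original article: it runs the same openssl req command non-interactively, adds a Subject Alternative Name (public CAs and browsers check it rather than the Common Name alone), and checks the CSR before anything is submitted. Assumptions: OpenSSL 1.1.1 or newer (for -addext), the article's hostname and file names, and an unencrypted key via -nodes in place of the article's pass phrase prompt.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSL 1.1.1 or
# newer (for -addext); hostname and file names follow the article.

HOST="login.hpnlab.net"
PREFIX="login-hpnlab-net"
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # where the key and CSR are written

# Generate the private key and CSR in one step. -subj answers the DN prompts
# the article fills in interactively; -addext adds a Subject Alternative Name,
# which browsers and public CAs check instead of the Common Name. -nodes
# writes the key unencrypted (the article's run protects it with a pass phrase).
make_csr() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$PREFIX.key" -out "$WORKDIR/$PREFIX.csr" \
    -subj "/C=US/ST=North Dakota/L=West Fargo/O=HPN Lab/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null \
  && chmod 600 "$WORKDIR/$PREFIX.key"
}

# The CSR is self-signed with the new key; a failed signature check means a
# corrupted or edited request that a CA would reject.
verify_csr() {
  openssl req -in "$WORKDIR/$PREFIX.csr" -noout -verify >/dev/null 2>&1
}

# The public key inside the CSR must be the one derived from the private key
# we keep, otherwise the issued certificate will never match our key.
csr_matches_key() {
  csr_pub=$(openssl req -in "$WORKDIR/$PREFIX.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/$PREFIX.key" -pubout)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Confirm the SAN made it into the request.
csr_has_san() {
  openssl req -in "$WORKDIR/$PREFIX.csr" -noout -text | grep -q "DNS:$HOST"
}

# The key file should be readable by its owner only, as in the article's ls -lh.
key_is_private() {
  [ "$(ls -l "$WORKDIR/$PREFIX.key" | cut -c1-10)" = "-rw-------" ]
}

make_csr \
  && verify_csr && csr_matches_key && csr_has_san && key_is_private \
  && echo "CSR checked and ready to submit: $WORKDIR/$PREFIX.csr"
```

Run it once and inspect the decoded request with openssl req -in login-hpnlab-net.csr -noout -text before pasting the PEM into the CA's submission form.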
Submit a Certificate Signing Request to a public Certificate Authority for Signing