Whenever you need to have an SSL certificate, you will always need to create a CSR (Certificate Signing Request) in order to get your certificate signed (and thus trusted) by a CA (Certificate Authority).
Say, for example, you are building and hosting your own website, for which you bought a domain, and you want your website to get that nice-looking padlock that indicates HTTPS traffic.
It's important to note that you can also just self-sign a certificate. However, since you are not a trusted CA, your certificate will work but it will not show up as trusted: browsers will give you an ugly warning message saying that this certificate isn't trusted, which you probably don't want your users to have to deal with.
First things first
OpenSSL is one of the most commonly used tools to manage and create certificates; because of its wide support, I will be using it as well.
First and foremost, before you can create a CSR, you have to know which domain you plan to enable SSL for. I will be using the example from the introduction, my very own hosted website. All it needs now is a (DNS) name; let's say I want a certificate for my website "mygreenpadlock.i8c.be". Because we want to use the certificate to authenticate the identity of our server (a server certificate), we have to make sure the CN (Common Name) that we put in the certificate matches our DNS name.
I will talk about 2 different ways of creating a CSR:
Create your Certificate Signing Request
You can set the following information when creating your CSR:
- Country Name (2 letter code): BE
- State or Province Name (full name): Antwerpen
- Locality Name (eg, city): Kontich
- Organization Name (eg, company): i8c
- Organizational Unit Name (eg, section): Integration
- Common Name: mygreenpadlock.i8c.be
- Email Address: firstname.lastname@example.org
- A challenge password:
- An optional company name:
OpenSSL creation wizard
The following command creates a CSR (which contains your public key and the identity information you enter) and the associated private key, which is very important to keep secure:
openssl req -utf8 -sha256 -newkey rsa:2048 -keyout mygreenpadlock.i8c.be.key -out mygreenpadlock.i8c.be.csr
This command will prompt for a password to encrypt the private key. This private key will be needed by the webserver to decrypt the traffic. I strongly recommend using a strong, autogenerated password from a password manager such as LastPass or Bitwarden.
If you do not want a password for the private key, you can add -nodes to the above command and it will skip private key encryption.
After running the command, the OpenSSL wizard will ask you several questions. These questions concern the contents of the CSR, which I briefly listed above.
Alternative: based on a template
This method is by far the easiest when you have to create CSRs for several (sub)domains. It consists of using a template file in which you preset the properties of your CSR, after which the only thing you have to change per domain is the CN (Common Name) part of the template.
- First create the following template file (template.cnf, the name used in the command below):
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
C = BE
ST = Antwerpen
L = Kontich
O = i8c
OU = Integration
CN = mygreenpadlock.i8c.be

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mygreenpadlock.i8c.be
- You can add multiple alternative names by incrementing the DNS.# index, up to 99 extra names:
DNS.1 = mygreenpadlock.i8c.be
DNS.2 = www.mygreenpadlock.i8c.be
- Open a terminal in the same directory and use the following command to generate your CSR and (encrypted) private key. Replace the values between the brackets:
openssl req -batch -config template.cnf -new -out <myserver>.csr -keyout <private_key>.pem -passout pass:<PASSWORD>
- Repeat these steps for each domain you want to create a CSR for and thus eventually a signed certificate.
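As an added example (my own script, not from the original post), the following shell functions fill the template above for a given DNS name, generate the CSR, and then check what a CA would check: that the CSR's CN and subjectAltName carry that name, that its public key matches the private key you generated, and that its self-signature verifies. The function names, the per-name .cnf/.csr/.key file layout and the use of -nodes (an unencrypted key, only so the check runs unattended) are assumptions of this example; for a real server key, encrypt it as described above.

```shell
# make_csr NAME OUTDIR: writes NAME.cnf, NAME.key and NAME.csr into OUTDIR.
# The key is written unencrypted (-nodes) only so this example runs unattended.
make_csr() {
  name=$1; outdir=$2
  cat > "$outdir/$name.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = BE
ST = Antwerpen
L = Kontich
O = i8c
OU = Integration
CN = $name
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $name
DNS.2 = www.$name
EOF
  openssl req -batch -new -nodes -config "$outdir/$name.cnf" \
    -keyout "$outdir/$name.key" -out "$outdir/$name.csr" 2>/dev/null
}

# check_csr NAME OUTDIR: returns 0 only if the CSR carries NAME as its CN,
# lists NAME in subjectAltName, matches NAME.key and has a valid signature.
check_csr() {
  name=$1; outdir=$2
  txt=$(openssl req -in "$outdir/$name.csr" -noout -text)
  # subject line looks like "CN = name" (OpenSSL 1.1+/3) or "CN=name" (older)
  echo "$txt" | grep -q "CN *= *$name" || { echo "CN mismatch"; return 1; }
  # browsers match on the SAN list, so the name must also appear there
  echo "$txt" | grep -q "DNS:$name" || { echo "SAN missing"; return 1; }
  # the public key inside the CSR must be the one derived from our private key
  csr_pub=$(openssl req -in "$outdir/$name.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$outdir/$name.key" -pubout)
  [ "$csr_pub" = "$key_pub" ] || { echo "key mismatch"; return 1; }
  # finally, the CSR's own signature must verify with that public key
  openssl req -in "$outdir/$name.csr" -noout -verify >/dev/null 2>&1
}
```

Run it as `make_csr mygreenpadlock.i8c.be ./out && check_csr mygreenpadlock.i8c.be ./out` before submitting the CSR to your CA.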
Now, off to get these certificates signed! That is an entirely different process, for which I might write a separate blog post. I hope you found this helpful in your quest of generating certificates via a CSR and eventually getting them signed.