Categories
Apache DevOps HTTP Concepts linux Technology

Create CSR using OpenSSL

Before you can install a Secure Socket Layer (SSL) certificate, you must first generate a certificate signing request (CSR). 

OpenSSL

The following sections describe how to use OpenSSL to generate a CSR for a single host name. 

Install OpenSSL

Check whether OpenSSL is installed by using the following command:

CentOS® and Red Hat® Enterprise Linux®

rpm -qa | grep -i openssl

The following output provides an example of what the command returns:

openssl-1.0.1e-48.el6_8.1.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686

Debian® and Ubuntu®

dpkg -l | grep openssl

The following output provides an example of what the command returns:

ii  libgnutls-openssl27:amd64           2.12.23-12ubuntu2.4              amd64        GNU TLS library - OpenSSL wrapper

ii  openssl                             1.0.1f-1ubuntu2.16               amd64        Secure Sockets Layer toolkit - cryptographic utility

If the preceding packages are not returned, install OpenSSL by running the following command:

CentOS and Red Hat

yum install openssl openssl-devel

Debian and Ubuntu

apt-get install openssl

Generate the RSA key

Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:

mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/

Run the following command to generate a private key:

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

Create a CSR

Run the following command to create a CSR with the RSA private key (output is in Privacy-Enhanced Mail (PEM) format):

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.

FieldMeaningExample
/C=CountryNL
/ST=StateNoord-Holland
/L=LocationAmstelveen
/O=OrganizationSwatantra Inc.
/OU=Organizational UnitSwatantra Solutions
/CN=Common Nameexample.domain.com

Verify your CSR

Run the following command to verify your CSR:

openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr

After you have verified your CSR, you can submit it to a CA to purchase an SSL certificate.

'Coz sharing is caring