Certificate Signing Request
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge Spkac format generated by some Web browsers.
Create a Certificate Request (CSR)
[root@fedora101 tls]# openssl req -config /etc/pki/tls/openssl.cnf -new -nodes -keyout fedora101.key -out fedora101.csr -days 100 Generating a 2048 bit RSA private key ....................................................................+++ ..+++ writing new private key to 'fedora101.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) :UP Locality Name (eg, city) [Default City]:Meerut Organization Name (eg, company) [Default Company Ltd]:Plentree Enterprise Ltd Organizational Unit Name (eg, section) : Common Name (eg, your name or your server's hostname) :Amit Vashist Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : [root@fedora101 tls]#
Two files are created upon completion of these instructions. fedora101.key is generated and put into the private folder. This is a private key file specfic to the domain that the certificate request was created for. fedora101.csr is generated and put into the CA folder. This is a certificate request file and can be used to generate a certificate specific to the domain the certificate request was created for.
[root@fedora101 tls]# ls cert.pem certs fedora101.csr fedora101.key misc openssl.cnf private [root@fedora101 tls]#
Now you can send CSR file to CA Server in order sign & get the new CA Signed certificate for you.
[root@fedora101 CA]# openssl ca -config openssl.cnf -in /etc/pki/tls/fedora101.csr -out /tmp/fedora101.crt
[root@fedora101 CA]# openssl ca -config openssl.cnf -in /etc/pki/tls/fedora101.csr -out /tmp/fedora101.crt Using configuration from openssl.cnf Enter pass phrase for /etc/pki/CA/private/ca.key: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Apr 11 18:15:02 2015 GMT Not After : Apr 10 18:15:02 2016 GMT Subject: countryName = IN stateOrProvinceName = UP organizationName = Plentree Enterprise Ltd commonName = Amit Vashist emailAddress = email@example.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D6:6E:9E:60:23:85:D1:ED:21:33:22:59:1C:96:CE:B0:38:5C:37:39 X509v3 Authority Key Identifier: keyid:2A:FC:86:41:D9:84:9E:9C:B6:6A:0C:19:B1:8C:A8:A4:A1:A4:97:EA Certificate is to be certified until Apr 10 18:15:02 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@fedora101 CA]#
To verify your certificate please run the below mentioned command on CA Server:
[root@fedora101 CA]# openssl x509 -subject -issuer -enddate -noout -in /tmp/fedora101.crt subject= /C=IN/ST=UP/O=Plentree Enterprise Ltd/CN=Amit Vashist/emailAddressfirstname.lastname@example.org issuer= /C=IN/ST=UP/L=Meerut/O=Plentree Enterprise Ltd/CN=Amit Vashist/emailAddressemail@example.com notAfter=Apr 10 18:15:02 2016 GMT [root@fedora101 CA]#
Some Sample Errors:
[root@server101 CA]# openssl ca -config /etc/pki/CA/openssl.cnf -in /tmp/fedora101.csr -out /tmp/fedora101.crt Using configuration from /etc/pki/CA/openssl.cnf Enter pass phrase for ./private/ca.key: Check that the request matches the signature Signature ok The countryName field needed to be the same in the CA certificate (US) and the request (IN) [root@server101 CA]#