Certificate Signing Request

Certificate Signing Request

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge Spkac format generated by some Web browsers.

Create a Certificate Request (CSR)

[root@fedora101 tls]# openssl req -config /etc/pki/tls/openssl.cnf -new -nodes -keyout fedora101.key -out fedora101.csr -days 100
Generating a 2048 bit RSA private key
writing new private key to 'fedora101.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:UP
Locality Name (eg, city) [Default City]:Meerut
Organization Name (eg, company) [Default Company Ltd]:Plentree Enterprise Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Amit Vashist
Email Address []:plentree.ca@vashist.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@fedora101 tls]#

Two files are created upon completion of these instructions.  fedora101.key is generated and put into the private folder.  This is a private key file specfic to the domain that the certificate request was created for.  fedora101.csr is generated and put into the CA folder.  This is a certificate request file and can be used to generate a certificate specific to the domain the certificate request was created for.

[root@fedora101 tls]# ls
cert.pem  certs  fedora101.csr  fedora101.key  misc  openssl.cnf  private
[root@fedora101 tls]#

Now you can send CSR file to CA Server in order sign & get the new CA Signed certificate for you.

[root@fedora101 CA]# openssl ca -config openssl.cnf -in /etc/pki/tls/fedora101.csr -out /tmp/fedora101.crt
[root@fedora101 CA]# openssl ca -config openssl.cnf -in /etc/pki/tls/fedora101.csr -out /tmp/fedora101.crt
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
            Not Before: Apr 11 18:15:02 2015 GMT
            Not After : Apr 10 18:15:02 2016 GMT
            countryName               = IN
            stateOrProvinceName       = UP
            organizationName          = Plentree Enterprise Ltd
            commonName                = Amit Vashist
            emailAddress              = plentree.ca@vashist.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

Certificate is to be certified until Apr 10 18:15:02 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@fedora101 CA]#

To verify your certificate please run the below mentioned command on CA Server:

[root@fedora101 CA]# openssl x509 -subject -issuer -enddate -noout -in /tmp/fedora101.crt 
subject= /C=IN/ST=UP/O=Plentree Enterprise Ltd/CN=Amit Vashist/emailAddress=plentree.ca@vashist.com
issuer= /C=IN/ST=UP/L=Meerut/O=Plentree Enterprise Ltd/CN=Amit Vashist/emailAddress=plentree.ca@vashist.com
notAfter=Apr 10 18:15:02 2016 GMT
[root@fedora101 CA]#

Some Sample Errors:

[root@server101 CA]# openssl ca -config /etc/pki/CA/openssl.cnf -in /tmp/fedora101.csr -out /tmp/fedora101.crt
Using configuration from /etc/pki/CA/openssl.cnf
Enter pass phrase for ./private/ca.key:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (US) and the request (IN)
[root@server101 CA]#

About Amit Vashist

Amit Vashist is someone who brings with him a treasure full of experience of over 8 years in open source technologies. When it comes to virtualization he has single handedly managed end-to-end migration projects in KVM and Xen that involved right from sizing the systems to P2V of existing physical servers. He understands what can go wrong in virtualized world and how to take care of it. He also has root level knowledge on Red Hat platforms and has commissioned & Lamp; Provides Corporate Training over Red Hat HA clusters. Now days Supporting Telecom Giant Billing & Support system, gaining experience on JBoss, Splunk, SQL, Nagios, Apache & Fuse ..etc.
This entry was posted in File System, Linux, OpenSSL, Uncategorized and tagged , , , , , . Bookmark the permalink.

One Response to Certificate Signing Request

  1. Pingback: OpenSSL | Share our secret

Please share your valuable suggestions/comments..!!!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s