How to generate CSR using OpenSSL

Rohan Islam
5 min read, Mar 9, 2021

What is SSL?

SSL (Secure Sockets Layer) is a protocol that encrypts web traffic and lets a client verify the identity of the web server it is talking to.

What is TLS?

TLS (Transport Layer Security) is the updated version of SSL. TLS 1.0 was defined as the successor to SSL 3.0 (internally it carries the version number 3.1), and the protocol was renamed at the same time; that is why it is often referred to as SSL/TLS. All SSL versions and TLS 1.0 and 1.1 are deprecated today, so new deployments should accept only TLS 1.2 and 1.3.

What is SSL/TLS Certificate?

An SSL/TLS certificate is a digital certificate issued by a Certificate Authority (CA). It binds a public key to an identity (for a web server, its DNS name), so a client can verify who it is talking to before the encrypted session is set up. It is also known as a public key certificate or an identity certificate.

What is CSR?

A CSR (Certificate Signing Request) is the message you send to a Certificate Authority to obtain an SSL/TLS certificate. It contains the subject's Distinguished Name, the public key, any requested extensions (such as Subject Alternative Names) and a signature made with the matching private key, which proves to the CA that you hold that key. The private key itself never leaves your machine.

What is OpenSSL?

OpenSSL is an open source cryptography and SSL/TLS toolkit. It runs on Linux, Windows and macOS, among others.

How to Install OpenSSL?

If you are using a Linux machine such as RHEL or Ubuntu, OpenSSL is most likely already installed. If not, install it from the distribution's package repository (dnf install openssl on RHEL, apt install openssl on Ubuntu).

However, if you are on a Windows machine, you can install OpenSSL from Chocolatey. Run the following command in an Administrator command prompt to install the latest version of OpenSSL.

> choco install openssl

How to generate CSR?

A CSR can be generated in many ways. I find OpenSSL the most convenient, because it generates both the private key and the CSR on its own, without depending on a web server or a CA's web form.

Log in to a machine where OpenSSL is installed and run the following command; it creates a new private key and a CSR in one step. Change the key and CSR file names to suit you.

# openssl req -new -newkey rsa:2048 -nodes -keyout <test.mydomain.com>.key -out <test.mydomain.com>.csr -sha256

A few words on the switches: -newkey rsa:2048 generates a fresh 2048-bit RSA key (the minimum size public CAs accept today); -nodes writes that key to disk unencrypted, which is convenient for a server that must start unattended but means the file must be readable only by the account that will use it; -sha256 selects the digest used to sign the request.

Make sure to provide correct input to form the Distinguished Name. I have used some example values. Note that I left the last three fields blank. Leave the challenge password blank unless your CA explicitly asks for one; it is not a passphrase for the private key.

# openssl req -new -newkey rsa:2048 -nodes -keyout test.mydomain.com.key -out test.mydomain.com.csr -sha256
Generating a 2048 bit RSA private key
.............................................................................................................+++
............+++
writing new private key to 'test.mydomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:West Bengal
Locality Name (eg, city) [Default City]:Kolkata
Organization Name (eg, company) [Default Company Ltd]:My Organization
Organizational Unit Name (eg, section) []:My Organization Unit
Common Name (eg, your name or your server's hostname) []:test.mydomain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now let’s see what files were created. The command produced a CSR file and a key file. The .key file is the private key: do not share it with anyone, not even the CA, and restrict its permissions (chmod 600) right away. You will need it later to install the certificate once the CA has issued it.

# ls -l
Mar 9 13:38 test.mydomain.com.csr
Mar 9 13:38 test.mydomain.com.key

Now, run the following command to verify the csr file.

# openssl req -noout -text -in <csr file name>

This prints the request, including the Distinguished Name we entered during CSR creation, the public key and the self-signature.

# openssl req -noout -text -in test.mydomain.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=West Bengal, L=Kolkata, O=My Organization, OU=My Organization Unit, CN=test.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:d4:c9:05:e0:1f:77:51:43:94:a0:c1:b9:80:
2f:d6:2c:a3:9c:18:49:52:73:c7:3c:a2:29:c9:a0:
74:49:2b:8d:1f:9e:99:2d:5d:06:a1:2f:90:20:48:
42:be:cf:f4:42:4d:b3:b2:ed:76:a8:ba:4e:7c:c2:
88:62:ab:a4:eb:d4:d8:64:26:3c:a1:cb:e2:b1:e1:
b0:06:16:9a:b1:f0:bb:52:2b:e2:61:3e:9b:45:5f:
dc:f4:64:fe:3a:a0:22:29:44:79:ed:3c:56:e7:d4:
53:80:a0:fa:d4:62:f9:e4:57:a4:98:33:a8:a2:17:
f2:89:8b:42:55:43:e5:d4:9b:98:28:08:53:c4:7d:
82:a0:77:6d:c6:8c:ae:37:04:f1:16:7a:9c:99:23:
d4:bd:d6:9e:be:42:f4:3b:be:df:7b:83:53:b2:a5:
a1:e2:a5:e7:83:01:9e:cf:1d:5c:c1:d2:d2:c2:4d:
51:ce:3c:e7:c1:7b:06:db:e0:16:ae:eb:47:29:2b:
ed:f9:58:04:fe:af:0b:7c:4b:e7:d3:6d:13:1a:ec:
00:3c:75:46:d6:a9:b2:42:49:6a:75:65:6b:78:40:
2d:15:e2:e9:63:6e:93:3a:b2:b3:03:7d:7b:a4:b9:
7d:f1:31:92:70:18:9c:dd:97:86:b5:b8:bb:82:81:
dc:a1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
a6:5d:a2:ad:30:18:ea:c8:11:dd:3a:aa:85:1a:63:c7:c5:bc:
22:9f:11:81:4b:e6:d1:3f:fb:02:c9:01:61:a9:1d:63:77:4a:
c8:f3:d7:d1:db:7b:b5:7d:60:53:b0:33:d0:ee:9a:d9:a2:e6:
6b:21:59:ca:d7:be:ef:19:ee:d9:98:2d:1b:55:a5:4d:46:8d:
9e:cb:cd:46:71:ea:e0:0c:10:96:f6:44:5a:dc:ab:24:e2:eb:
37:0e:ee:d7:8f:21:81:79:43:ae:5b:74:54:94:6b:dd:87:f3:
0a:ef:4c:a8:95:81:d1:a2:42:db:17:9f:0e:87:59:44:36:e2:
10:3a:5f:07:c7:15:7e:06:d3:14:f2:da:b5:fc:85:94:32:2e:
d2:98:c6:0c:18:ae:bb:9b:a7:bb:0f:62:d0:d7:55:7a:92:7b:
ff:c5:fb:ae:4b:65:21:a7:e1:73:17:35:b1:26:00:cd:1c:5a:
71:ca:44:c4:ab:4c:97:cb:42:f3:9b:f9:99:7a:ab:0a:ca:c6:
50:28:5a:af:bd:87:9c:04:fd:ae:f3:99:b8:06:63:34:82:50:
e4:df:17:cb:c0:bd:fc:7a:8e:fc:9c:f1:21:7b:0b:88:66:53:
e7:63:c6:96:ed:f3:47:c8:41:95:cd:d6:64:ff:14:b7:fb:77:
49:ae:1a:96

The above example is a simple CSR that you can give to your CA to get a new SSL/TLS certificate. The CN here is the fully qualified host name of your web application, not its URL. Be aware that modern browsers ignore the CN when matching the host name and look only at the Subject Alternative Name extension, so in practice you should always request a SAN, even for a single name; the next section shows how.

Generate CSR including SAN(s)

In many cases we need to add SAN(s) (Subject Alternative Name) to the CSR. A SAN is required whenever the certificate must cover more than one DNS name, and, because browsers no longer match the host name against the CN, every name the certificate should be valid for belongs in the SAN list, including the name in the CN. The CA/Browser Forum Baseline Requirements require that any CN also appears in the SAN, so a public CA will either add it for you or reject the request; it is safer to include it yourself.

In this section, we will see how we can generate a CSR with SAN using OpenSSL.

Create a file called san.cnf and paste the following text. Replace the values of DNS.1 and DNS.2 with the DNS names you want in the CSR (one of them should be the CN itself, as explained above), and add DNS.3, DNS.4 and so on for more names.

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server's hostname)
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <dnsname1.mydomain.com>
DNS.2 = <dnsname2.mydomain.com>

Run the CSR generation command again, this time with the -config switch pointing at the san.cnf file we just created.

# openssl req -new -newkey rsa:2048 -nodes -keyout <test.mydomain.com>.key -out <test.mydomain.com>.csr -sha256 -config san.cnf

Then follow the prompts on screen to complete the CSR. The prompts now come from the req_distinguished_name section of san.cnf, so there are no default values this time.

Now, when we inspect the CSR file, the additional DNS names appear under Requested Extensions as the Subject Alternative Name.

# openssl req -noout -text -in test.mydomain.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=West Bengal, L=Kolkata, O=My Organization, OU=My Organization Unit, CN=test.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:02:42:a4:a3:26:8a:87:25:86:75:5f:62:66:
61:98:d5:54:d8:fd:ce:4b:a4:36:cd:cb:99:25:f1:
e6:02:71:d5:19:cb:5c:3e:5c:fa:5a:45:72:b2:be:
28:ab:4e:23:fc:7a:3a:7b:c8:f1:57:20:2c:f7:0d:
07:69:83:6f:4f:1e:e0:ca:ea:27:6e:b0:ea:e0:b6:
c4:e8:78:b8:8d:1c:68:b1:c3:a8:36:3d:a5:93:9c:
9e:d0:20:06:31:e8:ce:75:53:df:0e:19:a7:a1:69:
95:eb:a9:bc:1b:8a:cd:36:6b:69:9a:0a:99:ff:82:
9d:4a:6b:09:aa:52:80:93:d8:e5:32:0b:00:29:9e:
1f:43:b5:76:79:6e:ae:44:89:55:c2:e6:28:f4:a9:
b4:0c:e0:2d:c3:42:a6:f3:50:9f:33:7f:d0:19:3e:
9d:a6:da:13:1e:31:1c:6e:5e:7f:6a:e9:52:54:d4:
ac:43:f8:52:35:e7:42:17:47:1d:89:1c:01:da:67:
e5:39:e4:c4:82:9c:42:4e:1c:56:e0:3f:27:5e:39:
74:9c:1f:08:78:78:91:92:17:65:9a:46:4d:2a:95:
7b:88:ee:5d:79:43:0b:b0:d0:79:98:15:30:5c:5a:
47:53:3a:d7:e7:aa:6e:b8:26:a8:dd:f0:0a:36:1d:
5e:91
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:dnsname1.mydomain.com, DNS:dnsname2.mydomain.com

Signature Algorithm: sha256WithRSAEncryption
9a:6d:1d:b1:9c:5e:b2:18:04:a4:dd:4c:6d:7a:3b:0d:1d:d0:
a8:a9:7c:47:b9:5e:34:d9:98:1d:87:98:91:d5:76:62:1b:cc:
e6:e6:81:92:e7:59:0d:63:ac:ec:a4:16:99:52:bf:a1:e5:96:
8f:54:99:ea:7f:f4:71:de:31:85:17:0f:31:6d:18:73:70:8e:
66:7e:f5:c0:88:1b:3b:61:4d:84:66:ba:a0:bb:57:b8:d3:17:
1d:37:a9:cd:45:1b:73:fd:d7:6e:c9:c4:f9:6c:4d:34:83:b7:
e8:92:76:40:f5:ec:73:f3:b1:a3:54:39:a1:c6:9e:a1:8c:d6:
4a:30:5e:41:89:a5:51:4c:65:ef:38:1d:25:1b:c8:5f:07:08:
4f:93:a8:bf:92:30:b4:48:89:40:ac:f8:c9:46:95:9d:e5:e3:
6b:53:78:03:3d:e4:69:d6:e1:48:ca:06:de:75:ef:e1:9c:46:
03:bf:b7:39:d2:e3:f3:93:8e:28:07:01:79:11:6e:9a:93:80:
26:39:8f:5a:09:2e:0e:da:98:7b:3b:ec:30:4f:c5:05:ef:34:
32:a9:9d:04:19:15:89:47:ae:2b:5c:63:1d:43:e6:40:d1:55:
d8:61:67:10:2c:fc:f5:b0:fc:68:58:b1:f6:52:4e:6e:ee:d2:
90:6a:2e:33
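Putting the two procedures above together (the plain CSR and the CSR with SANs), here is an added example that is not part of the original post. It is a small POSIX shell script that writes the equivalent of san.cnf itself, generates the key and CSR non-interactively using prompt = no, always puts the CN into the SAN list, and then checks the result the way you would before sending it to a CA: the CN and SAN entries are read back, the request's self-signature is verified, and the public key inside the CSR is compared with the one derived from the key file. The host name test.mydomain.com, its aliases and the DN values are placeholders taken from this page, not real systems; csr_sans reads dNSName entries only.

```sh
#!/bin/sh
# Added example, not code from the original post. Generates a key and a CSR
# with Subject Alternative Names non-interactively and verifies the result.
# All host names and DN values below are placeholders (constructed input).
set -e

# make_csr HOST OUTDIR [ALIAS...]
# Writes OUTDIR/HOST.key (unencrypted, mode 0600) and OUTDIR/HOST.csr.
# HOST is the CN and is also added as DNS.1, because browsers match the
# host name against the SAN list only, never against the CN.
make_csr() {
    host=$1; outdir=$2; shift 2
    cnf=$(mktemp)
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = req_ext\n'
        printf '[dn]\nC = IN\nST = West Bengal\nL = Kolkata\nO = My Organization\nCN = %s\n' "$host"
        printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$host" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
    # -nodes leaves the key unencrypted, so create it with restrictive permissions
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cnf" -keyout "$outdir/$host.key" -out "$outdir/$host.csr")
    rm -f "$cnf"
}

# csr_cn CSR: print the subject Common Name
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans CSR: print the requested dNSName entries, one per line, in order
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# csr_matches_key CSR KEY: succeed only if the CSR's self-signature verifies
# (proof of possession) and its public key is the one derived from KEY
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    from_csr=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$from_csr" = "$from_key" ]
}

# Stand-alone run; skipped quietly where openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_csr test.mydomain.com "$dir" dnsname1.mydomain.com dnsname2.mydomain.com 2>/dev/null
    echo "CN:   $(csr_cn "$dir/test.mydomain.com.csr")"
    echo "SANs: $(csr_sans "$dir/test.mydomain.com.csr" | tr '\n' ' ')"
    csr_matches_key "$dir/test.mydomain.com.csr" "$dir/test.mydomain.com.key" && echo "CSR signature and key: OK"
    rm -rf "$dir"
fi
```

The key-matching check is worth keeping in a deployment pipeline: a CSR whose public key does not match the key file you are about to install is the classic cause of a server that refuses to start after a certificate renewal.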

Thanks for reading, give it a 👏 if you like it. Please leave a comment and let me know if you have any feedback.

Some useful commands

Generate a PFX (a PKCS#12 bundle holding the private key, the issued certificate and the CA chain; root.crt should contain the intermediate and root certificates your CA supplied):
openssl pkcs12 -export -out <file_name>.pfx -inkey <private_key_file_name>.key -in <public_cert_file_name>.crt -certfile root.crt
Verify a PFX (lists every certificate in the bundle plus the MAC and encryption algorithms used; add -cacerts to list only the CA certificates):
openssl pkcs12 -nokeys -info -in <file_name>.pfx
Verify an installed certificate (the -servername value must be the host name the certificate was issued for, since the server selects its certificate by SNI; redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input):
openssl s_client -connect <DNS name>:443 -servername <servername> -showcerts </dev/null
Convert a PFX to CRT (extracts only the end-entity certificate):
openssl pkcs12 -in ./<file_name>.pfx -clcerts -nokeys -out <file_name>.crt
Export the private key (the output is passphrase-protected; you will be prompted for a passphrase):
openssl pkcs12 -in ./<file_name>.pfx -nocerts -out <file_name>.key
Decrypt the private key (for an RSA key; openssl pkey does the same for any key type):
openssl rsa -in <file_name>.key -out <decrypted_file_name>.key

Note that OpenSSL 3.x encrypts PFX files with AES-256 and a PBKDF2/SHA-256 MAC by default; if an older Windows or Java installation refuses to import such a file, re-export it with the -legacy switch.
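To show the PFX commands above working end to end, here is an added example that is not part of the original post. It stands up a throwaway test CA (a placeholder for the CA that would really sign your CSR), issues a certificate for the hypothetical host test.mydomain.com, bundles key, certificate and CA certificate into a PFX, then extracts them again and checks that what came out matches what went in: the bundle holds two certificates, the extracted key belongs to the extracted certificate, and the certificate chains to the CA. The password p4ssw0rd and every file name are constructed for the example; the password is handed to openssl through an environment variable (env:) rather than on the command line so it does not appear in the process list or shell history.

```sh
#!/bin/sh
# Added example, not code from the original post: PKCS#12 (PFX) round trip.
# The test CA, host name and password below are constructed placeholders.
set -e

# make_test_pki DIR: create a self-signed CA and a CA-signed leaf certificate
# for test.mydomain.com in DIR (stand-in for the certificate a real CA issues)
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test.mydomain.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -sha256 -out "$dir/leaf.crt"
}

# make_pfx KEY CRT CHAIN OUT PASSWORD: bundle key, leaf cert and chain.
# The password travels in an environment variable, not on the command line.
make_pfx() {
    PFX_PASS=$5 openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout env:PFX_PASS
}

# pfx_cert_count PFX PASSWORD: number of certificates in the bundle
pfx_cert_count() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS \
        | grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_cert PFX PASSWORD: the end-entity certificate as clean PEM
# (piping through openssl x509 drops the bag attributes pkcs12 prints)
pfx_leaf_cert() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS \
        | openssl x509
}

# pfx_key PFX PASSWORD: the private key as unencrypted PEM (PKCS#8)
pfx_key() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS \
        | openssl pkey
}

# cert_matches_key CRT KEY: compare the public key in the certificate with
# the public key derived from the private key
cert_matches_key() {
    from_crt=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$from_crt" = "$from_key" ]
}

# chain_ok CA_CRT CRT: succeed if CRT was issued by CA_CRT and is in date
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run; skipped quietly where openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_test_pki "$dir" 2>/dev/null
    make_pfx "$dir/leaf.key" "$dir/leaf.crt" "$dir/ca.crt" "$dir/bundle.pfx" p4ssw0rd
    echo "certificates in bundle: $(pfx_cert_count "$dir/bundle.pfx" p4ssw0rd)"
    pfx_leaf_cert "$dir/bundle.pfx" p4ssw0rd > "$dir/out.crt"
    pfx_key "$dir/bundle.pfx" p4ssw0rd > "$dir/out.key"
    cert_matches_key "$dir/out.crt" "$dir/out.key" && echo "extracted key matches certificate"
    chain_ok "$dir/ca.crt" "$dir/out.crt" && echo "certificate chains to the CA"
    rm -rf "$dir"
fi
```

The unencrypted key written by pfx_key is the most sensitive artefact produced here; in a real deployment write it only to a location with 0600 permissions and delete it once the server has loaded it.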
