SSL · May 6, 2021 0

How to easily generate a Certificate Signing Request (CSR) with OpenSSL

If you manage Linux (or any Unix variant) Servers – specifically web-servers, one of the tasks that frequently befall you is to secure the servers with SSL Certificates.

The de-facto standard implementation of SSL / TLS on Linux is OpenSSL.

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.

Source: https://www.openssl.org/

A typical certificate generation process consists of the following steps:

  1. Generate a Certificate Signing Request (CSR): A CSR is a block of encoded text that is generated on the server where the certificate will be installed. A CSR is also known as a Self-Signed Certificate, where the certificate has not been validated or signed by a Certificate Authority. While a self-signed certificate can be used to deliver websites over SSL, it is bound to produce an invalid certificate error when the site is loaded in a browser.
  2. Upload the CSR to a Certificate Authority (CA): A certificate authority is a third-party service provider that issues signed digital certificates that are trusted by the subject (owner) of the certificate as well as other parties relying on this certificate. This step usually involves a payment to the CA for their signing services.
  3. Install the signed Certificate on the Server: Once the CA returns the signed certificate, it needs to be installed on the server.

To generate a CSR you need to issue a command line instruction to OpenSSL. The command includes key pieces of information such as the FQDN (fully-qualified domain name) of the server, the organization the certificate belongs to, department, location etc. and requires a bit of Linux CLI knowledge as well as information of OpenSSL command-line options to get done.

The easier way out is to use a third-party tool that assists you with the CSR generation. One such tool is the OpenSSL CSR Tool from DigiCert. This tool accepts the required information via a web-form and outputs the final command-line syntax for OpenSSL required to generate the CSR.

Once you have the OpenSSL command handy, all you need to do is issue the same via the Linux CLI to generate your CSR.

shell> openssl req -new -newkey rsa:2048 -nodes -out chaos-laboratory_com.csr -keyout chaos-laboratory_com.key -subj "/C=VA/ST=Heavenly Abode/L=City of Angels/O=Chaos Laboratory/OU=Information Technology/CN=chaos-laboratory.com"

Easy peasy!!