Technical Blog Post
Abstract
Secure with Digital Certificate: Create Certificate Signing Request with OpenSSL
Body
Author: Manisha Khond
Before you request certificate from the Certificate Authority, you have to generate Certificate Signing Request (CSR).
What is a CSR?
A CSR or Certificate Signing request is a block of encoded text that is provided to a Certificate Authority when requesting an SSL Certificate. A CSR consists mainly of the public key of a key pair, and some additional information. Both of these components are inserted into the certificate when it is signed.
What Information Is Included in a CSR?
The CA will use the data from the CSR to build your SSL Certificate. The CSR include information about your business and the website you’re trying to secure, including:
| Common Name (CN) (*.companyname.com) | Fully Qualified Domain Name of your server |
| Organization (O) | The legal name of your Organization |
| Organizational Unit (OU) | The division of your Organization handling the Certificate |
| City/Locality (L) | The City where your Organization is located. |
| State (S) | The State where your Organization is located. |
| Country (C) | 2 letter code of the country where your Organization is located |
| Email address | Email address used to contact your Organization |
There are several tools available that you can use to create CSR. This blog specifically demonstrate creating CSR with OpenSSL.
Below example creates a CSR with RSA keylength 2048, SHA256 Cryptographic hash algorithm.
openssl req \
-new -sha256 -newkey rsa:2048 -nodes \
-subj '/CN=www.ibm.com/O=IBM/C=US/ST=Michigan/L=Ann Arbor' \
-keyout mykey1.pem -out myreq1.pem
Output:
Generating a 2048 bit RSA private key
.....................................+++
...+++
writing new private key to 'mykey1.pem'
The above OpenSSL command creates a private key mykey1.pem and creates a CSR myreq1.pem
Content of the Private key mykey1.pem.
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuaxly4fmrph+Le16qAuQ+or8O1deSeULGomwuUc1FQx0Sdrv
yVe6x8EybMjq4dAq+fqYjY/gFnIlGt+j+v/Y2EDDgA4vPs+cwMdt88qN9b/I6Pua
+vg6J0TZwZL8eHxe3mLEQszBAnfqW2jowHntaEjRC84j5jNlz98Pgm/S87k2SzTI
saVDQRPZva4+oDMzRzSwELWCsO53atu76r7ygFkPNusMpL4sfrsXMWuzKIuJh7X7
l8bD45FbBJ/IJ1O3GNQVsMsweeya4A6oorYf7O2QWSu8Q6vRfF8fXhnrusC2h/2n
uXEH2klX3eJk+ongTOSfCXy+GPxFr+pqPMExxwIDAQABAoIBAB6gOyI5RmmiKZ31
v/ecAMvyxOwc2yahKxWzhHzrK+xO45eTD15MpDhyu5iKA4Q/y/bzyNoA01ugdFJc
dTXfoar588VZkZ1wrVB3FMHTtVrFyaP0bHndG+qCRtDRJ+fPy+4uqGTEVUnM8dEm
Gs40zl4XNLQXyoAcFj0Vc/915nvg1wuThvHnkbdHtJPdk1gU4Yr+6RAwq+GjnUWm
flEn/9mqdF7JZuWSNvUAbUiv2Xakrr3XBefRsyysejyuz+st5IY/UNq/Kq9uK7Vu
ariQsCsgbcdrZ8UifUiyt6SCCZx4fQSfEvc1ynuI9VIvHu/IYeAt2RowJS9ugeNc
/YsrnhECgYEA35FtJA60ZWVvo6Dmk8hHqqkZtqgp8GZH4i8PQ0Shz2Twg3BZhCpc
obzCgEIPVna1v3fqiWosUQFJag+0wZXos/wW8D1xS6fEjoVvJXBHyGJeZO1z+42h
wHxXhzyjCbCEGN9l0foauJya0Dz8o4zHHGL54OxpD3himsbnvIyS0mUCgYEA1Juw
wRFtiVdeZp9zziMs531dzYYPGSz3OLPe8Z+qNZY3ALv25gueZEUKZDrIufEb/yTU
Z1v7SKB0NF/7clIAsCDEvugyT7TRcNJOzSfV6J7E9AJOSxg3wydXZM6V81zuYiTH
NVIBD/qs8k/A1TSPz2jnunc6QDug4gtgJxPCWrsCgYA3/Jc0XGpYqhpXA8g6YgFw
f4Bs+ZfnF/YQcnCEC//pjAGfKNeB/YnNBxQ+QkzM/lVtaX5Wgzwt3QChiuVdRUlN
KWglKX3h0FWsy0WWPpP7Xob9B2nwKPvE1F6nA0xg9M9f2zIIb3WZnb43P86UtoB2
X2LsLMfyk9c9o2oNEbcC8QKBgDwHWXipuwu0J2tCSihBtkQGGZ4V491v3L2dy6zd
L+nBZ/ZFHAkH7sjQ1YZHMrWNZiI7+9zTE7gF1cmT8CLvFFKmbeaZGNt4ako4lxdF
0BfF/EYJAKIjTFtFmF9WFPCJpKUBTV24saQZWwtviTqphJFDRWpYj5HjRCGOpK9j
3NRRAoGAMaNg2hzhzhArRCpSugj/uIhNJrAIlSkj5FRqtXL82ZxgjIH/IjcFw9qt
l2Dik0sVPJrLqrr1jdmdtOjuXgT78nB6mOqG5/ixE9NO0+7wvWvYqjkv61hOAjot
g3xf8OqEUpP6uzQFet1Yr8Y1T19lOEYo8ci8dCCvaogL1WCIdz8=
-----END RSA PRIVATE KEY-----
Content of Certificate Signing request (CSR) myreq1.pem.
-----BEGIN CERTIFICATE REQUEST-----
MIICnTCCAYUCAQAwWDEUMBIGA1UEAxMLd3d3LmlibS5jb20xDDAKBgNVBAoTA0lC
TTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4g
QXJib3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5rGXLh+aumH4t
7XqoC5D6ivw7V15J5QsaibC5RzUVDHRJ2u/JV7rHwTJsyOrh0Cr5+piNj+AWciUa
36P6/9jYQMOADi8+z5zAx23zyo31v8jo+5r6+DonRNnBkvx4fF7eYsRCzMECd+pb
aOjAee1oSNELziPmM2XP3w+Cb9LzuTZLNMixpUNBE9m9rj6gMzNHNLAQtYKw7ndq
27vqvvKAWQ826wykvix+uxcxa7Moi4mHtfuXxsPjkVsEn8gnU7cY1BWwyzB57Jrg
Dqiith/s7ZBZK7xDq9F8Xx9eGeu6wLaH/ae5cQfaSVfd4mT6ieBM5J8JfL4Y/EWv
6mo8wTHHAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAgJ2yMNfZxanOVBO2EoPk
AR8OCl3QDiMJ/K0vopwbI6YTq1pOLUgcmbG5GTdLAIfz9DswSGeerurR4vnpI2bP
dCaf9MUEJEo/vREYvBqeYq2fnC8X1ENHNCkVWZahk7FNb0joAwEUL2T0Xh2kTFZk
4WzotjCW+A6u0vDyf3ErYLEKlhsjGWrgddyz7/ioWOHvZ3WWlpoW6uMpgN656Hn7
lo9m7UyHMeIeJ/RHdgLrQUiHShvV2iZU36YFop8opnwL8Hwp9mT4ubknQwN6mNPF
/4dynS5Z0FkBNWKGOGWJxNqJRc2836bJE1WOj/JQgK0eDnTgJfaRAV+cMf7FwU1m
rA==
-----END CERTIFICATE REQUEST-----
| Private Key: |
 |
|
CSR:
|
|
|
Now you have the Private key and the Certificate Signing Request. You can proceed to request a Certificate from Certificate Authority.
UID
ibm11120605