IBM Support

How to create Certificate Signing Request with OpenSSL

Technical Blog Post


Abstract

How to create Certificate Signing Request with OpenSSL

Body

Due to various customer and business-partner needs, one may be required to obtain a certificate from a Certificate Authority (CA) such as Symantec (or Verisign), Thawte, Entrust or Comodo, to name a few. For this, one needs to create a Certificate Signing Request (CSR) and send it to the CA to get it signed.

You may already know that we have stopped supporting the Sterling Certificate Wizard.

The issue with the last released Sterling Certificate Wizard version, 1.4.00, is that it cannot create a SHA2 (SHA256, ...) Certificate Signing Request (CSR), which current security and industry requirements call for.

Because of this security concern, we ask our customers to use other tools to create their private key and CSR.

While many tools can generate a Certificate Signing Request (which carries your public key and identity and is not yet signed by a CA) together with its private key, we recommend the latest stable OpenSSL build for your environment.

 

NOTE:  For all Sterling B2B Integrator builds, you can use a third-party tool such as OpenSSL to generate a CSR for a certificate.  In addition, for SB2BI 5.2.6.3 and later builds, you may also use the IBM Key Management Utility (ikeyman).  For ikeyman, see Technote Solution 1985342.

 

Here is a link to download OpenSSL

See License Agreement

OpenSSL Download Reference

 

Here are some external web sites that explain more about OpenSSL commands:

 

Reference 1

and

Reference 2

 

NOTE:  OpenSSL product usage is outside the scope of SB2BI support.

If you have any questions, please work with OpenSSL support, their forum, or other online forums for more help.

 

As an example, for our purpose you may use the following command:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

 

I have downloaded and am using a copy of the OpenSSL-Win64 build on my Windows system.

 

After install, I was able to generate the private key and CSR per below:

 

Below is the OpenSSL version I am using:

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\OpenSSL-Win64\bin>openssl version -a
OpenSSL 1.0.1u  22 Sep 2016
Fri Sep 23 03:48:49 2016
VC-WIN64A
options:  bn(64,64) rc4(16x,int) des(idx,cisc,2,long) idea(int) blowfish(idx)
compiler: cl -D_USING_V110_SDK71_ -D_WINSOCK_DEPRECATED_NO_WARNINGS  /MD /Ox -DO
PENSSL_THREADS  -DDSO_WIN32 -D_USING_V110_SDK71_ -D_WINSOCK_DEPRECATED_NO_WARNIN
GS -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN
 -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_B
N_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH
_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SS
L2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_
NO_STATIC_ENGINE
OPENSSLDIR: "/usr/local/ssl"

 

Below is the command used to create the private key, named alex2048opensslprivateKey.key, and the CSR, named alex2048opensslcertificate.crt, both at RSA 2048-bit strength with the SHA256 signing algorithm, valid for 731 days and with the password sterling:

Note:  You will need to enter the rest of the certificate information as shown below.

C:\OpenSSL-Win64\bin>openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key 

 

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>cd C:\OpenSSL-Win64\bin

C:\OpenSSL-Win64\bin>openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........................+++
..................+++
writing new private key to 'privateKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:IBM Cognitive Engagement Watson Supply
 Chain
Common Name (e.g. server FQDN or YOUR name) []:oxnard.dub.usoh.ibm.com
Email Address []:admin@someserveratIBM.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

C:\OpenSSL-Win64\bin>

 

Below is a list of the private key file and CSR within the same bin directory:

 

C:\OpenSSL-Win64\bin>

C:\OpenSSL-Win64\bin>dir
 Volume in drive C has no label.
 Directory of C:\OpenSSL-Win64\bin

[.]                              [..]
.rnd                             
CSR.csr

privateKey.key

 

At this time, you may then send off your CSR file (i.e. CSR.csr) to a trusted Certificate Authority to get it signed.
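As an added example (not part of the original post), the same private key and CSR generated non-interactively in a POSIX shell, followed by the checks worth running before the CSR goes to a CA: the request's self-signature verifies, the signature algorithm is SHA256 (the gap that motivated this post), the Common Name is the one requested, and the private key really belongs to the CSR. The subject values come from the session above; the working directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): generate the private key and CSR
# non-interactively, then check the result before sending it to a CA.
set -eu
W=$(mktemp -d)            # assumed working directory (the post used C:\OpenSSL-Win64\bin)
KEY="$W/privateKey.key"
CSR="$W/CSR.csr"

# The post's command, plus -subj with the DN from the session above and -sha256:
# OpenSSL 1.0.1 (the version shown in the post) signs requests with SHA1 unless
# told otherwise, and a SHA1-signed CSR is exactly what this post moves away from.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=Ohio/L=Dublin/O=IBM/OU=IBM Cognitive Engagement Watson Supply Chain/CN=oxnard.dub.usoh.ibm.com" \
    -keyout "$KEY" -out "$CSR" 2>/dev/null
  chmod 600 "$KEY"        # -nodes leaves the key unencrypted on disk, so limit who can read it
}

# The request's self-signature must verify (exit status 0 on success).
csr_verify() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }

# Signature algorithm as printed by 'req -text', e.g. sha256WithRSAEncryption.
csr_sig_alg() {
  openssl req -in "$CSR" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Common Name of the request, matched in both the old "/CN=x" and new "CN = x" print styles.
csr_has_cn() { openssl req -in "$CSR" -noout -subject | grep -q "CN *= *$1"; }

# The public key in the CSR must belong to privateKey.key: compare the RSA moduli.
key_matches_csr() {
  [ "$(openssl rsa -in "$KEY" -noout -modulus)" = "$(openssl req -in "$CSR" -noout -modulus)" ]
}

gen_csr
csr_verify && echo "CSR self-signature: OK"
echo "signature algorithm: $(csr_sig_alg)"
csr_has_cn oxnard.dub.usoh.ibm.com && echo "CN: OK"
key_matches_csr && echo "private key matches CSR: OK"
```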

 

Afterward, when you need to combine the private key, the CA-signed public certificate, the intermediate CA certificate and the root certificate into a PKCS12 key file in order to check it into SI, see the How-to reference:

 

For example (note that -certfile accepts a single file, and if it is given twice only the last one is kept, so the intermediate and root certificates are concatenated into one chain file first):

type IntermediateCA.cer root.cer > chain.cer
openssl pkcs12 -export -out alexKeyCertificate.pfx -inkey privateKey.key -in CASignedPublicCertificate.cer -certfile chain.cer

 

To check in the alexKeyCertificate.pfx (p12 or PKCS12) key file, see Check In PKCS12 System Certificates.
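As an added example (not part of the original post), the PKCS12 assembly described above carried out end to end in a POSIX shell and then checked: the signed certificate chains to the root through the intermediate, the .pfx holds all three certificates, and the key inside it belongs to the server certificate. The root and intermediate CA are a constructed toy standing in for the real CA; the file names and the export password follow the post, and the working directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): assemble the PKCS12 (.pfx) with the full
# chain and check its contents before checking it into SI. The root and
# intermediate CA are a constructed toy standing in for the real CA.
set -eu
W=$(mktemp -d)            # assumed working directory
GEN="openssl req -new -newkey rsa:2048 -nodes -sha256"

# Toy root CA, toy intermediate CA (marked CA:TRUE), and the server certificate
# issued from the post's CSR by the intermediate.
$GEN -x509 -days 30 -subj "/CN=Toy Root CA" -keyout "$W/root.key" -out "$W/root.cer" 2>/dev/null
$GEN -subj "/CN=Toy Intermediate CA" -keyout "$W/inter.key" -out "$W/inter.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
openssl x509 -req -in "$W/inter.csr" -CA "$W/root.cer" -CAkey "$W/root.key" -CAcreateserial \
  -days 30 -sha256 -extfile "$W/ca.ext" -out "$W/IntermediateCA.cer" 2>/dev/null
$GEN -subj "/CN=oxnard.dub.usoh.ibm.com" -keyout "$W/privateKey.key" -out "$W/CSR.csr" 2>/dev/null
openssl x509 -req -in "$W/CSR.csr" -CA "$W/IntermediateCA.cer" -CAkey "$W/inter.key" -CAcreateserial \
  -days 30 -sha256 -out "$W/CASignedPublicCertificate.cer" 2>/dev/null

# The signed certificate must chain to the root through the intermediate.
chain_verifies() {
  openssl verify -CAfile "$W/root.cer" -untrusted "$W/IntermediateCA.cer" \
    "$W/CASignedPublicCertificate.cer" >/dev/null 2>&1
}

# -certfile takes a single file (a repeated -certfile keeps only the last one),
# so the intermediate and root certificates are concatenated into one chain file.
export_pfx() {
  cat "$W/IntermediateCA.cer" "$W/root.cer" > "$W/chain.cer"
  openssl pkcs12 -export -out "$W/alexKeyCertificate.pfx" -inkey "$W/privateKey.key" \
    -in "$W/CASignedPublicCertificate.cer" -certfile "$W/chain.cer" -passout pass:sterling
}

# Number of certificates stored in the .pfx: 3 expected (server, intermediate, root).
pfx_cert_count() {
  openssl pkcs12 -in "$W/alexKeyCertificate.pfx" -nokeys -passin pass:sterling 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The private key inside the .pfx must belong to the server certificate (same modulus).
pfx_key_matches_cert() {
  k=$(openssl pkcs12 -in "$W/alexKeyCertificate.pfx" -nocerts -nodes -passin pass:sterling 2>/dev/null \
      | openssl rsa -noout -modulus 2>/dev/null)
  [ "$k" = "$(openssl x509 -in "$W/CASignedPublicCertificate.cer" -noout -modulus)" ]
}

chain_verifies && echo "chain: OK"
export_pfx
echo "certificates in pfx: $(pfx_cert_count)"
pfx_key_matches_cert && echo "pfx key matches certificate: OK"
```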

 


UID

ibm11121049