UnixArena

How to generate a CSR file to get a valid SSL certificate?

SSL

How do you generate a CSR (certificate signing request) so that a CA can issue a valid certificate for a web server or any other application? This article walks through creating the CSR with the OpenSSL command line, adding SANs (Subject Alternative Names) alongside the common name, and removing the PEM pass phrase from the generated key file.

Generating CSR file with common name

1. Log in to a Linux server where the OpenSSL utility is available and run the command below. It creates a new 2048-bit RSA private key (server.key) and the CSR (server.csr) in one step; -nodes means the private key is written unencrypted.

#  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..............................................................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:TAMILNADU
Locality Name (eg, city) [Default City]:COIMBATORE
Organization Name (eg, company) [Default Company Ltd]:VSTACKL
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:vstackl.com
Email Address []:su*******h@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls -lrt server*
-rw-r--r-- 1 root root 1708 Apr 25 17:08 server.key
-rw-r--r-- 1 root root 1062 Apr 25 17:08 server.csr
#

2. Validate the CSR by decoding it. A CSR carries only the public key and the requested subject, so it is safe to paste into an online decoder: copy the CSR content and paste it on the portal page.

(Screenshot: CSR file validation)

3. If the CSR decodes correctly, send server.csr (never server.key) to the team that issues certificates. In many enterprises the Active Directory team handles this request.

4. They generate the new certificate from the CSR. Keep server.key safe for the certificate installation: because the key was generated with -nodes it is unencrypted, and the listing above shows it world-readable (0644), so restrict it to the owner only before leaving it on the server.
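The whole procedure above, scripted so it runs unattended and checks its own output, as an added example that is not part of the original article: the DN is supplied with -subj instead of the interactive prompts, the key is created under a restrictive umask, and the CSR is decoded locally (its self-signature verified and its public key compared with the private key) rather than pasted into a web decoder. It assumes the openssl CLI is on PATH; the hostname and DN values are the article's sample data and the temporary directory is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not the article's own script.
# Assumptions: openssl on PATH; the DN values are the article's sample data.
set -eu

# Generate an unencrypted 2048-bit RSA key and a CN-only CSR in one step.
# -nodes : do not encrypt the key (the web server must read it unattended)
# -subj  : supply the Distinguished Name instead of answering the prompts
# umask 077 in a subshell makes server.key owner-readable only (mode 600).
gen_csr() {
    dir=$1; cn=$2
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=IN/ST=TAMILNADU/L=COIMBATORE/O=VSTACKL/OU=IT/CN=$cn" \
        >/dev/null 2>&1 )
}

# Return 0 when the CSR's self-signature verifies and the public key inside
# the CSR is the public half of server.key, i.e. the pair belongs together.
csr_matches_key() {
    dir=$1
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Print the common name recorded in the CSR (RFC 2253 form avoids the
# version-dependent spacing of the default subject output).
csr_cn() {
    openssl req -in "$1/server.csr" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the key file's permission bits; expect 600 (GNU stat, then BSD stat).
key_mode() {
    stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key"
}

work=$(mktemp -d)
gen_csr "$work" vstackl.com
csr_matches_key "$work" && echo "CSR self-signature OK and public key matches server.key"
echo "CN in CSR: $(csr_cn "$work")"
echo "server.key mode: $(key_mode "$work")"
```

The same local decode works on any CSR you receive from someone else before forwarding it to the CA; a mismatch between the CSR and the key means the certificate will be useless on the server that holds that key.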

Generating CSR file with the common name and SANs

1. Create a new OpenSSL config file (san_cnf in the command below) that lists the SANs. You can have more than one SAN (subject alternative name).

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = vstackl.com
DNS.2   = www.vstackl.com
DNS.3   = cloudstack.com

The file above adds three SANs. Note that the common name is repeated as DNS.1: modern browsers match the hostname against the SAN list only and ignore the common name, so every name the certificate must cover, including the CN itself, has to appear under [alt_names].

2. Run the following command to generate the CSR with multiple SANs. This time -nodes is omitted, so OpenSSL prompts for a PEM pass phrase and encrypts the private key with it for additional security.

# openssl req -new -newkey rsa:2048  -keyout server.key -out server.csr -config san_cnf
Generating a 2048 bit RSA private key
.........................................+++
.......................+++
writing new private key to 'server.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:TAMILNADU
Locality Name (eg, city) []:COIMBATORE
Organization Name (eg, company) []:VSTACKL
Common Name (e.g. server FQDN or YOUR name) []:vstackl.com

3. You can validate (decode) the CSR file using the sslshopper portal and confirm that all three names appear under Subject Alternative Name.

(Screenshot: certificate file SAN v2)
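The SAN procedure above, as an added example rather than the article's own script: it builds the san_cnf file from a list of hostnames (so the CN is always repeated as the first SAN), generates the key and CSR non-interactively with prompt = no, and then reads the SAN list back out of the CSR locally to confirm every name made it in. It assumes openssl on PATH; the hostnames are the article's samples, and -nodes is used here so the script does not stop for a pass phrase (drop it to get the prompt shown in the article).

```shell
#!/bin/sh
# Added example, not the article's own script.
# Assumptions: openssl on PATH; hostnames are the article's sample data.
set -eu

# Write an OpenSSL request config whose [alt_names] section lists every
# hostname given. The first hostname is also used as the CN, because
# browsers ignore the CN and match only against the SAN list.
# prompt = no makes the DN section read as fixed values instead of prompts.
write_san_cnf() {
    out=$1; shift
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
        printf '[ req_distinguished_name ]\nC = IN\nST = TAMILNADU\nL = COIMBATORE\nO = VSTACKL\nCN = %s\n' "$1"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate the key and the multi-SAN CSR from that config.
# Omit -nodes to be prompted for a PEM pass phrase as in the article.
gen_san_csr() {
    dir=$1; shift
    write_san_cnf "$dir/san_cnf" "$@"
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/san_cnf" >/dev/null 2>&1 )
}

# Print the DNS names in the CSR's subjectAltName, one per line. The names
# sit on the line after the "Subject Alternative Name" header in -text output.
csr_sans() {
    openssl req -in "$1/server.csr" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Number of DNS SANs in the CSR (tr strips the padding BSD wc adds).
csr_san_count() {
    csr_sans "$1" | wc -l | tr -d ' '
}

work=$(mktemp -d)
gen_san_csr "$work" vstackl.com www.vstackl.com cloudstack.com
echo "SANs in CSR ($(csr_san_count "$work")):"
csr_sans "$work"
```

On OpenSSL 1.1.1 and later the config file can be skipped entirely by passing the extension on the command line, for example -addext "subjectAltName=DNS:vstackl.com,DNS:www.vstackl.com"; the local check above works the same way whichever method produced the CSR.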

How to remove the PEM pass phrase from a key file?

After installing a new certificate, the web server may fail to restart: if the private key is encrypted with a PEM pass phrase, the server has no way to supply it at startup and cannot read the key. The fix is to write a copy of the key without the pass phrase, using the command below.

Do not confuse this with the Nginx error "PEM_read_bio:no start line". That error means OpenSSL found no "-----BEGIN" header in the file it was handed (the wrong file, a DER file where PEM was expected, or a key pasted with broken line endings), not that the key is encrypted.

A configuration check tells the two cases apart: if Nginx prompts for a pass phrase while validating the configuration, the key is encrypted and you can remove the pass phrase from the key file.

# /usr/sbin/nginx -c /etc/nginx/nginx.conf -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Here is the command that writes the stripped key. You must enter the existing pass phrase once to unlock it. The output is an unencrypted private key, so keep it readable by the web server's user only.

#  openssl rsa -in  server.key -out server-stripped.key
Enter pass phrase for server.key:
writing RSA key
#
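The pass phrase handling above as an added example (not the article's own script): it creates a pass-phrase protected key the way openssl req without -nodes does, tells an encrypted key apart from a plain one and from a file that is not PEM at all (the "no start line" case), strips the pass phrase non-interactively with -passin, and confirms the stripped file holds the same key. It assumes openssl on PATH; the pass phrase Secret123 and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own script.
# Assumptions: openssl on PATH; "Secret123" is a made-up pass phrase.
set -eu

# Create a pass-phrase protected 2048-bit RSA key (what "openssl req"
# without -nodes produces). -passout avoids the interactive prompt.
make_encrypted_key() {
    ( umask 077; openssl genrsa -aes256 -passout pass:"$2" -out "$1" 2048 >/dev/null 2>&1 )
}

# Classify a key file:
#   not-pem   : no "-----BEGIN" header, which is what OpenSSL reports as
#               "PEM_read_bio:no start line" (wrong file or DER, not PEM)
#   encrypted : PEM with an ENCRYPTED marker ("Proc-Type: 4,ENCRYPTED" on the
#               traditional format, "BEGIN ENCRYPTED PRIVATE KEY" on PKCS#8)
#   plain     : PEM key that loads without a pass phrase
key_state() {
    grep -q -- '-----BEGIN' "$1" || { echo not-pem; return; }
    if grep -q ENCRYPTED "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# Strip the pass phrase (the article's "openssl rsa" step) with the pass
# phrase given via -passin so it can run unattended. The output is now a
# plain-text private key, so it is created under umask 077 (mode 600).
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin pass:"$3" -out "$2" >/dev/null 2>&1 )
}

# Return 0 when the encrypted and stripped files hold the same key pair
# (compare the public halves rather than the differently encoded files).
same_key() {
    [ "$(openssl pkey -in "$1" -passin pass:"$3" -pubout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)
make_encrypted_key "$work/server.key" Secret123
echo "server.key is $(key_state "$work/server.key")"
strip_passphrase "$work/server.key" "$work/server-stripped.key" Secret123
echo "server-stripped.key is $(key_state "$work/server-stripped.key")"
same_key "$work/server.key" "$work/server-stripped.key" Secret123 && echo "same key pair"
printf 'this is not a key\n' > "$work/garbage.key"   # constructed bad input
echo "garbage.key is $(key_state "$work/garbage.key")"
```

If you would rather not keep an unencrypted key on disk at all, Nginx can read the pass phrase from a file at startup via the ssl_password_file directive; that file then needs the same tight ownership and permissions as the key itself.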
