OpenSSL Generating a Certificate Signing Request: Difference between revisions

From UNIX Systems Administration
Line 13: Line 13:
# Create a config file to be configured with the multiple subdomains.
# Create a config file to be configured with the multiple subdomains.
#: <tt>'''# cat << EOL >> <config_file>.cnf'''</tt>
#: <tt>'''# cat << EOL >> <config_file>.cnf'''</tt>
#:<tt>'''[ req ]'''</tt>
[ req ]  
  #:<tt>'''default_bits      = 2048'''</tt>
  default_bits      = 2048  
  #:<tt>'''default_keyfile    = <private_key>.key'''</tt>
  default_keyfile    = <private_key>.key  
  #:<tt>'''distinguished_name = req_distinguished_name'''</tt>
  distinguished_name = req_distinguished_name  
  #:<tt>'''req_extensions    = req_ext'''</tt>
  req_extensions    = req_ext  
#:
 
#:<tt>'''[ req_distinguished_name ]'''</tt>
[ req_distinguished_name ]  
#:<tt>'''countryName                = Country Name (2 letter code)'''</tt>
countryName                = Country Name (2 letter code)  
#:<tt>'''countryName_default        = US'''</tt>
countryName_default        = US  
#:<tt>'''stateOrProvinceName        = State or Province Name (full name)'''</tt>
stateOrProvinceName        = State or Province Name (full name)  
#:<tt>'''stateOrProvinceName_default = New York'''</tt>
stateOrProvinceName_default = New York  
#:<tt>'''localityName                = Locality Name (eg, city)'''</tt>
localityName                = Locality Name (eg, city)  
#:<tt>'''localityName_default        = New York'''</tt>
localityName_default        = New York  
#:<tt>'''organizationName            = Organization Name (eg, company)'''</tt>
organizationName            = Organization Name (eg, company)  
#:<tt>'''organizationName_default    = Example'''</tt>
organizationName_default    = Example  
#:<tt>'''commonName                  = Common Name (e.g. server FQDN or YOUR name)'''</tt>
commonName                  = Common Name (e.g. server FQDN or YOUR name)  
#:<tt>'''commonName_max              = 64'''</tt>
commonName_max              = 64  
#:
 
#:<tt>'''[ req_ext ]'''</tt>
[ req_ext ]  
#:<tt>'''subjectAltName = @alt_names'''</tt>
subjectAltName = @alt_names  
#:
 
#:<tt>'''[alt_names]'''</tt>
[alt_names]  
#:<tt>'''DNS.1  = <domain>.com'''</tt>
DNS.1  = <domain>.com  
#:<tt>'''DNS.2  = www.<domain>.com'''</tt>
DNS.2  = www.<domain>.com  
#:<tt>'''DNS.3  = *.<domain>.com'''</tt>
DNS.3  = *.<domain>.com  
#:<tt>'''EOL'''</tt>
EOL  
# Generate the CSR from the private key using openssl.
# Generate the CSR from the private key using openssl.
#: <tt>'''# openssl req -new -key <key_name>.key -out <csr_name>.csr'''</tt>
#: <tt>'''# openssl req -new -key <key_name>.key -out <csr_name>.csr'''</tt>
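Review bot: The CSR step at the end of this hunk still runs `openssl req -new -key <key_name>.key -out <csr_name>.csr` with no `-config <config_file>.cnf`, so the `[ req_ext ]` and `[alt_names]` sections written by the heredoc are not read by that command and the request will not carry the subjectAltName entries; add `-config <config_file>.cnf` there. Two smaller points on the reworked config lines: dropping the `#:` prefix takes them out of the numbered list (the rendered revision restarts at 1 after the heredoc), and `cat << EOL >>` appends, so running the step twice against the same file duplicates every section, where `>` would not.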

Revision as of 04:03, 15 November 2020

Generate the Certificate Signing Request (CSR)

Apache with mod_ssl Enabled (No subjectAltName)

  1. If required, follow the OpenSSL Generating a Private Key procedure.
  2. For Apache purposes, use the key with no pass phrase to generate the CSR file.
  3. Generate the CSR from the private key using openssl.
    # openssl req -new -key <key_name>.key -out <csr_name>.csr
  4. Enter the information as required by the prompts.
  5. Verify that the checksum of the key matches the checksum of the CSR.
    # openssl req -noout -modulus -in <csr_name>.csr | openssl md5

Apache with mod_ssl Enabled (With subjectAltName)

  1. If required, follow the OpenSSL Generating a Private Key procedure.
  2. For Apache purposes, use the key with no pass phrase to generate the CSR file.
  3. Create a config file listing the multiple subdomains.
    # cat << EOL >> <config_file>.cnf
[ req ]
default_bits       = 2048
default_keyfile    = <private_key>.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName                = Locality Name (eg, city)
localityName_default        = New York
organizationName            = Organization Name (eg, company)
organizationName_default    = Example
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = <domain>.com
DNS.2   = www.<domain>.com
DNS.3   = *.<domain>.com
EOL
  4. Generate the CSR from the private key using openssl, passing the config file so that the subjectAltName entries are included in the request.
    # openssl req -new -key <key_name>.key -config <config_file>.cnf -out <csr_name>.csr
  5. Enter the information as required by the prompts.
  6. Verify that the checksum of the key matches the checksum of the CSR.
    # openssl req -noout -modulus -in <csr_name>.csr | openssl md5
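
The subjectAltName procedure above, run end to end as an added example (not part of the original wiki page): it builds a CSR from a SAN config, lists the DNS names the CSR really contains, and checks that the key and CSR share a modulus. The names example.com, san.cnf, server.key and server.csr are constructed; the config uses prompt = no so it runs unattended, and the moduli are compared directly rather than through md5.

```shell
#!/bin/sh
# Added example. All names (example.com, san.cnf, server.key) are constructed.

# make_csr DIR: write a SAN config, a 2048-bit RSA key and a CSR into DIR.
# Passing -config is what pulls req_ext (and so the SAN list) into the request.
make_csr() {
    cat > "$1/san.cnf" << 'EOL'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = New York
localityName        = New York
organizationName    = Example
commonName          = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.example.com
EOL
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -config "$1/san.cnf" -out "$1/server.csr"
}

# csr_sans CSR: print the DNS names the CSR actually carries, one per line.
csr_sans() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# key_matches_csr KEY CSR: succeed only if both hold the same RSA modulus.
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

tmp=$(mktemp -d) && make_csr "$tmp" && csr_sans "$tmp/server.csr"
key_matches_csr "$tmp/server.key" "$tmp/server.csr" && echo "key matches CSR"
rm -rf "$tmp"
```

An empty result from csr_sans means the CSR was generated without the config file and carries no subjectAltName entries.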

Further Reading

  1. How to Generate SSL key, CSR, and Self Signed Certificate for Apache