OpenSSL Generating a Certificate Signing Request

From UNIX Systems Administration
Jump to navigation Jump to search

Generate the Certificate Signing Request (CSR)

Apache with mod_ssl Enabled (No subjectAltName)

  1. If required follow the OpenSSL Generating a Private Key procedure.
  2. For Apache purposes, use the key with no pass phrase to generate the CSR file.
  3. Generate the CSR from the private key using openssl.
    # openssl req -new -key <key_name>.key -out <csr_name>.csr
  4. Enter the information as required by the prompts.
  5. Verify the checksum of the key matches the checksum CSR.
    # openssl req -noout -modulus -in <csr_name>.csr | openssl md5

Apache with mod_ssl Enabled (With subjectAltName)

  1. If required follow the OpenSSL Generating a Private Key procedure.
  2. For Apache purposes, use the key with no pass phrase to generate the CSR file.
  3. Create a config file to be configured with the multiple subdomains.
    # cat << EOL >> <config_file>.cnf
    [ req ]
#:default_bits       = 2048
#:default_keyfile    = <private_key>.key
#:distinguished_name = req_distinguished_name
#:req_extensions     = req_ext
  1. [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = New York
    localityName = Locality Name (eg, city)
    localityName_default = New York
    organizationName = Organization Name (eg, company)
    organizationName_default = Example
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_max = 64
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = <domain>.com
    DNS.2 = www.<domain>.com
    DNS.3 = *.<domain>.com
    EOL
  2. Generate the CSR from the private key using openssl.
    # openssl req -new -key <key_name>.key -out <csr_name>.csr
  3. Enter the information as required by the prompts.
  4. Verify the checksum of the key matches the checksum CSR.
    # openssl req -noout -modulus -in <csr_name>.csr | openssl md5

Further Reading

  1. How to Generate SSL key, CSR, and Self Signed Certificate for Apache