Creating a Certificate Signing Request
Environment
- Red Hat Enterprise Linux
- OpenSSL, GnuTLS (certtool), certutil (NSS), or Java keytool
Issue
- How do I create a Certificate Signing Request (CSR) to submit to a Certificate Authority (CA)?
- How do I use genkey to generate the .csr, or is there a different way to generate a CSR?
- How do I create a self-signed certificate and configure HTTPS?
Resolution
There are several ways to generate a Certificate Signing Request (CSR), using tools provided as part of Red Hat Enterprise Linux (RHEL) or as part of your Java installation. This article covers how to create a CSR with each of the following tools:
- OpenSSL
- GNUTLS
- Java keytool
- certutil
You can choose how you would like to generate the request.
Note: Your certificate authority (CA) may expect the request in a certain format or created with a specific tool; check with your CA and follow their instructions for creating CSRs.
After successful creation (using your chosen method), the request can be sent to the CA for signing. To see what you can do with the certificate you should read How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux?.
OpenSSL
OpenSSL is provided with RHEL. Its command line takes some getting used to, but it keeps each part of the Public Key Infrastructure (PKI) material (private key, request, certificate) in a separate file that can be reviewed individually, which is why it is the recommended tool here. It is also the most flexible of the tools and works across the most environments.
# openssl genrsa -des3 -out private.key 2048
# openssl req -new -sha256 -key private.key -out server.csr
The first command generates a 2048-bit RSA key and encrypts it with a passphrase (-des3 selects the legacy Triple-DES cipher; -aes256 is the current choice). The second command prompts you for the location and identification information that forms the subject of the CSR. Spaces and special characters are permitted, but it is best to avoid them because not every application or CA accepts them.
Alternatively you can run the following command to create a key with no encryption and the CSR in a single command:
# openssl req -new -nodes -newkey rsa:2048 -keyout private.key -out server.csr
If your server cannot prompt for a passphrase at start-up, you can strip the passphrase from a key created with the first method. Keep the encrypted original, and protect the unencrypted copy with restrictive file permissions, since nothing else protects it now:
# cp private.key private.key.original
# openssl rsa -in private.key.original -out server.key
The file named server.csr is the file that you send to the CA to be signed.
More information on an OpenSSL CA can be found in How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux?
Although this is not recommended for anything but testing, you can make a self-signed certificate from the request by running the following after both openssl commands above (the CSR must already exist):
# openssl x509 -req -days 365 -in server.csr -signkey private.key -out server.crt
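The OpenSSL steps above put into a non-interactive form, as an added example that is not part of the original article. A small config file supplies the subject and a subjectAltName (SAN) extension, because browsers and most TLS clients now match the server name against the SAN rather than the CN, and the interactive openssl req prompts have no way to add one. The hostnames, subject values and output directory are assumptions; the functions return 0 on success so the result can be checked from a script.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation with OpenSSL, including
# a subjectAltName extension. Hostnames and subject fields are assumed values.
set -e

# make_key_and_csr DIR CN [EXTRA_DNS...]
# Writes DIR/private.key (unencrypted, mode 0600) and DIR/server.csr.
make_key_and_csr() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    # SAN list: the CN first, then any extra names passed in.
    san="DNS:$cn"
    for n in "$@"; do san="$san,DNS:$n"; done
    cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
default_md         = sha256
[ req_dn ]
C  = US
ST = North Carolina
L  = Raleigh
O  = Example Org
CN = $cn
[ v3_req ]
subjectAltName = $san
EOF
    # Key is written unencrypted (equivalent to -nodes); the subshell keeps
    # the restrictive umask from leaking into the caller's shell.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/private.key" 2>/dev/null )
    openssl req -new -key "$dir/private.key" -config "$dir/csr.cnf" \
        -out "$dir/server.csr"
}

# csr_is_valid DIR: the CSR parses and its self-signature verifies, i.e. it
# really was signed by the key whose public half it carries.
csr_is_valid() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# csr_has_san DIR NAME: true if NAME appears as a DNS SAN in the request.
csr_has_san() {
    openssl req -in "$1/server.csr" -noout -text | grep -q "DNS:$2"
}

# self_sign DIR: self-signed certificate from the same request. openssl x509
# -req drops the request's extensions unless told where to read them from,
# so the SAN is taken from the same config section.
self_sign() {
    dir=$1
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/private.key" -extfile "$dir/csr.cnf" -extensions v3_req \
        -out "$dir/server.crt" 2>/dev/null
}
```

Run it as, for example, make_key_and_csr /tmp/pki www.example.com example.com followed by csr_is_valid /tmp/pki. The self-signed certificate is only for local testing, as the article says; send server.csr to the CA for anything else.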
GnuTLS
In a very similar fashion to the OpenSSL examples above, you may use GnuTLS and its certtool utility. To generate the private key and CSR (certtool prompts for the subject fields in the same way openssl req does):
# certtool --generate-privkey --outfile private.key
# certtool --generate-request --load-privkey private.key --outfile server.csr
Although this is not recommended, you may make a self-signed certificate by running the following after "certtool --generate-privkey":
# certtool --generate-self-signed --load-privkey private.key --outfile server.crt
More information on signing GnuTLS certificates can be found in Using GNU TLS to sign certificates
Java keytool
The following commands generate an RSA key pair and the certificate request. keytool stores the private key and its certificates together in a Java keystore file rather than in separate files, so the keystore (and its password) is what you later configure your Java application to use.
When using this method you should also read How to build Certificates for use with Java applications, as it covers the full process when using this tool.
# keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -keystore my_keystore.ks
# keytool -certreq -keyalg RSA -alias myalias -file server.csr -keystore my_keystore.ks
The first command prompts for the subject information shown below; answer it carefully, because it becomes the subject of the Certificate Signing Request (CSR). Newer JDKs call this command -genkeypair; -genkey is still accepted as an alias. The second command writes a file called server.csr, which is what you send to the CA to be signed.
The prompts, with example answers, look like this. Spaces are accepted, but some applications and CAs do not like spaces or special characters ( . , * $ ' etc.) in subject fields, which is why the example uses underscores:
What is your first and last name?
  [Unknown]:  www.server_name.com       <<< the DNS name of your server if this is for a web server or web application; a person's name (e.g. John Smith) only for a user certificate
What is the name of your organizational unit?
  [Unknown]:  Open_Source
What is the name of your organization?
  [Unknown]:  Red_Hat
What is the name of your City or Locality?
  [Unknown]:  Raleigh
What is the name of your State or Province?
  [Unknown]:  North_Carolina
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=www.server_name.com, OU=Open_Source, O=Red_Hat, L=Raleigh, ST=North_Carolina, C=US correct?
  [no]:  yes
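The same two keytool steps run non-interactively, as an added example that is not part of the original article: -dname supplies the answers to the prompts and -ext adds a subjectAltName, which modern TLS clients require in addition to the CN. The alias, keystore password, hostnames and subject values are assumptions.

```shell
#!/bin/sh
# Added example: keytool key pair + CSR without interactive prompts.
# Alias, password, hostnames and subject are assumed values.
set -e

# make_keystore_and_csr DIR CN [EXTRA_DNS...]
# Writes DIR/my_keystore.ks (key pair under alias "myalias") and DIR/server.csr.
make_keystore_and_csr() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    san="dns:$cn"
    for n in "$@"; do san="$san,dns:$n"; done
    # -genkeypair is the current name of -genkey; -dname replaces the prompts.
    # The keystore type defaults to PKCS12 on current JDKs, where the key
    # password must equal the store password.
    keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$cn, OU=Open Source, O=Example Org, L=Raleigh, ST=North Carolina, C=US" \
        -keystore "$dir/my_keystore.ks" -storepass changeit -keypass changeit
    # The SAN has to be given on -certreq itself; keytool does not copy
    # extensions from the keystore entry into the request.
    keytool -certreq -alias myalias -sigalg SHA256withRSA -ext "SAN=$san" \
        -file "$dir/server.csr" -keystore "$dir/my_keystore.ks" -storepass changeit
}

# csr_names DIR: print what keytool sees in the request (subject, public key,
# requested extensions) so the SAN can be checked before sending it to the CA.
csr_names() {
    keytool -printcertreq -file "$1/server.csr"
}
```

Passing -storepass on the command line makes the password visible to other users in the process list and in shell history; for anything beyond a test run, omit it so keytool prompts, or use keytool's -storepass:file form to read it from a protected file.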
certutil
In order to generate a 2048-bit ASCII certificate request, please use the following example as a reference:
# certutil -R -d /database/directory/ -s "cn=myhost.example.com,dc=myorg,dc=com" -a -g 2048 -o /tmp/myhost.csr
If ASCII is not required, please use the following example as a reference:
# certutil -R -d /database/directory/ -s "cn=myhost.example.com,dc=myorg,dc=com" -g 2048 -o /tmp/myhost.csr
The options in the commands above are:
-R: Generate a certificate request (CSR)
-d: The NSS certificate and key database directory
-s: The subject (distinguished name) of the request
-a: Write the request in ASCII (PEM, base64) format rather than binary DER
-g: The key size in bits
-o: The output file
Although it is not recommended, you can have certutil issue a certificate for the request yourself. Note that certutil has no direct equivalent of openssl x509 -signkey: -C signs the request given with -i using an issuer certificate and key that already exist in the database, named by -c, and assigns the serial number given with -m. The issuer must therefore first be created as a CA entry in the same database, as described in Creating a Certificate Authority(CA) using NSS, and the request file (mycert.req here) is the one written with -o above.
# certutil -C -m 2345 -i mycert.req -o mycert.crt -c myissuer -d certdir
More information on an NSS CA can be found in Creating a Certificate Authority(CA) using NSS
Uses for Certificate Requests
There are several applications for SSL/TLS and PKI certificates. The following list points you to the configuration of other Red Hat tools that use SSL/TLS and may require you to request a certificate.
- How to build Certificates for use with Java applications
- How do I configure Apache to use SSL
- How do I configure Apache to support SSL mutual authentication
- How to configure Apache for FIPS 140-2
- Encrypt the connection between Apache mod_proxy / mod_cluster and JBoss EAP 4.x/5.x with SSL
- How to configure x509 Authentication with an LDAP Server using Apache (httpd)
Diagnostic Steps
Requests and certificates created with OpenSSL can be checked with commands like the following:
- Display the information within the CSR (subject, public key, requested extensions):
# openssl req -in server.csr -noout -text
- Verify that the certificate and your private key match. The key's modulus must equal the certificate's; this comparison only applies to RSA keys:
# diff <(openssl x509 -noout -in server.crt -modulus) <(openssl rsa -noout -in private.key -modulus -passin pass:PASSWORD)
If this fails, run it as two separate commands and compare the moduli by hand:
# openssl x509 -noout -in server.crt -modulus
# openssl rsa -noout -in private.key -modulus
Note that -passin pass:PASSWORD places the passphrase on the command line, where other users can read it from the process list and it is recorded in shell history; omit it and let openssl prompt, or use -passin file:/path/to/file with a protected file.
- Remove the passphrase from a private key:
# openssl rsa -in key.pem -out keyout.pem
- Compare hashes of the moduli instead of the full values; the command prints nothing if server.crt and server.key match:
# diff <(openssl x509 -noout -modulus -in server.crt | openssl md5) <(openssl rsa -noout -modulus -in server.key -passin pass:password | openssl md5)
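The modulus comparison above only works for RSA keys (openssl rsa and -modulus have no meaning for an EC key). The following added example, which is not part of the original article, compares the public key extracted from the certificate (or from the CSR) with the one derived from the private key instead, which works for RSA and EC keys alike, and exercises both a matching and a mismatching pair so the check is seen to fail when it should. File names and the test subject are assumptions.

```shell
#!/bin/sh
# Added example: key/certificate and key/CSR matching that works for any key
# type, plus a demo that builds RSA and EC pairs to exercise it.
set -e

# cert_matches_key CERT KEY: returns 0 if CERT's public key equals the one
# derived from KEY, 1 otherwise. openssl prompts for the passphrase if KEY is
# encrypted, instead of taking it on the command line where 'ps' could see it.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# csr_matches_key CSR KEY: the same check for a certificate request.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# demo DIR: build one RSA and one EC key, self-sign a certificate for each
# (constructed test material, subject CN=test), then check that the EC
# certificate matches its own key and does NOT match the RSA key.
# Returns 0 only if both outcomes are as expected.
demo() {
    dir=$1; mkdir -p "$dir"
    # Minimal config so openssl req does not depend on a system openssl.cnf.
    cat > "$dir/min.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = test
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/rsa.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ec.key" 2>/dev/null
    for k in rsa ec; do
        openssl req -new -x509 -days 1 -config "$dir/min.cnf" \
            -key "$dir/$k.key" -out "$dir/$k.crt" 2>/dev/null
    done
    cert_matches_key "$dir/ec.crt" "$dir/ec.key" || return 1   # must match
    cert_matches_key "$dir/ec.crt" "$dir/rsa.key" && return 1  # must not match
    return 0
}
```

Comparing the PEM public keys as whole strings is deliberate: it catches a wrong key of the same size, which eyeballing two moduli in a terminal easily misses, and it needs no per-algorithm special case.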
To test the connection to a server, refer to the following Knowledgebase Solution:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.