Generating a CSR

Generate a Certificate Signing Request (CSR)

In the following I used cscf.cs.uwaterloo.ca as my sample hostname. This perhaps caused some confusion since the hostname was included in the email address we formerly used.

The key part of renewing a certificate is generating a Certificate Signing Request (CSR) to send to the Certificate Authority. Generating a CSR requires the ability to read the private key, so it generally needs to be done as superuser (though that is not technically necessary, as my example here shows). The openssl command can be used for this. Here we generate a request for a certificate for the host cscf.cs.uwaterloo.ca.

  • BLUE is text you type literally
  • RED is text you must modify before typing

    cscf.cs% openssl req -new -key ./new2048.key -out cscf.cs.uwaterloo.ca.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:Ontario
    Locality Name (eg, city) []:Waterloo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:cscf.cs.uwaterloo.ca
    Email Address []:username@domainname
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    cscf.cs% cat cscf.cs.uwaterloo.ca.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----
    cscf.cs%

The openssl command is usually on a normal user's path, and has subcommands useful for examining and working with SSL certificates and their components.

For example, you can use the openssl command to give you a more readable (well, detailed) version of the CSR.

    cscf.cs% openssl req -text < cscf.cs.uwaterloo.ca.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cscf.cs.uwaterloo.ca/emailAddress=username@domainname
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:b6:de:fb:a9:ac:c4:e7:1e:03:2f:c0:40:d5:6c:
                        45:61:12:f8:e0:14:a9:20:e1:0a:81:c4:c8:5a:cf:
                        2e:1f:6f:ac:76:c4:69:a7:c4:ef:de:7f:82:d9:3f:
                        21:7f:45:3d:11:52:34:dc:40:a0:20:2f:26:9f:58:
                        6a:98:0e:8a:52:af:c5:ee:9e:ac:b4:1b:61:21:7a:
                        a3:0b:d8:46:af:f9:9f:32:19:0e:2f:06:3c:57:45:
                        a4:a3:fb:57:a2:35:7d:d5:49:84:0e:ac:cf:1d:d4:
                        0f:a6:99:b6:58:87:23:95:3a:63:24:4e:bb:50:22:
                        13:eb:89:3b:fd:8f:43:1d:94:1b:74:5d:53:67:e5:
                        ba:6d:db:d7:27:48:fe:21:cf:9d:59:87:5c:50:99:
                        5d:f6:4d:3c:72:0c:4f:e9:6a:2d:5c:4b:39:88:5e:
                        eb:f5:a3:2c:df:89:88:58:78:42:5c:19:aa:12:2c:
                        d6:4a:92:fd:28:a9:d2:64:3d:ba:bb:b6:5c:c6:71:
                        65:dd:6c:70:c9:58:f7:d8:e3:7f:25:44:5d:9b:25:
                        62:f7:a2:88:dd:46:36:4f:40:03:0a:6a:78:72:26:
                        99:f4:e2:5b:cd:8d:30:92:d6:4a:1f:11:2d:48:0f:
                        31:c1:1c:2c:d8:1f:c7:77:18:62:ca:53:f5:f0:a8:
                        df:3b
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            02:d9:30:8a:95:ad:90:7d:de:85:59:da:de:d5:83:b1:e4:e4:
            9c:d8:3f:30:1f:11:65:6a:7e:99:fa:f0:bd:dd:cf:df:44:92:
            b8:c3:4b:d7:9f:b3:fd:3b:28:e7:e7:ae:c5:71:41:fc:05:30:
            ba:a8:01:e0:b9:c7:3d:6f:44:3d:68:e8:c5:d6:94:e1:d5:8d:
            29:23:60:26:62:04:44:c4:e0:58:5a:70:08:ec:fc:07:29:77:
            f7:7e:b4:9d:be:e9:74:15:81:82:fc:ab:7a:2c:e4:f2:5e:03:
            b2:32:68:bf:ec:e2:f7:64:af:c8:a1:ea:8e:97:f4:a7:7c:e9:
            61:3e:88:7e:9f:80:ae:ec:f0:f7:05:fc:de:ff:c3:29:f2:4f:
            88:dc:57:71:5f:9a:5c:4c:c1:92:c0:94:12:5d:d1:18:81:ab:
            c5:fb:c7:7f:ee:61:3d:3d:ac:75:26:f5:29:28:77:90:e3:65:
            51:0d:0a:63:23:40:22:f2:4e:e0:ee:88:6b:43:97:69:fb:57:
            3e:2b:7f:56:84:b5:8f:b9:a5:a5:de:16:75:35:ef:a9:ea:ea:
            f7:04:67:e9:fb:7f:50:08:a2:6a:b9:21:4f:55:8b:c2:78:88:
            13:c4:cf:fc:d2:5b:df:9d:57:b0:38:27:08:0b:d2:f7:75:ba:
            59:79:f1:f5
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----

I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.
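
The generation and inspection steps above can be combined into a non-interactive script that checks the CSR before it is submitted. This is an added example, not part of the original page: the function names and file names are constructed, the subject reuses the page's sample values without the email address, and `-sha256` is passed explicitly because the sample output above shows `sha1WithRSAEncryption`.

```shell
#!/bin/sh
# Added example, not from the original page. Subject values follow the page's
# sample; file names and function names are constructed for illustration.

# gen_csr KEY CSR SUBJECT: -subj supplies the DN without prompts and
# -sha256 sets the digest used to sign the request.
gen_csr() {
    openssl req -new -sha256 -key "$1" -out "$2" -subj "$3"
}

# A CSR is signed with its own private key. Match on the message text,
# since the exit status on failure differs between OpenSSL versions.
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key KEY CSR: the CSR must carry the public half of KEY.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr KEY CSR: succeed only if every check passes.
check_csr() {
    csr_sig_ok "$2" || { echo "signature does not verify" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR/key mismatch" >&2; return 1; }
    [ "$(csr_key_bits "$2")" -ge 2048 ] 2>/dev/null || { echo "key under 2048 bits" >&2; return 1; }
    case "$(csr_sig_alg "$2")" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "weak signature digest" >&2; return 1 ;;
    esac
}

# Demo on a throwaway key in a temporary directory.
d=$(mktemp -d) && ( umask 077; openssl genrsa -out "$d/new2048.key" 2048 2>/dev/null )
gen_csr "$d/new2048.key" "$d/host.csr" \
    "/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=cscf.cs.uwaterloo.ca" &&
    check_csr "$d/new2048.key" "$d/host.csr" && echo "CSR passed all checks"
rm -rf "$d"
```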

Notes

I have shown the inclusion of an email address. In fact, GlobalSign does not include the email address in the certificates they generate (that actually helps at renewal time) and so really including that email address in the CSR is sort of redundant. (When you submit the CSR in the next step, you are required to enter an email address; that is presumably the one GlobalSign will actually use).

Furthermore, I have obfuscated the email address by representing it symbolically. The address you should use now is

No permission to view CFPrivate.EMailAddressCscfCerts


If you want a certificate which can be used for several different names, such as virtual hosts on a web server, you will want to see Generate a CSR with Alternative Names.

-- AdrianPepper - 10 May 2011


Topic revision: r12 - 2017-11-23 - AdrianPepper
 