In the following I used cscf.cs.uwaterloo.ca as my sample hostname. This perhaps caused some confusion since the hostname was included in the email address we formerly used.
Generating a Certificate Signing Request (CSR) to send to the Certificate Authority.
Generating a Certificate Signing Request requires read access to the private key. On a server the key is normally owned by root with mode 0600, so the command is generally run as superuser. (That is not technically necessary; in the example here the key was generated and read by an ordinary user.)
The openssl command does the work. Here we generate a request for a certificate for the host cscf.cs.uwaterloo.ca.
    cscf.cs% openssl req -new -key ./new2048.key -out cscf.cs.uwaterloo.ca.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:Ontario
    Locality Name (eg, city) []:Waterloo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:cscf.cs.uwaterloo.ca
    Email Address []:username@domainname

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    cscf.cs% cat cscf.cs.uwaterloo.ca.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----
    cscf.cs%
The
openssl command is usually on a normal user's path, and has subcommands useful for examining and working with SSL certificates and their components. For example, openssl req -text prints a more readable (well, more detailed) rendering of the CSR. Without -noout it also re-emits the PEM encoding after the decoded form, which is why the output below ends with the same block that was fed in. This is the view the CA will see: check that the Common Name is exactly the host name you want in the certificate before sending the request off.
    cscf.cs% openssl req -text < cscf.cs.uwaterloo.ca.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cscf.cs.uwaterloo.ca/emailAddress=username@domainname
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:b6:de:fb:a9:ac:c4:e7:1e:03:2f:c0:40:d5:6c:
                        45:61:12:f8:e0:14:a9:20:e1:0a:81:c4:c8:5a:cf:
                        2e:1f:6f:ac:76:c4:69:a7:c4:ef:de:7f:82:d9:3f:
                        21:7f:45:3d:11:52:34:dc:40:a0:20:2f:26:9f:58:
                        6a:98:0e:8a:52:af:c5:ee:9e:ac:b4:1b:61:21:7a:
                        a3:0b:d8:46:af:f9:9f:32:19:0e:2f:06:3c:57:45:
                        a4:a3:fb:57:a2:35:7d:d5:49:84:0e:ac:cf:1d:d4:
                        0f:a6:99:b6:58:87:23:95:3a:63:24:4e:bb:50:22:
                        13:eb:89:3b:fd:8f:43:1d:94:1b:74:5d:53:67:e5:
                        ba:6d:db:d7:27:48:fe:21:cf:9d:59:87:5c:50:99:
                        5d:f6:4d:3c:72:0c:4f:e9:6a:2d:5c:4b:39:88:5e:
                        eb:f5:a3:2c:df:89:88:58:78:42:5c:19:aa:12:2c:
                        d6:4a:92:fd:28:a9:d2:64:3d:ba:bb:b6:5c:c6:71:
                        65:dd:6c:70:c9:58:f7:d8:e3:7f:25:44:5d:9b:25:
                        62:f7:a2:88:dd:46:36:4f:40:03:0a:6a:78:72:26:
                        99:f4:e2:5b:cd:8d:30:92:d6:4a:1f:11:2d:48:0f:
                        31:c1:1c:2c:d8:1f:c7:77:18:62:ca:53:f5:f0:a8:
                        df:3b
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            02:d9:30:8a:95:ad:90:7d:de:85:59:da:de:d5:83:b1:e4:e4:
            9c:d8:3f:30:1f:11:65:6a:7e:99:fa:f0:bd:dd:cf:df:44:92:
            b8:c3:4b:d7:9f:b3:fd:3b:28:e7:e7:ae:c5:71:41:fc:05:30:
            ba:a8:01:e0:b9:c7:3d:6f:44:3d:68:e8:c5:d6:94:e1:d5:8d:
            29:23:60:26:62:04:44:c4:e0:58:5a:70:08:ec:fc:07:29:77:
            f7:7e:b4:9d:be:e9:74:15:81:82:fc:ab:7a:2c:e4:f2:5e:03:
            b2:32:68:bf:ec:e2:f7:64:af:c8:a1:ea:8e:97:f4:a7:7c:e9:
            61:3e:88:7e:9f:80:ae:ec:f0:f7:05:fc:de:ff:c3:29:f2:4f:
            88:dc:57:71:5f:9a:5c:4c:c1:92:c0:94:12:5d:d1:18:81:ab:
            c5:fb:c7:7f:ee:61:3d:3d:ac:75:26:f5:29:28:77:90:e3:65:
            51:0d:0a:63:23:40:22:f2:4e:e0:ee:88:6b:43:97:69:fb:57:
            3e:2b:7f:56:84:b5:8f:b9:a5:a5:de:16:75:35:ef:a9:ea:ea:
            f7:04:67:e9:fb:7f:50:08:a2:6a:b9:21:4f:55:8b:c2:78:88:
            13:c4:cf:fc:d2:5b:df:9d:57:b0:38:27:08:0b:d2:f7:75:ba:
            59:79:f1:f5
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
    DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
    bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
    H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
    b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
    +Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
    lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
    GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
    Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
    9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
    uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
    COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
    ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
    UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
    T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
    -----END CERTIFICATE REQUEST-----
I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.
I have shown the inclusion of an email address. In fact, GlobalSign does not include the email address in the certificates it issues (which actually helps at renewal time), so putting an email address into the CSR is redundant. (When you submit the CSR in the next step you are required to enter an email address; presumably that is the one GlobalSign actually uses.) Bear in mind that a CSR is not encrypted: whatever is typed at the prompts is encoded into the base64 body, and openssl req -text reads it straight back out, so the symbolic username@domainname above is only a substitution in the transcript, not in the request itself.
Furthermore, I have obfuscated the email address by representing it symbolically. The address you should use now is recorded on CFPrivate.EMailAddressCscfCerts (access restricted).
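The same procedure done non-interactively, followed by the checks worth running before a CSR leaves the machine, as an added example that is not part of the original page. It reuses the page's sample host name and DN values; the file names, the scratch directory, and the use of -subj (to skip the prompts) and -sha256 are assumptions. Old openssl builds sign the request with SHA-1 by default, as the sha1WithRSAEncryption line in the output above shows; -sha256 avoids that. No email address is put into the subject, since the CA ignores it anyway.

```shell
#!/bin/sh
# Added example, not code from the original page. Generates a throwaway key and
# CSR for the page's sample host and checks the CSR before it would be sent.
set -eu

HOST=cscf.cs.uwaterloo.ca
# Same DN as the page's prompts, minus the (ignored) email address.
SUBJ="/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=$HOST"

# Create $1/new2048.key with mode 0600 (umask 077) and a SHA-256-signed CSR
# $1/$HOST.csr. File names are assumptions for this example.
make_csr() {
    dir=$1
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/new2048.key" 2>/dev/null )
    openssl req -new -sha256 -key "$dir/new2048.key" -subj "$SUBJ" \
        -out "$dir/$HOST.csr"
}

# Pre-submission checks; returns 0 only if all pass:
#  1. the CSR's self-signature verifies (file not corrupted or tampered);
#  2. the public key in the CSR belongs to the private key the server will
#     actually use (catches signing with a stale or wrong key);
#  3. the Common Name is the host name you expect.
check_csr() {
    key=$1 csr=$2 expected_cn=$3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || return 1
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | grep -qF -- "CN=$expected_cn" || return 1
    return 0
}

# Print the digest algorithm the CSR was signed with, e.g.
# sha256WithRSAEncryption (the page's old build shows sha1WithRSAEncryption).
csr_sigalg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_csr "$tmp"
    if check_csr "$tmp/new2048.key" "$tmp/$HOST.csr" "$HOST"; then
        echo "CSR OK, signed with $(csr_sigalg "$tmp/$HOST.csr")"
    else
        echo "CSR check failed"
    fi
    # A CSR checked against some other key must fail the key-match test.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$tmp/other.key" 2>/dev/null )
    if check_csr "$tmp/other.key" "$tmp/$HOST.csr" "$HOST"; then
        echo "unexpected: CSR matched the wrong key"
    else
        echo "key mismatch detected, as expected"
    fi
}

main "$@"
```

The key comparison is the check that matters most in practice: renewals are routinely botched by generating a CSR from one key and deploying the issued certificate next to another, which only shows up as a TLS handshake failure after the certificate is installed.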
If you want a certificate which can be used for several different names, such as virtual hosts on a web server, you will want to see Generate a CSR with Alternative Names.
-- AdrianPepper - 10 May 2011