Generating a CSR
To see how this inclusion page fits in with similar ones, perhaps see one of
Generate a Certificate Signing Request (CSR)
In the following I used cscf.cs.uwaterloo.ca as my sample hostname. This perhaps caused some confusion since the hostname was included in the email address we formerly used.
The key part of renewing a certificate is generating a Certificate Signing Request (CSR) to send to the Certificate Authority.
Generation of a Certificate Signing Request requires the ability
to read the private key, and so generally needs to be done as
superuser. (Though it's not technically necessary, as in my example
here.)
The openssl command can be used. Here we generate a request for a certificate for host cscf.cs.uwaterloo.ca.
- BLUE is text you type literally
- RED is text you must modify before typing
cscf.cs% openssl req -new -key ./new2048.key -out cscf.cs.uwaterloo.ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Waterloo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:cscf.cs.uwaterloo.ca
Email Address []:username@domainname
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cscf.cs% cat cscf.cs.uwaterloo.ca.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
cscf.cs%
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components.
For example, you can use the openssl command to give you a more readable (well, detailed) version of the CSR.
cscf.cs% openssl req -text < cscf.cs.uwaterloo.ca.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cscf.cs.uwaterloo.ca/emailAddress=username@domainname
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:b6:de:fb:a9:ac:c4:e7:1e:03:2f:c0:40:d5:6c:
45:61:12:f8:e0:14:a9:20:e1:0a:81:c4:c8:5a:cf:
2e:1f:6f:ac:76:c4:69:a7:c4:ef:de:7f:82:d9:3f:
21:7f:45:3d:11:52:34:dc:40:a0:20:2f:26:9f:58:
6a:98:0e:8a:52:af:c5:ee:9e:ac:b4:1b:61:21:7a:
a3:0b:d8:46:af:f9:9f:32:19:0e:2f:06:3c:57:45:
a4:a3:fb:57:a2:35:7d:d5:49:84:0e:ac:cf:1d:d4:
0f:a6:99:b6:58:87:23:95:3a:63:24:4e:bb:50:22:
13:eb:89:3b:fd:8f:43:1d:94:1b:74:5d:53:67:e5:
ba:6d:db:d7:27:48:fe:21:cf:9d:59:87:5c:50:99:
5d:f6:4d:3c:72:0c:4f:e9:6a:2d:5c:4b:39:88:5e:
eb:f5:a3:2c:df:89:88:58:78:42:5c:19:aa:12:2c:
d6:4a:92:fd:28:a9:d2:64:3d:ba:bb:b6:5c:c6:71:
65:dd:6c:70:c9:58:f7:d8:e3:7f:25:44:5d:9b:25:
62:f7:a2:88:dd:46:36:4f:40:03:0a:6a:78:72:26:
99:f4:e2:5b:cd:8d:30:92:d6:4a:1f:11:2d:48:0f:
31:c1:1c:2c:d8:1f:c7:77:18:62:ca:53:f5:f0:a8:
df:3b
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
02:d9:30:8a:95:ad:90:7d:de:85:59:da:de:d5:83:b1:e4:e4:
9c:d8:3f:30:1f:11:65:6a:7e:99:fa:f0:bd:dd:cf:df:44:92:
b8:c3:4b:d7:9f:b3:fd:3b:28:e7:e7:ae:c5:71:41:fc:05:30:
ba:a8:01:e0:b9:c7:3d:6f:44:3d:68:e8:c5:d6:94:e1:d5:8d:
29:23:60:26:62:04:44:c4:e0:58:5a:70:08:ec:fc:07:29:77:
f7:7e:b4:9d:be:e9:74:15:81:82:fc:ab:7a:2c:e4:f2:5e:03:
b2:32:68:bf:ec:e2:f7:64:af:c8:a1:ea:8e:97:f4:a7:7c:e9:
61:3e:88:7e:9f:80:ae:ec:f0:f7:05:fc:de:ff:c3:29:f2:4f:
88:dc:57:71:5f:9a:5c:4c:c1:92:c0:94:12:5d:d1:18:81:ab:
c5:fb:c7:7f:ee:61:3d:3d:ac:75:26:f5:29:28:77:90:e3:65:
51:0d:0a:63:23:40:22:f2:4e:e0:ee:88:6b:43:97:69:fb:57:
3e:2b:7f:56:84:b5:8f:b9:a5:a5:de:16:75:35:ef:a9:ea:ea:
f7:04:67:e9:fb:7f:50:08:a2:6a:b9:21:4f:55:8b:c2:78:88:
13:c4:cf:fc:d2:5b:df:9d:57:b0:38:27:08:0b:d2:f7:75:ba:
59:79:f1:f5
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
I did the above just as an example. I generated a new key, and
will throw it and the CSR away without using them for anything
in production.
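A non-interactive version of the request above, followed by checks worth running on a CSR before it goes to the Certificate Authority. This is an added example, not part of the original page; the function names and file names are assumptions, and the key is a throwaway created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page. File names are constructed;
# the key is a throwaway created only for this demonstration.

make_csr() {   # $1 = hostname, $2 = output directory
    # Create the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$2/$1.key" 2048 2>/dev/null ) || return 1
    # -subj answers the Distinguished Name prompts; no email address is
    # included, since the page's Notes say the CA leaves it out of the cert.
    openssl req -new -sha256 -key "$2/$1.key" \
        -subj "/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=$1" \
        -out "$2/$1.csr"
}

check_csr() {  # $1 = CSR file, $2 = key file, $3 = expected hostname
    # Self-signature check. Match the message text: some OpenSSL
    # releases exit 0 even when verification fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "self-signature does not verify"; return 1; }
    # The public key in the CSR must be the one belonging to the key file.
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ] \
        || { echo "CSR was not made from this key"; return 1; }
    # Common Name must be the host the certificate is for.
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | grep -qF "CN=$3," \
        || { echo "unexpected Common Name"; return 1; }
    # Signed with SHA-256 rather than the SHA-1 shown in the 2011 output.
    openssl req -in "$1" -noout -text \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "unexpected signature algorithm"; return 1; }
    echo "ok"
}

demo() {       # generate and check in a temporary directory, then clean up
    d=$(mktemp -d) || return 1
    make_csr cscf.cs.uwaterloo.ca "$d" \
        && check_csr "$d/cscf.cs.uwaterloo.ca.csr" \
                     "$d/cscf.cs.uwaterloo.ca.key" cscf.cs.uwaterloo.ca
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```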
Notes
I have shown the inclusion of an email address. In fact,
GlobalSign does not include the email address in the certificates
they generate (that actually helps at renewal time) and so
really including that email address in the CSR is sort of
redundant. (When you submit the CSR in the next step, you
are required to enter an email address; that is presumably the
one GlobalSign will actually use).
Furthermore, I have obfuscated the email address by representing
it symbolically. The address you should use now is
No permission to view CFPrivate.EMailAddressCscfCerts
If you want a certificate which can be used for several different names,
such as virtual hosts on a web server, you will want to see
Generate a CSR with Alternative Names.
--
AdrianPepper - 10 May 2011