(2017-11-23, AdrianPepper)
---+ Generating a CSR
<!--
<pre>
// IncludeCertGenerateCSR
//
// (Aside: TWiki H1 style is not nice)
//
// This page was primarily designed for inclusion where necessary,
// but might work well stand-alone, especially with the careful use of
// the STARTINCLUDE and STOPINCLUDE "variables" which allow a header
// and footer, although not generalized creation of differences in
// included and non-included forms.
//
// Note the line after STARTINCLUDE.
// The CFADRIANGADGETINCLUDE variable renders as a link which
// makes it easy for a reader to get to the inclusion to edit it,
// although the rendered presentation does not seem fully intuitive yet.
// </pre>-->

To see how this inclusion page fits in with similar ones, perhaps see one of
   * CertMaintenanceCollapsed
   * CertificateUpdates

---

<!-- Bah! You don't seem to be able to have multiple STOP/STARTINCLUDE -->
%STARTINCLUDE%
---++ Generate a Certificate Signing Request (CSR)
%CFADRIANGADGETINCLUDE%

%TABLE{tableborder="0" cellpadding="10" databg="#F0E9CB" }%
| \
In the following I used *cscf.cs.uwaterloo.ca* as my sample hostname. \
This perhaps caused some confusion since the hostname was included in \
the email address we formerly used. \
|

The key part of renewing a certificate is generating a =Certificate Signing Request= (=CSR=) to send to the Certificate Authority.

Generation of a Certificate Signing Request requires the ability to read the private key, and so generally needs to be done as superuser. (Though it's not technically necessary, as in my example here).

The =openssl= command can be used. Here we generate a request for a certificate for host =cscf.cs.uwaterloo.ca=.
   * %BLUE% *BLUE* %ENDCOLOR% is text you type literally
   * %RED% *RED* %ENDCOLOR% is text you must modify before typing

<pre>
cscf.cs% %BLUE%openssl req -new -key %ENDCOLOR%%RED%./new2048.key%ENDCOLOR% -out %RED%cscf.cs.uwaterloo.ca.csr%ENDCOLOR%
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:%BLUE%CA%ENDCOLOR%
State or Province Name (full name) [Some-State]:%BLUE%Ontario%ENDCOLOR%
Locality Name (eg, city) []:%BLUE%Waterloo%ENDCOLOR%
Organization Name (eg, company) [Internet Widgits Pty Ltd]:%BLUE%University of Waterloo%ENDCOLOR%
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:%RED%cscf.cs.uwaterloo.ca%ENDCOLOR%
Email Address []:%BLUE%username@domainname%ENDCOLOR%

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cscf.cs% %BLUE%cat %ENDCOLOR%%RED%cscf.cs.uwaterloo.ca.csr%ENDCOLOR%
-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
+Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
-----END CERTIFICATE REQUEST-----
cscf.cs%
</pre>

The =openssl= command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components. For example, you can use the =openssl= command to give you a more readable (well, detailed) version of the CSR.

<pre>
cscf.cs% %BLUE%openssl req -text < %ENDCOLOR%%RED%cscf.cs.uwaterloo.ca.csr%ENDCOLOR%
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=Ontario, L=Waterloo, O=University of Waterloo, CN=cscf.cs.uwaterloo.ca/emailAddress=username@domainname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b6:de:fb:a9:ac:c4:e7:1e:03:2f:c0:40:d5:6c:
                    45:61:12:f8:e0:14:a9:20:e1:0a:81:c4:c8:5a:cf:
                    2e:1f:6f:ac:76:c4:69:a7:c4:ef:de:7f:82:d9:3f:
                    21:7f:45:3d:11:52:34:dc:40:a0:20:2f:26:9f:58:
                    6a:98:0e:8a:52:af:c5:ee:9e:ac:b4:1b:61:21:7a:
                    a3:0b:d8:46:af:f9:9f:32:19:0e:2f:06:3c:57:45:
                    a4:a3:fb:57:a2:35:7d:d5:49:84:0e:ac:cf:1d:d4:
                    0f:a6:99:b6:58:87:23:95:3a:63:24:4e:bb:50:22:
                    13:eb:89:3b:fd:8f:43:1d:94:1b:74:5d:53:67:e5:
                    ba:6d:db:d7:27:48:fe:21:cf:9d:59:87:5c:50:99:
                    5d:f6:4d:3c:72:0c:4f:e9:6a:2d:5c:4b:39:88:5e:
                    eb:f5:a3:2c:df:89:88:58:78:42:5c:19:aa:12:2c:
                    d6:4a:92:fd:28:a9:d2:64:3d:ba:bb:b6:5c:c6:71:
                    65:dd:6c:70:c9:58:f7:d8:e3:7f:25:44:5d:9b:25:
                    62:f7:a2:88:dd:46:36:4f:40:03:0a:6a:78:72:26:
                    99:f4:e2:5b:cd:8d:30:92:d6:4a:1f:11:2d:48:0f:
                    31:c1:1c:2c:d8:1f:c7:77:18:62:ca:53:f5:f0:a8:
                    df:3b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        02:d9:30:8a:95:ad:90:7d:de:85:59:da:de:d5:83:b1:e4:e4:
        9c:d8:3f:30:1f:11:65:6a:7e:99:fa:f0:bd:dd:cf:df:44:92:
        b8:c3:4b:d7:9f:b3:fd:3b:28:e7:e7:ae:c5:71:41:fc:05:30:
        ba:a8:01:e0:b9:c7:3d:6f:44:3d:68:e8:c5:d6:94:e1:d5:8d:
        29:23:60:26:62:04:44:c4:e0:58:5a:70:08:ec:fc:07:29:77:
        f7:7e:b4:9d:be:e9:74:15:81:82:fc:ab:7a:2c:e4:f2:5e:03:
        b2:32:68:bf:ec:e2:f7:64:af:c8:a1:ea:8e:97:f4:a7:7c:e9:
        61:3e:88:7e:9f:80:ae:ec:f0:f7:05:fc:de:ff:c3:29:f2:4f:
        88:dc:57:71:5f:9a:5c:4c:c1:92:c0:94:12:5d:d1:18:81:ab:
        c5:fb:c7:7f:ee:61:3d:3d:ac:75:26:f5:29:28:77:90:e3:65:
        51:0d:0a:63:23:40:22:f2:4e:e0:ee:88:6b:43:97:69:fb:57:
        3e:2b:7f:56:84:b5:8f:b9:a5:a5:de:16:75:35:ef:a9:ea:ea:
        f7:04:67:e9:fb:7f:50:08:a2:6a:b9:21:4f:55:8b:c2:78:88:
        13:c4:cf:fc:d2:5b:df:9d:57:b0:38:27:08:0b:d2:f7:75:ba:
        59:79:f1:f5
-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
DwYDVQQHDAhXYXRlcmxvbzEfMB0GA1UECgwWVW5pdmVyc2l0eSBvZiBXYXRlcmxv
bzEdMBsGA1UEAwwUY3NjZi5jcy51d2F0ZXJsb28uY2ExLjAsBgkqhkiG9w0BCQEW
H2NzY2YtY2VydHNAY3NjZi5jcy51d2F0ZXJsb28uY2EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC23vuprMTnHgMvwEDVbEVhEvjgFKkg4QqBxMhazy4f
b6x2xGmnxO/ef4LZPyF/RT0RUjTcQKAgLyafWGqYDopSr8Xunqy0G2EheqML2Eav
+Z8yGQ4vBjxXRaSj+1eiNX3VSYQOrM8d1A+mmbZYhyOVOmMkTrtQIhPriTv9j0Md
lBt0XVNn5bpt29cnSP4hz51Zh1xQmV32TTxyDE/pai1cSzmIXuv1oyzfiYhYeEJc
GaoSLNZKkv0oqdJkPbq7tlzGcWXdbHDJWPfY438lRF2bJWL3oojdRjZPQAMKanhy
Jpn04lvNjTCS1kofES1IDzHBHCzYH8d3GGLKU/XwqN87AgMBAAGgADANBgkqhkiG
9w0BAQUFAAOCAQEAAtkwipWtkH3ehVna3tWDseTknNg/MB8RZWp+mfrwvd3P30SS
uMNL15+z/Tso5+euxXFB/AUwuqgB4LnHPW9EPWjoxdaU4dWNKSNgJmIERMTgWFpw
COz8Byl39360nb7pdBWBgvyreizk8l4DsjJov+zi92SvyKHqjpf0p3zpYT6Ifp+A
ruzw9wX83v/DKfJPiNxXcV+aXEzBksCUEl3RGIGrxfvHf+5hPT2sdSb1KSh3kONl
UQ0KYyNAIvJO4O6Ia0OXaftXPit/VoS1j7mlpd4WdTXvqerq9wRn6ft/UAiiarkh
T1WLwniIE8TP/NJb351XsDgnCAvS93W6WXnx9Q==
-----END CERTIFICATE REQUEST-----
</pre>

I did the above just as an example. I generated a new key, and will throw it and the CSR away without using them for anything in production.

---+++ Notes

I have shown the inclusion of an email address.
In fact, GlobalSign does not include the email address in the certificates they generate (that actually helps at renewal time) and so really including that email address in the CSR is sort of redundant. (When you submit the CSR in the next step, you are required to enter an email address; that is presumably the one GlobalSign will actually use).

Furthermore, I have obfuscated the email address by representing it symbolically. The address you should use now is
%INCLUDE{"CFPrivate.EMailAddressCscfCerts" INDENT="4"}%
%BR%

If you want a certificate which can be used for several different names, such as virtual hosts on a web server, you will want to see [[IncludeCertGenerateCSRAltNames][Generate a CSR with Alternative Names]].

%STOPINCLUDE%

-- Main.AdrianPepper - 10 May 2011

---

%INCLUDE{CF.IncludeAdrianReferers}%
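
The following is an added example, not part of the original page or of CSCF's own tooling. It builds the same request without the interactive prompts and checks it before it goes to the Certificate Authority: the self-signature verifies, the CSR carries the public key of the intended private key, and the request digest is not SHA-1 (the sample output above shows =sha1WithRSAEncryption=). The function names and file names are assumptions; the DN fields are the ones typed in the session above, without the email address.

```shell
#!/bin/sh
# Added example (not from the original page): build a CSR non-interactively
# and check it before submission. Function and file names are assumptions.

# make_csr KEY HOST OUT: same DN fields as the interactive session,
# with the request digest set explicitly to SHA-256.
make_csr() {
    openssl req -new -sha256 -key "$1" -out "$3" \
        -subj "/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/CN=$2"
}

# Signature algorithm named in the CSR, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# SHA-256 of the DER-encoded public key carried in the CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from the private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_csr CSR KEY: returns 0 only if all three checks pass.
check_csr() {
    # Some openssl versions exit 0 even when -verify fails, so match the text.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify" >&2; return 1; }
    [ "$(csr_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ] ||
        { echo "CSR was not made from this key" >&2; return 1; }
    case "$(csr_sig_alg "$1")" in
        *sha1*|*SHA1*|*md5*|*MD5*|"")
            echo "weak or unknown request digest" >&2; return 1 ;;
    esac
    return 0
}

# Usage: sh check_csr.sh request.csr private.key
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```

The key-match check only reads the private key locally; nothing but the CSR file needs to leave the host.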
Topic revision: r12 - 2017-11-23 - AdrianPepper
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.