Digital certificates underpin most of what we call security in the digital world; it is hard to imagine a secure system without them. A digital certificate can be issued to a user, a computer, an application, a server, a service, and even to an RF access card. Most of you have seen SSL/TLS certificates while using the web: they are the most common kind of digital certificate, and they secure the communication between your web browser and a web server (website). Digital certificates are not only used to secure communication over the network; they also prove the identity of the entity they are issued to. Digital certificates are not eternal. They expire after a fixed validity period, and the certificate must be renewed before then to keep the service working. The renewal process begins with generating a Certificate Signing Request (CSR) and submitting it to a Certificate Authority (CA), which issues the new certificate. We have shown how to create a custom CSR on a Windows server in a separate post. In this post we cover how to create a certificate signing request on a Linux server.
OpenSSL makes the process very simple; all we need is OpenSSL on the Linux machine. We used Ubuntu Desktop 20.04 LTS for the demonstration, but the procedure is the same on other Linux distributions and on Windows: you can follow this process to create a CSR on Windows as well if you have OpenSSL installed on your Windows machine.
What Is OpenSSL?
“OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.” By OpenSSL
We can use OpenSSL for many practical tasks. We can generate cryptographic keys (private/public key pairs), we can run a small Certificate Authority (CA) with it that issues certificates against submitted CSRs, and we can create self-signed certificates or certificates for other purposes, such as code signing.
What Is a Certificate Signing Request?
A Certificate Signing Request is a PKCS#10 structure that is normally stored base64-encoded (PEM). It carries most of the details needed to generate an X.509 certificate: the subject fields listed below, the requester's public key, and a signature made with the matching private key, which proves to the CA that the requester holds that key. Anyone who wants a new certificate, or wants to renew an expiring one, for an application, server, or service creates a CSR on the server by supplying that information, and then submits the CSR to the Certificate Authority, which signs and issues the certificate.
|Field|Description|
|---|---|
|Common Name (CN)|The Fully Qualified Domain Name (FQDN), e.g. www.example.com or mail.example.com; a wildcard such as *.example.com covers one level of subdomains. Public CAs and modern browsers require the hostname to also appear in the Subject Alternative Name extension; the CN alone is no longer matched.|
|Organization (O)|The legal name of your organization. Do not abbreviate, and include any suffixes such as Inc., Corp., or LLC.|
|Organizational Unit (OU)|The division of your organization handling the certificate.|
|City/Locality (L)|The city where your organization is located. Do not abbreviate.|
|State/County/Region (ST)|The state/region where your organization is located. Do not abbreviate.|
|Country (C)|The two-letter ISO code for the country where your organization is located.|
|Email Address|An email address used to contact your organization (optional; public CAs normally leave it out of the issued certificate).|
Table 1: CSR content
Prerequisites to Create a Certificate Signing Request on a Linux Server:
There are almost no prerequisites. All you need is OpenSSL installed on the server, and it is part of the default installation of most Linux distributions.
The procedure shown here creates a custom CSR that can be used to request any type of digital certificate. Let's look at the steps to create a Certificate Signing Request on a Linux server.
How to create a Certificate Signing Request on a Linux Server using OpenSSL?
- Verify the installation of OpenSSL on your Linux server: OpenSSL is in the default package set of most Linux distributions. Verify the installation and version with this command.
$ openssl version -a
- Install OpenSSL on the Linux server: It is simple to install OpenSSL on any platform. Here are the commands for three popular Linux distributions. We skip this step in our demo because OpenSSL is already present on our Ubuntu machine.
$ sudo apt install openssl [On Debian/Ubuntu]
$ sudo yum install openssl [On CentOS/RHEL]
$ sudo dnf install openssl [On Fedora]
- Create a Certificate Signing Request using OpenSSL: A private key is mandatory for creating a CSR; the CSR is signed with it and carries the matching public key. The command below generates the private key and the CSR in one go. Use it to create a CSR for the example.com domain.
$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
Let's break down the command to understand it.
openssl req: The OpenSSL subcommand that creates and processes PKCS#10 certificate requests.
-new: Generate a new request, prompting for the subject details.
-newkey rsa:2048: Generate a new 2048-bit RSA private key along with the request.
-nodes: Do not encrypt the private key with a passphrase. This is not recommended for a key you keep around; we use it here only for the demo. (OpenSSL 3.0 renamed this option -noenc; -nodes still works as an alias.)
-keyout: The file the newly generated private key is written to, example.com.key in our demo. The private key is never placed inside the CSR; only the public key is.
-out: The file the CSR is written to, example.com.csr in our demo.
- Input the required details: Enter the subject details when prompted. The challenge password and optional company name are 'extra' attributes that public CAs ignore; you can leave them blank by pressing Enter. In the demo session below they are filled in only to show the prompts.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) :Bengaluru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TheSecMaster
Organizational Unit Name (eg, section) :IT Security
Common Name (e.g. server FQDN or YOUR name) :example.com
Email Address :firstname.lastname@example.org
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password :12345
An optional company name :TheSecurityMaster
- End of CSR creation process: The command creates two files: (1) example.com.key, the private key, and (2) example.com.csr, the certificate signing request.
Submit the CSR file (or its content) to the Certificate Authority along with the desired certificate template or profile. The CA validates the request, issues the certificate, and hands it back to you for deployment.
- Verify the CSR: Always verify the CSR before submitting it to the CA. If any information is wrong, simply create a fresh CSR; catching the mistake now avoids errors during deployment. This command prints the decoded request, including the subject and the public key, and checks the request's self-signature.
$ openssl req -text -in example.com.csr -noout -verify
- Create a new CSR using the existing private key: The private key is highly confidential and must be kept in a secure place with restrictive file permissions. Anyone who obtains the private key (and its passphrase, if it has one) can impersonate every certificate issued for that key, so a leaked key must be revoked and replaced, never reused. When the key has not been compromised you can reuse it for a renewal instead of generating a new one. Note that -newkey would generate a fresh key and overwrite the existing file; pass the existing key with -key instead.
Command to create a new CSR using the existing private key:
$ openssl req -new -key example.com.key -out mycsr.csr
- View the content of the private key: Use this command to view the private key file. It is a PEM block whose base64 body is the key material itself, so avoid printing it on shared terminals or into logs.
$ cat example.com.key
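The steps above are interactive. The script below is an added example, not code from the original post, that runs the same procedure non-interactively and adds the checks a practitioner does before sending a CSR to a CA: it generates a passphrase-protected key as its own step (so the same key can be reused for a renewal CSR, as described in the last step), builds the CSR with -subj and a Subject Alternative Name via -addext, verifies the self-signature, confirms the public key in the CSR matches the private key, and shows that a tampered copy is rejected. It assumes OpenSSL 1.1.1 or newer in PATH (for -addext); the file names, subject values and the passphrase "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key + CSR
# generation with the pre-submission checks. Assumes OpenSSL >= 1.1.1.
# All names, subject values and the passphrase are constructed for the demo.
set -eu

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/example.com.key"
CSR="$WORKDIR/example.com.csr"
PASS="changeit"        # demo passphrase; in real use read it from a prompt or file
trap 'rm -rf "$WORKDIR"' EXIT

# Step 1: generate the private key as its own step, encrypted with AES-256,
# so the same key can be reused later for a renewal CSR.
gen_key() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"     # the key is only as secret as its file permissions
}

# Sanity-check the key material (openssl prints "RSA key ok" on success).
key_ok() {
  openssl rsa -in "$KEY" -passin "pass:$PASS" -check -noout >/dev/null 2>&1
}

# Step 2: build the CSR from the existing key without prompts.
# -subj supplies the fields from Table 1; -addext adds the SAN extension
# that public CAs and browsers actually match hostnames against.
make_csr() {
  openssl req -new -key "$KEY" -passin "pass:$PASS" \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=TheSecMaster/OU=IT Security/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -out "$CSR"
}

# Check 1: the CSR parses and its self-signature verifies.
verify_csr() {
  openssl req -in "${1:-$CSR}" -noout -verify >/dev/null 2>&1
}

# Check 2: the subject really contains what we supplied (RFC 2253 form,
# printed CN first: "subject=CN=example.com,OU=IT Security,...,C=IN").
csr_subject() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253
}

# Check 3: the SAN list as the CA will see it, e.g.
# "DNS:example.com,DNS:www.example.com".
csr_sans() {
  openssl req -in "$CSR" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# Check 4: the public key inside the CSR matches our private key. A CSR
# built against the wrong key yields a certificate the server can never load.
key_matches_csr() {
  priv_pub=$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout | openssl dgst -sha256)
  csr_pub=$(openssl req -in "$CSR" -noout -pubkey | openssl dgst -sha256)
  [ "$priv_pub" = "$csr_pub" ]
}

# Check 5 (negative): a CSR altered in transit must fail verification.
# Rotating every letter on one base64 line guarantees the DER bytes change.
tamper_rejected() {
  sed '3y/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/BCDEFGHIJKLMNOPQRSTUVWXYZAbcdefghijklmnopqrstuvwxyza/' \
    "$CSR" > "$WORKDIR/tampered.csr"
  if verify_csr "$WORKDIR/tampered.csr"; then
    return 1
  fi
}

gen_key
key_ok
make_csr
verify_csr
echo "CSR self-signature: OK"
echo "Subject: $(csr_subject)"
echo "SANs:    $(csr_sans)"
key_matches_csr
echo "CSR public key matches $KEY"
tamper_rejected
echo "Tampered copy correctly rejected"
```

Run it as `sh csr-demo.sh`; every check aborts the script on failure because of `set -e`, so a silent success means the CSR is ready to submit. To renew later with the same key, call only `make_csr` again against the stored key file.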
That's all. It really is that simple. This is how you create a certificate signing request on a Linux server, and the procedure remains the same on any platform as long as you use OpenSSL to create the CSR.