OpenSSL – Tips & Tricks

Generate Certificate Signing Request (CSR)

Let's assume we are creating an SSL certificate for www.techish.com. Create the server configuration file, e.g. ~/myCA/www_techish_com.cnf, with your favorite text editor and add this example content:

#
# www_techish_com.cnf
#

[ req ]
prompt                  = no
distinguished_name      = server_distinguished_name

[ server_distinguished_name ]
commonName              = www.techish.com
stateOrProvinceName     = Melbourne
countryName             = AU
emailAddress            = ishtiaq@techish.com
organizationName        = TECHISH
organizationalUnitName  = Qualityunits

Be sure to change the values under server_distinguished_name, especially the commonName value. The commonName must match the host name (or the CNAME) that clients will use to reach the server. If the commonName does not match the intended host name, client applications connecting to the server will report host / certificate mismatch errors.

Once you've edited the file appropriately, save it and run the following command to set the environment variable OPENSSL_CONF, which makes the openssl tool read its configuration from this alternative location:

export OPENSSL_CONF=~/myCA/www_techish_com.cnf

To obtain a certificate signed by a recognized Certificate Authority (CA), you first generate a CSR and hand it to your service provider (e.g. GoDaddy), who uses it to issue your SSL certificate. The steps are as follows.

Enter the following command to generate the private key, and certificate request:

openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

Verify the signature with this command:

openssl req -in myreq.pem -noout -verify -key mykey.pem

and verify the information with this command:

openssl req -in myreq.pem -noout -text

Paste the content of the certificate request file into the CA's signup form and wait for the certificate.

root@techish.com:~/myCA# cat myreq.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxHzAdBgNVBAMTFnd3dy5jZWxlYmZ1bm9ubGluZS5jb20x
DzANBgNVBAgTBlN1cnJleTELMAkGA1UEBhMCR0IxJzAlBgkqhkiG9w0BCQEWGGFk
bWluQGNlbGViZnVub25saW5lLmNvbTEXMBUGA1UEChMOZVRYIFRvdWNocG9pbnQx
EDAOBgNVBAsTB0dWSUxpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDffPiEgw8kGNq6oIHecXieicmGH5EJkmeNLNpMpdd1xj9e9Hwl4Bq6d4n648QW
YwozLbhYPASwzHgJ0KWjNW7K58nQ/AEJpd+z1zPZzP5/hCsno8d20yqzFT/iXAaU
j1rRElnaHADpfG0GfQ1AIdsDr8qLHuIG5XGT8RzDUItBZkzlwg3RYdUJawqYoPqx
7kqpwvWJQEbYxuLdXIwz/GcU8eMyWMVltr9M8Pv5zLQFVBejKIimv3/hTFK2gmqh
LyeQLNWARht83VKWUcI54zKMGb4gMmNI9lmIQaQU0IB1psLeN0P2vRyIsb9ivfEU
40mKBWQzN3sc0gUOYYDOm5ZhAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEASSYm
rSSJaXZIs85RDA8tmskSVSLRYI042/y7nR7AdZjEfNmIv0TVhk5Ssv7SRZ9f3iUP
wajpeSD23TS+GsFxIQE2yoaYURNSe5hplBYadaEe0816hvA9tGvNW9BIHU85RPrG
gLNLeCyFADl0NS56OUJQNtcmoD1Fy6cBf2CHacTsLEcXJ4ZcTcN3/qoqIn9kgIQg
oko7lPR5C2VwTGcoyuYFbc22OqWjc9PNob/X/z9IA71UKw/z5y+kvU7BcgALC99d
2Nej4wLTbb50lIZvNHuPbgwYtkbHgCUUXPtBgqBUe/g5SfsrmPph0OcJRwhiRlsa
KqAvhBoJ+YucKAb/iw==
-----END CERTIFICATE REQUEST-----
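As an added example (not code from the original post), the following stdlib-only Python script performs the commonName check described above against a CSR file, without needing the openssl binary: it unwraps the PEM, walks the DER structure down to the subject Name, lists the subject attributes, and reports whether the commonName matches the host the certificate is meant for. The CSR embedded in the script is the one shown above; the decoded subject shows that this request was actually made out for www.celebfunonline.com, so checking it against www.techish.com exercises the mismatch case the paragraph warns about. The function names and the OID_NAMES table are our own; only the CSR text comes from the page.

```python
import base64
import re

# Attribute-type OIDs used by the page's [ server_distinguished_name ] section.
OID_NAMES = {
    "2.5.4.3": "commonName",
    "2.5.4.6": "countryName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName",
    "2.5.4.11": "organizationalUnitName",
    "1.2.840.113549.1.9.1": "emailAddress",
}

# The CSR printed on the page (constructed nowhere; copied from the post).
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxHzAdBgNVBAMTFnd3dy5jZWxlYmZ1bm9ubGluZS5jb20x
DzANBgNVBAgTBlN1cnJleTELMAkGA1UEBhMCR0IxJzAlBgkqhkiG9w0BCQEWGGFk
bWluQGNlbGViZnVub25saW5lLmNvbTEXMBUGA1UEChMOZVRYIFRvdWNocG9pbnQx
EDAOBgNVBAsTB0dWSUxpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDffPiEgw8kGNq6oIHecXieicmGH5EJkmeNLNpMpdd1xj9e9Hwl4Bq6d4n648QW
YwozLbhYPASwzHgJ0KWjNW7K58nQ/AEJpd+z1zPZzP5/hCsno8d20yqzFT/iXAaU
j1rRElnaHADpfG0GfQ1AIdsDr8qLHuIG5XGT8RzDUItBZkzlwg3RYdUJawqYoPqx
7kqpwvWJQEbYxuLdXIwz/GcU8eMyWMVltr9M8Pv5zLQFVBejKIimv3/hTFK2gmqh
LyeQLNWARht83VKWUcI54zKMGb4gMmNI9lmIQaQU0IB1psLeN0P2vRyIsb9ivfEU
40mKBWQzN3sc0gUOYYDOm5ZhAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEASSYm
rSSJaXZIs85RDA8tmskSVSLRYI042/y7nR7AdZjEfNmIv0TVhk5Ssv7SRZ9f3iUP
wajpeSD23TS+GsFxIQE2yoaYURNSe5hplBYadaEe0816hvA9tGvNW9BIHU85RPrG
gLNLeCyFADl0NS56OUJQNtcmoD1Fy6cBf2CHacTsLEcXJ4ZcTcN3/qoqIn9kgIQg
oko7lPR5C2VwTGcoyuYFbc22OqWjc9PNob/X/z9IA71UKw/z5y+kvU7BcgALC99d
2Nej4wLTbb50lIZvNHuPbgwYtkbHgCUUXPtBgqBUe/g5SfsrmPph0OcJRwhiRlsa
KqAvhBoJ+YucKAb/iw==
-----END CERTIFICATE REQUEST-----
"""


def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER payload into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the CERTIFICATE REQUEST body."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))


def csr_subject(pem):
    """Return the CSR subject as an ordered list of (attribute, value) pairs."""
    der = pem_to_der(pem)
    _, csr, _ = read_tlv(der, 0)           # CertificationRequest SEQUENCE
    _, info, _ = read_tlv(csr, 0)          # certificationRequestInfo SEQUENCE
    tag, version, pos = read_tlv(info, 0)  # version INTEGER, must be 0
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected CSR version")
    tag, name, _ = read_tlv(info, pos)     # subject Name SEQUENCE OF SET
    if tag != 0x30:
        raise ValueError("subject Name is not a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)  # RelativeDistinguishedName SET
        _, atv, _ = read_tlv(rdn, 0)       # AttributeTypeAndValue SEQUENCE
        _, oid, p = read_tlv(atv, 0)       # type OBJECT IDENTIFIER
        _, value, _ = read_tlv(atv, p)     # PrintableString / IA5String / UTF8String
        dotted = decode_oid(oid)
        pairs.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8")))
    return pairs


def check_common_name(pem, expected_host):
    """Return (commonName, matches) for the host the certificate is meant for."""
    cn = dict(csr_subject(pem)).get("commonName", "")
    return cn, cn.lower() == expected_host.lower()


if __name__ == "__main__":
    for attr, val in csr_subject(SAMPLE_CSR):
        print("%-24s %s" % (attr, val))
    cn, ok = check_common_name(SAMPLE_CSR, "www.techish.com")
    print("commonName %r matches www.techish.com: %s" % (cn, ok))
```

The parser deliberately reads only the subject: it does not check the signature, so keep using `openssl req -verify` for that; this script is a scriptable replacement for eyeballing the `-text` output before the CSR is submitted.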

Also, safeguard the key file (mykey.pem), as it will be required to use the certificate you receive from the CA:

cp mykey.pem /etc/ssl/private/www_techish_com.key
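Because the key was generated with -nodes it is stored unencrypted, so the file permissions are all that protects it, and a plain cp inherits whatever mode the key was written with. The following stdlib-only Python function is an added example (not part of the original post) of installing the key the way the cp line above intends: it refuses anything that does not start with a PEM private-key header, creates the destination with owner-only permissions (0600) before any key material is written, and reports whether the result is readable by anyone other than its owner. The function names, the temporary directory and the placeholder key body in demo() are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def key_file_is_private(path):
    """True if path is a regular file with no group or other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def install_private_key(src, dst):
    """Copy a PEM private key to dst with mode 0600; return the resulting mode bits.

    The destination is created with 0600 up front, so no window exists in which
    the key sits on disk with the default umask permissions (typically 0644).
    """
    with open(src, "rb") as f:
        head = f.readline()
    # Accept both "BEGIN PRIVATE KEY" (PKCS#8) and "BEGIN RSA PRIVATE KEY" headers.
    if b"PRIVATE KEY-----" not in head:
        raise ValueError("%s does not start with a PEM private key header" % src)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o600)  # also tightens a dst that already existed with wider bits
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo():
    """Install a constructed placeholder key; return (src_private, dst_private)."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "mykey.pem")
        dst = os.path.join(tmp, "www_techish_com.key")
        with open(src, "wb") as f:
            # Constructed placeholder, not a real key: only the PEM framing matters here.
            f.write(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(src, 0o644)  # what a default umask typically leaves behind
        before = key_file_is_private(src)
        install_private_key(src, dst)
        return before, key_file_is_private(dst)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("source private: %s, installed copy private: %s" % demo())
```

On a real system point dst at /etc/ssl/private/www_techish_com.key as in the cp line above; the directory itself is usually already restricted, but the file mode is what survives if the key is later copied elsewhere.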
