Generate Certificate Request using OpenSSL
This article was written using chatGPT.
You must have OpenSSL installed on your machine in order to do this. See instructions for Windows.
To generate a Certificate Signing Request (CSR) using OpenSSL, follow these steps:
Step 1: Open a Terminal or Command Prompt
Open a terminal or command prompt on your server or computer where you want to generate the CSR.
Step 2: Run the OpenSSL Command
Use the openssl req command to generate the CSR. Here's the basic command syntax:
openssl req -new -newkey rsa:<key_size> -nodes -keyout <private_key_file>.key -out <csr_file>.csr
<key_size>: Replace this with the desired key size (e.g., 2048 for a 2048-bit key).
<private_key_file>.key: Choose a filename for your private key.
<csr_file>.csr: Choose a filename for your CSR and provide the path where it will be stored.
Step 3: Enter CSR Information
When you run the OpenSSL command, it will prompt you to enter information about your organization and domain. You will typically be asked for the following details:
Country Name (2 letter code): Enter the two-letter country code (e.g., US for the United States).
State or Province Name (full name): Enter the full name of your state or province.
Locality Name (e.g., city): Enter the name of your city.
Organization Name (e.g., company): Enter your organization's legal name.
Organizational Unit Name (e.g., section): Optionally, enter the name of your department or division within the organization.
Common Name (e.g., your domain): Enter the fully-qualified domain name (FQDN) for which you are requesting the certificate (e.g., www.example.com).
Email Address: Optionally, enter an email address associated with your organization.
A challenge password: Optionally, you can set a password for the CSR, but this is not commonly used.
An optional company name: Optionally, you can enter your company's legally registered name.
Alternatively, use this website to graphically fill out the information in Step 3 and generate the openssl command syntax.
Step 4: Generate the CSR and Private Key
After entering the information, OpenSSL will generate the CSR and private key files in the specified locations.
Step 5: Secure Your Private Key
Keep your private key (`<private_key_file>.key`) secure and do not share it; it is what secures your SSL/TLS communication. Because the command in Step 2 uses `-nodes`, the key file is written unencrypted, so file permissions are all that protects it on disk. Note: OpenSSL will prompt you to create a password for the private key when you export it (for example into a PFX bundle, as shown below).
Step 6: Submit the CSR to a Certificate Authority (CA)
Submit the CSR (`<csr_file>.csr`) to a trusted Certificate Authority provider to obtain your SSL/TLS certificate. The CA will review your request and issue the certificate if the information in the CSR matches your domain and organization details.
That's it! You've generated a CSR using OpenSSL. You can now proceed to purchase an SSL/TLS certificate from a CA and provide them with your CSR for certificate issuance.
Uploading the signed Certificate:
Once the CSR is signed, the provider will send a link or a notification that the certificate is ready. Depending on the provider, the entire certificate path (chain of trust) may be supplied: the root CA, the intermediate signing CA and the certificate itself (see below). Identify the certificate by opening the file. Below is an example of a signed certificate; its certification path shows the intermediate signing CA and the root CA along with the certificate. If the certification path shows only the root and the intermediate signing CA, the file you opened is the intermediate signing CA certificate, not your own certificate.
My personal preference is to bundle the certificate with the private key and upload the bundle to the server or machine needing the certificate.
The following OpenSSL syntax bundles the certificate with the private key:
openssl pkcs12 -export -out <bundle_name>.pfx -inkey <private_key_file>.key -in <certificate_name>.crt -certfile <chain_of_trust>.crt
<bundle_name>: the name of the PFX file that will be generated.
<certificate_name>: the name of the signed certificate [note: give OpenSSL the full path if the file is not in the current directory].
<chain_of_trust>: the name of the intermediate signing CA certificate [note: give OpenSSL the full path if the file is not in the current directory].
OpenSSL will ask you to provide an export password to complete this process. This password will be required when uploading the PFX bundle.
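The following script is an added example, not part of the original article: it runs Steps 2 to 5 non-interactively (the `-subj` option answers the Step 3 prompts), performs the checks worth making before a CSR goes to a CA, and finishes with the PFX bundling command from this section. It assumes an `openssl` binary (1.1.1 or newer, for `-addext`) on PATH and a writable working directory; the domain, organisation, file names and export password are constructed samples, and the "CA-issued" certificate is a self-signed stand-in because no CA takes part here.

```shell
#!/bin/sh
# Added example (not the article's code). Assumes openssl >= 1.1.1 on PATH.
# Sample names below are constructed; replace them with your own.
set -eu
KEY=server.key; CSR=server.csr; CRT=server.crt; PFX=server.pfx
CN=www.example.com

# Steps 2+3 in one call: -subj answers the prompts, -addext adds a Subject
# Alternative Name, which CAs and browsers require alongside the Common Name.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/ST=California/L=San Jose/O=Example Corp/OU=IT/CN=$CN" \
    -addext "subjectAltName=DNS:$CN,DNS:example.com" 2>/dev/null
  chmod 600 "$KEY"   # Step 5: the unencrypted (-nodes) key is owner-readable only
}

# The CSR's self-signature verifies, so the file is intact and unmodified.
csr_is_valid() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 && echo valid || echo invalid
}

# The CSR carries the public half of this key; a CSR paired with the wrong key
# (e.g. from an earlier run) yields a certificate the server cannot use.
csr_matches_key() {
  a=$(openssl req -in "$CSR" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ] && echo match || echo mismatch
}

# The Common Name exactly as the CA will read it from the request.
csr_common_name() {
  openssl req -in "$CSR" -noout -subject -nameopt sep_multiline,lname | sed -n 's/^ *commonName=//p'
}

# Stand-in for the CA (self-signed, so no -certfile chain), then the article's
# pkcs12 export; -passout replaces the interactive password prompt. Prints "ok"
# when the bundle opens with that password, which is the check to run before upload.
bundle_pfx() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CRT" 2>/dev/null
  openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CRT" -passout pass:"$1"
  openssl pkcs12 -in "$PFX" -passin pass:"$1" -noout >/dev/null 2>&1 && echo ok || echo fail
}

gen_csr
echo "csr=$(csr_is_valid) key=$(csr_matches_key) cn=$(csr_common_name) pfx=$(bundle_pfx 'ExportPassw0rd')"
```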