Creating a Certificate Signing Request (CSR)
For a recent project we needed a signed certificate for an HTTPS server, and to import into the AWS Certificate Manager. This article is for you if you need to submit a CSR to an administrator or a signing authority (like DigiCert) who will sign your private key with their CA.
First you’ll need to create a private key, and then create your CSR from that, adding the necessary information.
As it turns out, there is a single OpenSSL command that will do all of that. The private key it creates is also suitable for import to the AWS Certificate Manager.
Start with the following information on hand:
- Country Code
- Company Name (no abbreviations)
- Fully Qualified Domain Name (FQDN), e.g. intown.biz, or www.intown.biz. You can only use one FDQN, but you can use a wildcard, e.g. *.intown.biz.
- an administrator email address
Issue the following Command:
openssl req -new -nodes -out intown-biz.key.pem -keyout intown-biz.csr.pem
Generating a 2048 bit RSA private key ..............+++ ...............+++ writing new private key to 'intown-biz.key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Maryland Locality Name (eg, city) :Bethesda Organization Name (eg, company) [Internet Widgits Pty Ltd]:The In Town Company Organizational Unit Name (eg, section) :consulting Common Name (e.g. server FQDN or YOUR name) :intown.biz Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
Note that I skipped the optional parts, including the password.
This command is really doing three things:
- Creating a private key (and calling it intown-biz.key.pem)
- Prompting you for the information you need, for a signing certificate.
- Creating the signing certificate and calling it intown-biz.crt.pem)
Double check your work
Run this command to view the decoded value of your CSR.
openssl req -in intown-biz.crt.pem -noout -text
Submit the CSR
The CSR goes to your administrator, or a signing authority. The cool thing about the CSR is that once it is used to create your public key (or “certificate”), the key pair will be “signed” without having to hand over the actual private key to the signing authority.
Hold on to the private key! That’s the only copy you get. Make sure to follow your company’s policy for managing private keys.
When the signing request is processed, you should receive:
- The public certificate or “certificate body” which you can give out
- An intermediate CA or “Certificate Chain” which helps the server to locate the signing CA.
At this point you’re pretty much done with the CSR. With the pubic cert, private cert and intermediate ca in hand, you’re good to go!
If you’re using the AWS Certificate Manager, simply paste the text of these into the appropriate boxes.