Paul Maunders | Web log
Economics, Business, Telecoms, Tech and Gadgets

Generating a Certificate Signing Request

September 10th, 2008 by Paul Maunders

When applying for a secure certificate you will need to generate a certificate signing request (CSR). If you are renewing an existing certificate you might want to keep your existing private key; if it’s a new certificate, you will probably need to create a new private key.

If you have previously registered a secure cert and nothing has changed since then, you can even re-use the existing CSR. The most important part of a CSR is the embedded public key, which must correspond to your private key, so the CSR only really needs to change if you have changed your private key.

What is in a Certificate Signing Request?
A CSR can contain the following information:

  • Domain name (or person’s name)
  • Address details
  • E-mail address
  • Public Key

When you send the CSR to a CA (certificate authority), they will use the information embedded within it to create a full certificate for you, signed by them. Some CAs will let you change the address information before generating the certificate.

You can decode a CSR with the following command:

openssl req -in old/secure.domain.com.csr -text -noout
Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=GB, ST=Hampshire, L=Aldershot, O=Fubra Ltd, CN=secure.domain.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:c7:2b:e8:ad:c7:2a:da:f7:0f:e5:7d:23:f5:91:
                   49:a5:1d:ee:df:03:33:af:b5:ad:0b:dd:3e:af:e0:
                   95:67:b8:39:fb:2b:0e:c4:2b:37:d7:aa:f7:79:f8:
                   07:23:41:87:e8:72:88:8e:4b:c5:e6:cc:51:7b:9a:
                   9f:87:db:52:f8:4d:73:b2:79:9a:b9:18:17:fb:f8:
                   22:05:6b:af:25:81:e3:89:e0:ec:be:d1:19:93:bf:
                   06:31:20:01:e3:3d:80:7f:1e:c3:9c:89:4f:33:f1:
                   bd:9a:f6:58:d5:74:51:9a:43:3e:14:f8:ee:8e:8d:
                   7b:43:da:44:33:13:bd:0d:7f
               Exponent: 65537 (0x10001)
       Attributes:
           a0:00
   Signature Algorithm: md5WithRSAEncryption
       50:c7:69:cf:04:53:8b:de:64:dc:ba:e3:ac:3b:93:d1:94:2f:
       48:3b:15:27:c7:e5:1a:65:bc:a4:bd:cb:6a:fe:12:a3:b0:14:
       13:23:ff:3b:15:68:eb:48:c1:63:64:e0:de:8d:ce:34:93:8f:
       41:ef:97:e5:6f:aa:1d:01:db:2e:51:d6:68:8a:d3:f8:f4:70:
       87:17:a2:d1:c8:2d:79:61:22:b6:02:bd:31:50:67:e6:7e:fb:
       23:49:e3:58:61:2e:6b:4b:77:1e:76:3f:d8:2f:8e:44:6e:9e:
       e7:e5:54:f7:a7:90:a7:3c:1e:34:4a:31:22:72:77:fe:bc:7e:
       53:ce

Generating a new CSR and a new private key
To create a brand new private key and certificate signing request just run:

openssl req -new -nodes -keyout newprivate.key -out server.csr

Generating a new CSR with an existing private key

If you need to generate a certificate signing request from an existing private key, you can do so with the following command:

openssl req -new -key existingprivate.key -out server.csr

Using an existing CSR with an existing private key
You don’t need to run any new commands; just send your existing CSR to the certificate issuer.
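
Before re-using an old CSR or key, it is worth confirming that the CSR's embedded public key really belongs to the private key, and that the request does not look like the decoded sample above (1024-bit RSA, md5WithRSAEncryption), which current public CAs reject. The script below is an added example, not part of the original post, covering generation and both checks. The function names, file names, subject and the 2048-bit / SHA-256 choices are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. File names and subject are constructed.

# Create a new key and CSR without prompts, pinning key size and digest rather
# than relying on the defaults in the local openssl.cnf.
new_key_and_csr() {  # usage: new_key_and_csr KEYFILE CSRFILE SUBJECT
    ( umask 077  # the key is written unencrypted (-nodes): keep it owner-only
      openssl req -new -newkey rsa:2048 -sha256 -nodes \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# Succeed only if the CSR's self-signature verifies and its embedded public key
# is the one derived from the private key.
csr_matches_key() {  # usage: csr_matches_key CSRFILE KEYFILE
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Read `openssl req -text -noout` output on stdin; succeed if it shows an RSA
# key under 2048 bits or an MD5/SHA-1 signature.
csr_text_is_weak() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
       [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        return 0
    fi
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: (md5|sha1)'
}

# Demo: generate a pair in a temporary directory, then run both checks on it.
dir=$(mktemp -d)
new_key_and_csr "$dir/new.key" "$dir/new.csr" "/C=GB/O=Example Ltd/CN=secure.example.com"
csr_matches_key "$dir/new.csr" "$dir/new.key" && echo "CSR matches private key"
openssl req -in "$dir/new.csr" -noout -text | csr_text_is_weak ||
    echo "key size and signature digest acceptable"
rm -rf "$dir"
```

If csr_matches_key fails for an old CSR, generate a fresh one from the existing key with the -key command shown earlier rather than sending the mismatched request.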
