When applying for a secure certificate you will need to generate a certificate signing request (CSR). If you are renewing an existing certificate you might want to keep your existing private key, if it’s a new certificate then you will probably need to create a new private key.
If you have previously registered a secure cert and nothing has changed since then, you can even re-use the existing CSR. The most important part of a CSR is the embedded public key, which must correspond to your private key, hence why it only really needs to change if you have changed private key.
What is in a Certificate Signing Request?
A CSR can contain the following information:
- Domain name (or person’s name)
- Address details
- E-mail address
- Public Key
When you send the CSR to a CA (certificate authority), they will use the information embedded within it to create you a full certificate, which has been signed by them. Some CAs will let you change the address information before generating the certificate.
You can decode a CSR with the following command:
openssl req -in old/secure.domain.com.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, ST=Hampshire, L=Aldershot, O=Fubra Ltd,
CN=secure.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c7:2b:e8:ad:c7:2a:da:f7:0f:e5:7d:23:f5:91:
49:a5:1d:ee:df:03:33:af:b5:ad:0b:dd:3e:af:e0:
95:67:b8:39:fb:2b:0e:c4:2b:37:d7:aa:f7:79:f8:
07:23:41:87:e8:72:88:8e:4b:c5:e6:cc:51:7b:9a:
9f:87:db:52:f8:4d:73:b2:79:9a:b9:18:17:fb:f8:
22:05:6b:af:25:81:e3:89:e0:ec:be:d1:19:93:bf:
06:31:20:01:e3:3d:80:7f:1e:c3:9c:89:4f:33:f1:
bd:9a:f6:58:d5:74:51:9a:43:3e:14:f8:ee:8e:8d:
7b:43:da:44:33:13:bd:0d:7f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
50:c7:69:cf:04:53:8b:de:64:dc:ba:e3:ac:3b:93:d1:94:2f:
48:3b:15:27:c7:e5:1a:65:bc:a4:bd:cb:6a:fe:12:a3:b0:14:
13:23:ff:3b:15:68:eb:48:c1:63:64:e0:de:8d:ce:34:93:8f:
41:ef:97:e5:6f:aa:1d:01:db:2e:51:d6:68:8a:d3:f8:f4:70:
87:17:a2:d1:c8:2d:79:61:22:b6:02:bd:31:50:67:e6:7e:fb:
23:49:e3:58:61:2e:6b:4b:77:1e:76:3f:d8:2f:8e:44:6e:9e:
e7:e5:54:f7:a7:90:a7:3c:1e:34:4a:31:22:72:77:fe:bc:7e:
53:ce
Generating a new CSR and a new private key
To create a brand new private key and certificate signing request just run:
openssl req -new -nodes -keyout newprivate.key -out server.csr
Generating a new CSR with an existing private key
If you need to generate a certificate signing request from an existing private key, you can do so with the following command:
openssl req -new -key existingprivate.key -out server.csr
Using an existing CSR with an existing private key
You don’t need to run any new commands, just send your existing CSR to the certificate issuer.