Certificate Request

A certificate request (also CSR or certificate signing request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.  For more information on certificate requests, see the Wikipedia article on the subject.

This documentation uses variables written as a $ followed by a keyword and emphasized with red text (e.g. $variable).  Replace these variables with appropriate values.  Suggested default values are shown as a variable followed by an equal sign and a value (e.g. $variable = value).

Create a Certificate Request (CSR)

  1. Change your working directory to /etc/pki/CA
    cd /etc/pki/CA
  2. Create a certificate request good for one year
    openssl req -config openssl.cnf -new -nodes -keyout private/$domain.key -out $domain.csr -days 365
    Country Name: $country
    State or Province Name: $state
    Locality Name: $city
    Organization Name: $company
    Organizational Unit Name: $department = Secure Web Server
    Common Name: $url
    Email Address: $email
    Challenge password: [ENTER]
    Optional company name: [ENTER]
  3. Restrict access to the private key so that only root and apache can read it
    chown root:apache private/$domain.key
    chmod 0440 private/$domain.key

Two files are created upon completion of these instructions.  $domain.key is generated and put into the private folder.  This is a private key file specific to the domain that the certificate request was created for.  $domain.csr is generated and put into the CA folder.  This is a certificate request file and can be used to generate a certificate specific to the domain the certificate request was created for.
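The script below is an added example, not part of the original instructions. It checks private/$domain.key and $domain.csr before the request is signed, which matters because the policy_anything section of the stock openssl.cnf places almost no constraints on the subject a request carries. The function names are illustrative; pubkey_of also accepts crt, so the same comparison can be run against certs/$domain.crt after signing.

```sh
#!/bin/sh
# Added example: pre-signing checks for private/$domain.key and $domain.csr.
# All function names are illustrative, not part of OpenSSL or the original page.

# Print the public key (PEM) held in a private key, a CSR or a certificate.
pubkey_of() {   # usage: pubkey_of key|csr|crt FILE
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key.
same_public_key() {   # usage: same_public_key KIND_A FILE_A KIND_B FILE_B
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the CSR's self-signature verifies, i.e. the requester held
# the private key. Matches the "verify OK" message openssl prints rather than
# relying on the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if "other" has no permissions on the key file (step 3: 0440).
key_not_world_accessible() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Run all checks, then print the subject for review before signing.
check_request() {   # usage: check_request KEY CSR
    csr_signature_ok "$2" || { echo "FAIL: CSR signature" >&2; return 1; }
    same_public_key key "$1" csr "$2" || { echo "FAIL: key/CSR mismatch" >&2; return 1; }
    key_not_world_accessible "$1" || { echo "FAIL: key permissions" >&2; return 1; }
    openssl req -in "$2" -noout -subject
}
```

After sourcing the script in /etc/pki/CA, run check_request private/$domain.key $domain.csr and review the printed subject before signing.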

Sign a Certificate Request (CSR)

  1. Change your working directory to /etc/pki/CA
    cd /etc/pki/CA
  2. Sign a certificate request
    openssl ca -config openssl.cnf -policy policy_anything -out certs/$domain.crt -infiles $domain.csr
    Enter the ca.key password: $password
    Sign the certificate: y
    1 out of 1 certificate requests certified, commit: y
  3. Delete the certificate request
    rm -f $domain.csr

Two files are created upon completion of these instructions.  $domain.crt is created and put into the certs folder.  This is a certificate file specific to the domain that the certificate request was created for.  $cert_number.pem is generated and put into the newcerts folder.  This is an X.509 file containing both the $domain.key and $domain.crt file information.
