In order to get an SSL certificate and key (for use by an httpd server, for example), you must first create a Certificate Signing Request (CSR). The CSR can be sent to a commercial Certificate Authority (CA) which will then return an SSL certificate. Alternatively, you can be your own CA and use the CSR to create a self-signed certificate. Here is a typical openssl command and the resulting interactive session:
> openssl req -new -newkey rsa:2048 -keyout hostkey.pem -nodes -out hostcsr.pem
Generating a 2048 bit RSA private key
........++++++
........++++++
writing new private key to 'hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Urbana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCSA
Organizational Unit Name (eg, section) []:Security Research Division
Common Name (eg, YOUR name) []:Terry Fleury
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
>
First, an explanation of the command line options:
- -new - generate a new CSR
- -newkey rsa:2048 - generate a new RSA private key of length 2048 bits (the number after the colon is the key length in bits, which is why the session above reports "Generating a 2048 bit RSA private key"). If you had previously generated an RSA private key (by using the "openssl genrsa" command, for example) and would like to use it rather than generating a new one, use the -key FILENAME option to read in your existing key. You can also change the length of the key if you want. The minimum should be 1024. Many people like to use 2048 for a more secure key.
- -keyout hostkey.pem - write out the newly generated RSA private key to the file hostkey.pem. You will want to save this file since it is needed when you get the SSL certificate.
- -nodes - an optional parameter meaning do NOT encrypt the private key. This is useful when your web server starts automatically, say at boot time: if your private key is encrypted, you would be required to enter a password every time your web server restarted. You could also omit this option to create an encrypted key and then later remove the encryption from the key.
- -out hostcsr.pem - write out the CSR to the file hostcsr.pem. This is the file you will submit to your commercial SSL provider, or use when creating a self-signed certificate.
Next, an explanation of the interactive session. At each prompt, you will see brackets ([ ]) which may or may not contain text. That text is the default value for that prompt. If you simply hit the <ENTER> key at this point without typing any text, the text in the brackets will be used. If there is text in the brackets that you DON'T want (i.e. you want to erase the text for that prompt), type a period (.) and then hit <ENTER>. Note that you cannot leave all fields empty.
Note: If you are planning on using this CSR to create a self-signed certificate, then at the prompt “Common Name (eg, YOUR name) :”, enter the fully qualified domain name (FQDN) of your web server. This will prevent a “domain name mismatch” error box from appearing when clients connect to your web site.
At the end of the session, you are prompted for 'extra' attributes. I typically leave these blank (i.e. type <ENTER>) as they are ignored by OpenSSL's request signing utilities, but some CAs may want them.
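The following script is an added example and not part of the original page. It runs the same openssl req command non-interactively (the Distinguished Name comes from a small config file instead of the prompts), then performs the checks a practitioner wants before a CSR leaves the machine: the key written by -nodes is really unencrypted, the CSR's own signature verifies, the public key inside the CSR matches hostkey.pem, and the Common Name is the FQDN as the note above requires. It finishes with the "be your own CA" path, a self-signed certificate made from the CSR. The host name www.example.org, the organisation, the file names and the working directory are constructed values; it assumes an openssl binary on PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes `openssl` on PATH.
# HOST, the organisation fields and WORKDIR are constructed values.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="www.example.org"        # constructed FQDN; use your server's real name
KEY="$WORKDIR/hostkey.pem"
CSR="$WORKDIR/hostcsr.pem"
CERT="$WORKDIR/hostcert.pem"

# Request config: "prompt = no" makes openssl take the Distinguished Name from
# the [dn] section instead of asking the questions shown in the session above.
# A subjectAltName equal to the CN is included because browsers validate the
# host name against the SAN extension, not against the Common Name alone.
write_config() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = US
ST = Illinois
L  = Urbana
O  = Example Org
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
}

# Same options as the page's command (-new -newkey rsa:2048 -nodes -keyout
# -out), with the DN supplied by -config rather than typed at the prompts.
make_csr() {
    write_config
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -config "$WORKDIR/csr.cnf" 2>/dev/null
}

# -nodes must have produced a plaintext key. An encrypted key carries an
# "ENCRYPTED" marker in its PEM header and would stall an unattended httpd start.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEY"
}

# A CSR is signed with the new private key; -verify checks that signature and
# catches a truncated or corrupted file before a CA rejects it.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# The public key embedded in the CSR must be the one derived from hostkey.pem,
# otherwise the certificate the CA returns will never work with this key.
csr_matches_key() {
    from_key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$CSR" -pubkey -noout 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# The CN must be the server's FQDN (the page's note), not a person's name.
# The pattern tolerates both "CN = host" and "/CN=host" subject formats.
csr_cn_is_host() {
    openssl req -in "$CSR" -noout -subject | grep -q "CN *= *$HOST"
}

# Self-signed certificate from the CSR. "x509 -req" does not copy the CSR's
# extensions into the certificate by default, so the SAN is given again
# through -extfile; without it the cert would carry no host name extension.
self_sign() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.cnf"
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 \
        -extfile "$WORKDIR/san.cnf" -out "$CERT" 2>/dev/null
}

# Confirm the SAN actually made it into the issued certificate.
cert_has_san() {
    openssl x509 -in "$CERT" -noout -text | grep -q "DNS:$HOST"
}

run_all() {
    make_csr && key_is_unencrypted && csr_signature_ok && csr_matches_key \
        && csr_cn_is_host && self_sign && cert_has_san \
        && echo "key, CSR and self-signed certificate written to $WORKDIR"
}

run_all
```

For a certificate from a commercial CA, stop after csr_cn_is_host and submit hostcsr.pem; hostkey.pem never leaves the machine. The self_sign step replaces the CA, which is why it must re-supply the SAN: a self-signed cert that lacks it still triggers a host name mismatch in current browsers even when the CN is right.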