CSR (Certificate Signing Request)

A Certificate Signing Request (CSR) is a block of encoded text that is given to a Certificate Authority (CA) when applying for an SSL certificate. It contains information about the entity requesting the certificate and the public key that will be included in the certificate. The CSR is digitally signed with the applicant's private key.

Generating a CSR

To generate a CSR using OpenSSL, you need a private key. If you don't have one already, you can generate it as part of the CSR creation process.

Step 1: Generate a Private Key

openssl genpkey -algorithm RSA -out private.key -aes256

This command generates a 2048-bit RSA private key encrypted with AES-256.

Step 2: Create a CSR

Using the private key, generate a CSR:

openssl req -new -key private.key -out request.csr

During the process, you will be prompted to enter several details:

• Country Name (2 letter code) [AU]: US

• State or Province Name (full name) [Some-State]: California

• Locality Name (eg, city) []: San Francisco

• Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Corp

• Organizational Unit Name (eg, section) []: IT Department

• Common Name (e.g., server FQDN or YOUR name) []: www.example.com

• Email Address []: admin@example.com

Additional optional fields may include:

• A challenge password []:

• An optional company name []:

Automating CSR Generation with a Configuration File

To streamline CSR generation, you can use an OpenSSL configuration file to predefine the required fields.

Example configuration file (openssl.cnf):

[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = private.key
distinguished_name = req_distinguished_name
prompt             = no
output_password    = secret

[ req_distinguished_name ]
C  = US
ST = California
L  = San Francisco
O  = Example Corp
OU = IT Department
CN = www.example.com
emailAddress = admin@example.com

Generate a CSR using the configuration file:

openssl req -new -key private.key -out request.csr -config openssl.cnf

Viewing and Verifying a CSR

To view the contents of a CSR, use the following command:

openssl req -in request.csr -noout -text

This command displays the CSR details in a human-readable format, allowing you to verify that all information is correct before submitting it to a CA.

Use Cases

Requesting SSL/TLS Certificates: CSRs are used when applying for SSL/TLS certificates from a CA. The CA uses the CSR to create the certificate and verifies the authenticity of the request.

Automating Certificate Requests: Using configuration files and scripts, organizations can automate the CSR generation process, ensuring consistency and reducing manual effort.

Internal Certificate Authorities: Organizations with their own internal CA can use CSRs to issue certificates for internal applications and services.

Conclusion

CSRs are a critical part of the SSL/TLS certificate issuance process. By understanding how to generate, view, and verify CSRs, administrators can ensure they provide the correct information to the CA and streamline the certificate request process. Utilizing configuration files can further simplify and automate CSR creation, making it an efficient process for large-scale deployments.