How to Generate a CSR (Certificate Signing Request) in Linux?
A Certificate Signing Request (CSR) is a block of encrypted text that is given to a Certificate Authority when applying for an SSL certificate. Generating a CSR for Secure Sockets Layer (SSL) is a common task on the various Linux distributions. The CSR is generated on the server and stores information about the organization, domain name, country and city that is to be included in the certificate. The CSR can be used for any website where it is necessary to encrypt communications. To generate an SSL certificate, a CSR has to be generated first. To obtain a self-signed SSL certificate, it is necessary to create a CSR; after generating it, submit it to a certificate authority to acquire an SSL certificate.
There are two kinds of Certificates:
- Self-Signed Certificate: Self-signed certificates are signed with the identity's own private key instead of by a trusted certificate authority. These certificates are valid for one year. A local certificate authority in your environment can help create an SSL certificate that can be used within the organization. They are used for locally deployed applications, FTP servers, etc.
- CA Authorized Certificate: These certificates are issued by a trusted third-party entity that issues digital certificates. They are used on internet-facing servers for data encryption. Their validity depends on the plan taken. Domain validation is required to issue CA certificates.
Generate Certificate Signing Request (CSR):
To generate a CSR on Debian, OpenSSL is needed first. OpenSSL is a tool used to generate private keys, create CSRs, install SSL/TLS certificates and identify certificate information. To use OpenSSL to generate a CSR, the tool must be installed on the Linux system first; to install it, execute the following command:
$ sudo apt install openssl
To verify that OpenSSL is correctly installed on the Linux system and properly configured, execute the following command to view the details about OpenSSL and its version.
$ openssl version -a
Execute the command below to generate the CSR. After it starts, it will ask for some information regarding your domain, organization, country and the city where you reside. It is necessary to provide the legal information as it appears in your documents, because the CA verifies it before issuing the certificate.

| Options | Description |
|---|---|
| -new | New request |
| -newkey rsa:2048 | Creates a 2048-bit RSA key |
| -nodes | The key is not encrypted |
| -keyout | Specifies the file name to write the key to |
| -out | Specifies the file name to write the CSR to |

$ openssl req -new -newkey rsa:2048 -nodes -keyout sample.com.key -out sample.com.csr

| Requested Information | Description |
|---|---|
| Country Name | Two-letter abbreviation for the country you reside in |
| State or Province Name | Full name of the state from where your organization operates |
| Locality Name | Name of the city where the organization operates from |
| Organization Name | Name of the organization. If registered as an individual, enter the name of the person requesting the certificate. |
| Organizational Unit Name | Section or sector in which the organization operates |
| Common Name | The domain name for which you are purchasing an SSL certificate. It should be a Fully Qualified Domain Name. |

$ ls sample.com.csr
The certificate should be kept confidential and not be shared with anyone. To view the contents of the file, use the cat command.
$ cat sample.com.csr
A key file is generated that contains the private key associated with the public key; the private key is written to a separate file. To generate a key for the domain name MYCSR, execute the following command. It generates an RSA key with a length of 2048 bits. The key is stored in a file in PEM format, and the cat command can be used to view its contents.
$ openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
The certificate should be kept confidential and not be shared with anyone. To view the contents of the key file, use the cat command on the file where the key is stored. To copy the contents of the private key file, select and copy the entire content, including “BEGIN RSA PRIVATE KEY” and “END RSA PRIVATE KEY”.
$ cat PRIVATEKEY.key
Verifying CSR File:
After the CSR is created, verify the details provided during its generation before sending it to a CA for signing or before self-signing it.
$ openssl req -text -in MYCSR.csr -noout -verify
Self-Signing Certificate Using Private Key:
Once the CSR is generated, it is provided to a CA such as Verisign or DigiCert to get the certificate signed. For test purposes or internal use cases, there is also the option to self-sign the CSR, in which case the signing is done by yourself rather than by a CA. To self-sign the certificate with your own private key, execute the following OpenSSL command:
$ openssl x509 -in MYCSR.csr -out MYCSR.crt -req -signkey PRIVATEKEY.key -days 365
The Certificate Signing Request is now generated, and a private key for your certificate can also be generated to keep the certificate confidential. In the above command, -days specifies the validity period of the certificate, here 365 days. The output verifies the information provided during the generation of the CSR, after which it asks for the passphrase the user entered while creating the RSA private key; enter the same passphrase here to access the RSA private key that was previously created.
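
The steps above as one non-interactive script (an added example, not part of the original article): it passes the subject with -subj instead of answering the prompts, creates the unencrypted key file readable by its owner only, checks that the CSR verifies and belongs to the private key, and then self-signs it. The domain example.test, the subject fields and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: every name below (example.test, subject fields, function
# names) is constructed for illustration.

# Create a 2048-bit RSA key and CSR for common name $2 in directory $1.
# -nodes leaves the key unencrypted on disk, so umask 077 (in a subshell)
# makes sure the key file is created readable by its owner only.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/$2.key" -out "$1/$2.csr" \
          -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$2" \
          2>/dev/null )
}

# SHA-256 over the PEM public key held in a key, CSR or certificate file.
pubkey_digest() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl dgst -sha256
}

# True only if the CSR's self-signature verifies (openssl prints a
# "verify OK" line) and the CSR carries the public half of key file $2.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(pubkey_digest csr "$1")" = "$(pubkey_digest key "$2")" ]
}

# Self-sign CSR $1 with key $2 into certificate $3, valid for $4 days.
self_sign() {
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days "$4" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work" example.test
make_csr "$work" other.test          # second, unrelated key pair
if csr_matches_key "$work/example.test.csr" "$work/example.test.key"; then
    echo "CSR and private key belong together"
fi
if ! csr_matches_key "$work/example.test.csr" "$work/other.test.key"; then
    echo "CSR does not match the unrelated key"
fi
self_sign "$work/example.test.csr" "$work/example.test.key" \
          "$work/example.test.crt" 365
```

Only the .csr file is meant to leave the server; the .key file is the secret, which is why the script restricts its permissions at creation time.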