Inguza Technology AB


Create Certificate using OpenSSL

General

This article describes how to generate the information needed to request a certificate for use in server applications such as Apache.

For easier use of the below commands, set the following variables and you can simply cut and paste the commands.

SNAME=some domain name
SREV=some revision information, like year

Key

The following command generates a key and protects it by storing it in the /etc/ssl/private directory, which only privileged users can read.

openssl genrsa -out /etc/ssl/private/$SNAME.key_$SREV 2048

There is no point in generating a key with a pass phrase, since the pass phrase would have to be removed anyway for services to start automatically when the server boots. Requiring someone to start services manually after, for example, a power outage is not a good approach. 2048 bits is used here to reduce the latency during connection establishment (mainly on the client side). 4096 is better from a security point of view, but 2048 is good enough for an EV certificate, so for speed reasons that is what is used here.

CSR

The following command generates the Certificate Signing Request.

openssl req -new -key /etc/ssl/private/$SNAME.key_$SREV -out /etc/ssl/private/$SNAME.csr_$SREV

Enter the appropriate information. If you have a previous CSR, you can display its subject information with this command.

openssl req -in /etc/ssl/private/somecsr.csr_xxx -text -noout | grep Subject

Some certificate issuers have specific requirements on what should be entered. Thawte, for example, does not want you to enter an email address, optional company name or challenge password.

Acquire certificate

Now cut and paste the CSR into the form on the certificate provider's site.

cat /etc/ssl/private/$SNAME.csr_$SREV

Follow the steps of the certificate provider and download the certificate.

IMPORTANT! Also make sure you download the full certificate chain. Without it the client cannot verify the validity of the certificate, unless the certificate was signed directly by a root certificate, which is not very common.
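The whole procedure above, as an added example script that is not from the original article or from Inguza: it generates the key and CSR in a scratch directory, prints the CSR subject, checks that the CSR really belongs to the key, and then shows why the full chain matters by standing in for the certificate provider with a throwaway root and intermediate CA built inline. WORKDIR (replacing /etc/ssl/private), SNAME, SREV, the subject fields and the test CA names are all constructed values; the functions verify_leaf, csr_matches_key and so on are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not the article's own commands). Everything is written to a
# scratch directory so it runs unprivileged; in production use /etc/ssl/private.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # constructed stand-in for /etc/ssl/private
SNAME="${SNAME:-www.example.com}"          # constructed domain name
SREV="${SREV:-2024}"                       # constructed revision tag
KEY="$WORKDIR/$SNAME.key_$SREV"
CSR="$WORKDIR/$SNAME.csr_$SREV"
CRT="$WORKDIR/$SNAME.crt_$SREV"

# Key without a pass phrase, as in the article, but created under umask 077 so
# the file is never readable by other users, not even briefly.
gen_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
    chmod 600 "$KEY"
}

# CSR with the subject given on the command line instead of interactive prompts;
# no email address, optional company name or challenge password (Thawte's rule).
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -subj "/C=SE/O=Example AB/CN=$SNAME"
}

# Print the subject, the same information the article extracts from an old CSR.
csr_subject() { openssl req -in "$CSR" -noout -subject; }

# Confirm the CSR was built from this key by comparing public-key fingerprints.
csr_matches_key() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Stand-in for the certificate provider: a constructed test root signs a test
# intermediate, and the intermediate signs our CSR (a real CA does this step).
issue_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/root.key" \
        -out "$WORKDIR/root.pem" -subj "/CN=Constructed Test Root" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/inter.key" \
        -out "$WORKDIR/inter.csr" -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORKDIR/ca.ext"
    openssl x509 -req -in "$WORKDIR/inter.csr" -CA "$WORKDIR/root.pem" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -extfile "$WORKDIR/ca.ext" \
        -out "$WORKDIR/inter.pem" -days 2 2>/dev/null
    openssl x509 -req -in "$CSR" -CA "$WORKDIR/inter.pem" -CAkey "$WORKDIR/inter.key" \
        -CAcreateserial -out "$CRT" -days 2 2>/dev/null
}

# The client's view: trusting only the root, does the server certificate verify?
# Succeeds only when the intermediate is supplied next to the leaf certificate.
verify_leaf() {   # $1 is "with-chain" or "leaf-only"
    if [ "$1" = "with-chain" ]; then
        openssl verify -CAfile "$WORKDIR/root.pem" -untrusted "$WORKDIR/inter.pem" "$CRT" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORKDIR/root.pem" "$CRT" >/dev/null 2>&1
    fi
}

run_all() { gen_key && gen_csr && csr_matches_key && issue_test_chain; }

run_all
csr_subject
verify_leaf leaf-only  && echo "leaf only: OK" || echo "leaf only: FAILS (intermediate missing)"
verify_leaf with-chain && echo "with chain: OK"
```

Apache serves the chain through SSLCertificateChainFile or by appending the intermediate(s) to the certificate file; the leaf-only failure printed above is exactly what a browser sees when that is forgotten.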

References

Commonly used commands

Thawte instructions

2048 or 4096 key size article