How to create a certificate request with OpenSSL and sign it with a CA


In this knowledge base article we create a Certificate Signing Request (CSR) with OpenSSL and sign it on our CA server. All steps are explained for Windows servers.

Step 1: Download binaries

  • Download the OpenSSL binaries
    • You can get them from the Link. That link also contains Apache software for Windows; you only need OpenSSL from the source I added to the link.
  • Create your openssl.cnf file. I added a sample openssl.cnf file below which you can check. There are some settings you need to change:
    • change "dir" to the folder where you installed openssl.exe
    • change "DNS.1" to your web site's domain name
    • you can also review the other settings, such as key size (bits), password and key type
################################################################
# openssl example configuration file.
# This is mostly used for generation of certificate requests.
################################################################
[ ca ]
default_ca = CA_default # The default ca section
################################################################

[ CA_default ]
# Use forward slashes (or doubled backslashes) in paths: a single backslash
# inside an OpenSSL config value is treated as an escape character.
dir = C:/Seritifika/Openssl/SHA2_Islemler # Where everything is kept

certs = $dir # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir/new_certs # default place for new certs
certificate = $dir/CA/OrbixCA # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/CA/OrbixCA.pk # The private key
RANDFILE = $dir/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # which message digest to use (md5 is broken; use SHA-2)
preserve = no # keep passed DN ordering

# A few different ways of specifying how closely the request should
# conform to the details of the CA

policy = policy_match

# For the CA policy

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # smallest RSA size still acceptable; the batch script below uses rsa:4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = support.casesup.com.tr # change to your web site's domain name

Step 2: Run the batch script

Use the batch script below to create the CSR and the private key file. Change the directory paths to match your installation: both OPENSSL_CONF and the working path "C:\Seritifika\Openssl\SHA2_Islemler" must point to where you placed openssl.exe and openssl.cnf.

The script creates two files, Casesup.pem and Casesup.csr. Casesup.pem is the private key (written unencrypted because of -nodes), so keep it on the server, restrict access to it and never send it to the CA; Casesup.csr is the request you submit. Keep both, since the web site needs the key together with the issued certificate. The script passes -days 730 and signs the request with SHA-2 (-sha256); note that OpenSSL only applies -days to self-signed certificates made with -x509, so for a CSR the validity of the issued certificate is decided by the CA.

When prompted, enter your Country, State, Locality, Organization Name and Common Name (use your web service's domain name as the Common Name).

cd /d C:\Seritifika\Openssl\SHA2_Islemler
set OPENSSL_CONF=C:\Seritifika\Openssl\SHA2_Islemler\openssl.cnf
rem the output folder must exist; openssl does not create it
if not exist created mkdir created
rem -nodes leaves the private key (Casesup.pem) unencrypted: restrict access to that file
rem -days only applies to self-signed (-x509) certificates; the CA sets the validity of the issued certificate
openssl.exe req -new -newkey rsa:4096 -nodes -keyout "C:\Seritifika\Openssl\SHA2_Islemler\created\Casesup.pem" -out "C:\Seritifika\Openssl\SHA2_Islemler\created\Casesup.csr" -days 730 -sha256

Step 3: Sign your request with the Windows CA

Connect to the CA server's web enrollment page with a web browser:

https://<yourserver>/certsrv

Step 4: Send Certificate Request


Step 5: Add the SAN to the request

In the Additional Attributes box of the request form, add your DNS names. For example:

san:dns=casesup.com&dns=support.casesup.com

A Windows CA only applies this attribute when the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on the CA; because that flag lets any requester choose the subject alternative names of an issued certificate, it should only be enabled on a CA where request submission is restricted to trusted administrators.


Step 6: Connect to the CA server and approve the request

Once the request has been approved on the CA, right-click the certificate under Issued Certificates in the Certification Authority console and export it (for example to your desktop). You are now ready to deploy the certificate to your web site. You have three files: the CSR (Casesup.csr), the private key (Casesup.pem, which must stay private) and the signed certificate (CRT). Before deploying, confirm that the public key in the CRT matches Casesup.pem; a certificate issued for a different key cannot be used to serve TLS.
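As an added example (not from the original article), this POSIX shell script runs the checks a practitioner wants around Steps 2 and 6: it builds a CSR from a constructed openssl.cnf with the page's req/v3_req/alt_names sections, verifies the CSR before submission, then has a throwaway local CA stand in for the Windows CA and confirms the issued certificate's public key matches the private key. Assumptions: the openssl CLI is on PATH (the same commands work with openssl.exe on Windows), rsa:2048 is used instead of the article's rsa:4096 to keep key generation quick, and the subject values and file names are constructed.

```shell
#!/bin/sh
# Added example: Step 2 CSR creation, pre-submission checks, post-issuance checks (throwaway CA).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export OPENSSL_CONF="$WORK/openssl.cnf"   # same mechanism as "set OPENSSL_CONF" in the batch file

# Constructed config with the sections the article's file relies on.
cat > "$OPENSSL_CONF" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[ req_distinguished_name ]
C  = TR
O  = Casesup
CN = support.casesup.com.tr
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = support.casesup.com.tr
EOF

# Step 2: -nodes writes Casesup.pem as an UNENCRYPTED private key; it never goes to the CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/Casesup.pem" -out "$WORK/Casesup.csr" 2>/dev/null

# Before submitting: self-signature verifies, SHA-256 was used, expected SAN is present.
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  txt=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  printf '%s\n' "$txt" | grep -q "DNS:$2"
}

# After issuance: the public key in the CRT must equal the one derived from our key file.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Steps 3-6 stand-in: the CA signs the CSR; the CA, not the CSR, sets the validity period.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/Casesup.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 730 -sha256 -extfile "$OPENSSL_CONF" -extensions v3_req \
  -out "$WORK/Casesup.crt" 2>/dev/null
```

Run csr_ok on the real Casesup.csr before submitting it in Step 4, and key_matches_cert on Casesup.pem and the exported CRT after Step 6.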


I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills, and I work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
