Who is CA?
CA stands for Certificate Authority is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, individual person)
What is CSR
CSR stands for Certificate Signing Request
. If you want to obtain a SSL Certificate from a CA, you must generate a Certificate Signing Request. A CSR consists mainly of a public key of a key pair, and some additional information. Both of these components are inserted into the certiticate when it is signed by CA.
When you generate a CSR from private key, you will be prompted to provide information regarding the certificate. This information is known as a Distinguished Name (DN). An important field is Common Name (CN), which should be exact Fully Qualified Domain Name (FQDN
)
---
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:
You can also skip the prompt by parameter -subj
when generate CSR
Generate and Private Key and CSR
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
If your CA supports SHA-2, add the -sha256
option to sign CSR with SHA-2
The -nodes
option specifies that they private key should not be encrypted with a pass phrase
If you already have a private key, you can use:
openssl req -key domain.key -new -out domain.csr
If you already have a private key as well as an old certificate
openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr
The -x509toreq
option specifies that you are using X509 Certificate to make a CSR