What is a CA?

CA stands for Certificate Authority: a company or organization that validates the identities of entities (such as websites, email addresses, companies, or individual persons).

What is a CSR?

CSR stands for Certificate Signing Request. If you want to obtain an SSL certificate from a CA, you must generate a Certificate Signing Request. A CSR consists mainly of the public key of a key pair and some additional information. Both of these components are inserted into the certificate when it is signed by the CA.

When you generate a CSR from a private key, you will be prompted to provide information regarding the certificate. This information is known as a Distinguished Name (DN). An important field is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN).

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:

You can also skip the prompts by passing the -subj parameter when generating the CSR.

Generate a Private Key and a CSR

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

The -nodes option specifies that the private key should not be encrypted with a pass phrase.

If you already have a private key, you can use:

openssl req -key domain.key -new -out domain.csr

If you already have a private key as well as an old certificate, you can use:

openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

The -x509toreq option specifies that you are using an X509 certificate to make a CSR.
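
The script below is an added example, not part of the original page: it combines the -subj, -sha256 and -nodes options described above into a prompt-free run, then checks the result before it is sent to a CA (the CSR's self-signature, that its public key belongs to the intended private key, and the CN). The function names and the scratch directory are assumptions made for illustration; the subject values are the sample ones from the prompt listing.

```bash
#!/bin/sh
# Added example: make_csr, csr_self_signed_ok, csr_matches_key and csr_cn are
# illustrative helper names, not openssl features.

# Generate an unencrypted 2048-bit RSA key and a SHA-256-signed CSR, no prompts.
# $1 = output basename, $2 = Common Name (FQDN)
make_csr() {
    ( umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
      openssl req -newkey rsa:2048 -nodes -sha256 \
          -keyout "$1.key" -out "$1.csr" \
          -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/OU=Technology Division/CN=$2" \
          2>/dev/null )
}

# The CSR is signed with its own private key; confirm that signature verifies.
# The message is matched in the output because its stream and wording vary
# between OpenSSL versions.
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds only if the CSR carries the public half of the given private key.
# $1 = private key file, $2 = CSR file
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Print the Common Name stored in the CSR's Distinguished Name.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Demo in a scratch directory (constructed sample, removed afterwards).
tmp=$(mktemp -d)
make_csr "$tmp/domain" examplebrooklyn.com
if csr_self_signed_ok "$tmp/domain.csr" &&
   csr_matches_key "$tmp/domain.key" "$tmp/domain.csr"; then
    echo "CSR OK for CN=$(csr_cn "$tmp/domain.csr")"
fi
rm -rf "$tmp"
```
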