Table of Contents

01. How to Generate a CSR and Private Key in Linux



How to Generate a CSR and Private Key

Distinguish Name

Example Note
Country NameCJP
State or Province Name STokyo
Locality Name LShibuya-ku
Organization Name OExample securities, Inc.
Organizational Unit NameOUSystem Division
Common NameCNwww.example.com
192.168.0.1
test-server-1
Email AddressENULL normally null
A challenge password NULL normally null
An optional company name NULL normally null

Note : Please do not enter an email address, challenge password or an optional company name when generating the CSR.


Generate a CSR and Private Key

Maybe You don't mind SHA1 or SHA2.
If you create a SHA1 CSR, you can buy a SHA2 certificate in CA.

#SHA-2 (SHA-256)
openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key -sha256 -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./OU=IT/CN=example.com"

#sha1
openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key -sha1 -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./OU=IT/CN=example.com"


Change the password of Private Key

# mv privkey.pem privkey.pem.pass
# openssl rsa -in privkey.pem.pass -out privkey.pem


How to Generate a Private Key and Public Key(a self-signed certificate)

# mkdir example.com
# cd example.com
# openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key -sha256 -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./CN=example.com"
# openssl x509 -days 3650 -req -signkey example.com.key -sha256 < example.com.csr > example.com.crt

check
# openssl x509 -text -noout -in example.com.crt

When you import the CSR file into the browser, the certificate error is gone




Verify

Verify your CSR

openssl req -text -in csr.pem

Example

# openssl req -text -in csr.pem  |head
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=EXAMPLE LIMITED, OU=IT, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ab:7f:cb:72:02:31:a6:d8:cb:30:c0:22:aa:aa:
                    9f:63:d7:95:5f:de:eb:41:b8:58:17:91:44:aa:aa:
(abbr)
# openssl req -text -in csr.pem |grep Subject:
        Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=EXAMPLE LIMITED, OU=IT, CN=www.example.com


Verify your Private Key

Check CSR's Modules and Private Key's Modules.

# openssl rsa -text -noout -in key.pem  |head
Private-Key: (2048 bit)
modulus:
    00:ab:7f:cb:72:02:31:a6:d8:cb:30:c0:22:aa:aa:
    9f:63:d7:95:5f:de:eb:41:b8:58:17:91:44:aa:aa:
(abbr)


Verify your Certificate

# openssl x509 -text -noout -in sha1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:4a:82:fe:34:76:9b:c0:78:c0:30:f3:a4:e5:aa:aa:aa
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - G2
        Validity
            Not Before: Jan 22 12:37:05 2015 GMT
            Not After : Dec 29 14:59:59 2015 GMT
        Subject: OU=Domain Control Validated, CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:7f:cb:72:02:31:a6:d8:cb:30:c0:22:aa:aa:
                    9f:63:d7:95:5f:de:eb:41:b8:58:17:91:44:aa:aa:
(abbr)
# cat sha1.crt


Check Hash

# openssl rsa -in key.pem -modulus -noout | openssl md5
# openssl req -in csr.pem -modulus -noout | openssl md5
# openssl x509 -in server.crt -modulus -noout | openssl md5


Check the Server certificate AND the intermediate ca certificate

# openssl verify -CAfile INTERMEDIATE_CA_CRT SERVER_CRT
cert_file:OK
Example
# openssl verify -CAfile intermediate.crt server.crt




Check Certification After Installed

Check Certification

Check “Verify return code: 0 (ok)”

# echo -n |openssl s_client -connect google.com:443 -showcerts
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIHgzCCBmugAwIBAgIIT28RbC47NwgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
(abbr)
    Verify return code: 0 (ok)
---
DONE


Check SSL Certificate Expiration Date, Issuer, SHA1 or SHA2

# openssl s_client -connect aws.amazon.com:443 </dev/null 2>/dev/null|openssl x509 -text|grep -E "Not|Issuer:|sha"
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
            Not Before: Sep 16 00:00:00 2015 GMT
            Not After : Oct 11 23:59:59 2016 GMT
                  User Notice:
    Signature Algorithm: sha256WithRSAEncryption
#


Check your certificate with Web Tools






OpenSSL - How to use OpenSSL from the outside