Sometimes, to have a Certificate Authority (CA) certify our service, we need to generate a Certificate Signing Request (CSR) tied to our private key. The CSR carries information about our product or service and about our company; these fields are called the Distinguished Name. Commercial PKI (Public Key Infrastructure) products can generate these CSRs for us, but almost every Linux system already ships a tool for this very job. It is simple, yet powerful enough to work as a certificate authority system. That tool is OpenSSL.
In this blog post I guide you through the three commands needed to generate an md5-RSA based key and a CSR from it with OpenSSL.
To get a CSR, you first need to build your private key file. This key is entirely yours and must never be shared with a third party.
To generate this RSA private key, enter this command in the terminal:
openssl genrsa 1024 > your_key.key
Here 1024 is the key length in bits. You can also use 2048, 3072 or 4096.
Now rewrite the key in the specific private key format. For this, enter the command:
openssl rsa -in your_key.key -out your_key.key
Now create the CSR based on this key:
openssl req -utf8 -new -key your_key.key -out your_csr.csr
Now keep your private key in a safe location and send the CSR to a CA for signing. If you want to act as your own CA, you can generate the certificate yourself, though this is not recommended: you are not a trusted root CA, and most popular browsers and clients will show security warnings when users use these certificates. The self-signing command is:
openssl x509 -in your_csr.csr -out your_crt.crt -req -signkey your_key.key -days 3650
That's it. Now you can use these three files, your_key.key, your_crt.crt and the root CA certificate (not needed if it is self-signed), to maintain a certified product line, whether for SSL, TLS, digital signatures or HSMs (Hardware Security Modules).
To check that the signed certificate and your private key belong together, use the following command,
a. openssl x509 -noout -text -in your_crt.crt
and look at the Modulus and Exponent section. Now use the following command,
b. openssl rsa -noout -text -in your_key.key
and look at the modulus and public exponent fields.
If the values from the certificate (a) and the private key (b) match, you have successfully completed the certificate generation process. If they do not match, make sure you used the right hashing and encryption algorithm. For example, if the private key was generated using MD5 hashing with RSA, the CA is required to sign it using the same method.
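The whole procedure above as one script, added here as an example (it is not the post's own code): it runs the key, CSR and self-signed certificate steps and replaces the manual Modulus comparison with a scripted check that also catches a key/certificate mismatch. The working directory, file names and the -subj values are assumptions; a modern OpenSSL on PATH is assumed too.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's
# key -> CSR -> self-signed certificate steps and verifies the result.
# Assumptions: openssl (1.1+ or 3.x) is on PATH; the -subj values and
# file names below are placeholders constructed for this example.
set -eu

# Generate the RSA key, CSR and self-signed certificate into directory $1.
# -subj avoids the interactive Distinguished Name prompt of "openssl req".
make_chain() {
    dir=$1
    openssl genrsa -out "$dir/your_key.key" 2048 2>/dev/null
    # Rewrite the key in PEM (the post's "openssl rsa -in ... -out ..." step).
    openssl rsa -in "$dir/your_key.key" -out "$dir/your_key.key" 2>/dev/null
    openssl req -utf8 -new -key "$dir/your_key.key" -out "$dir/your_csr.csr" \
        -subj "/C=XX/O=Example Org/CN=example.test" 2>/dev/null
    # Check the CSR's own signature before (self-)signing it.
    openssl req -verify -noout -in "$dir/your_csr.csr" 2>/dev/null
    openssl x509 -req -in "$dir/your_csr.csr" -signkey "$dir/your_key.key" \
        -days 3650 -out "$dir/your_crt.crt" 2>/dev/null
}

# Print 0 if certificate $1 and private key $2 share the same RSA modulus,
# 1 otherwise. Hashing the "-modulus" output is the scripted form of the
# manual Modulus/Exponent comparison described in the post.
modulus_match() {
    crt=$1; key=$2
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    if [ "$crt_mod" = "$key_mod" ]; then echo 0; else echo 1; fi
}

# Demo (only when DEMO=1 is set): build the files and report the check.
if [ "${DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    make_chain "$work"
    echo "certificate/key modulus match: $(modulus_match "$work/your_crt.crt" "$work/your_key.key") (0 = match)"
    rm -rf "$work"
fi
```

Run it with `DEMO=1 sh script.sh`; a result of 1 means the certificate was signed for a different key than the one you kept.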

Commenting here seems to be quite difficult, brother. See if it can be changed. And will this blog only have hard topics like this?!!
What kind of difficulty? How should it be? I just started, so I haven't looked at the details yet.
Hmm, the intention is to make this a technical blog.
Thanks for the first comment, Bappi.
:)