Generate certificate signing requests using OpenSSL

If you ask a CA to sign certificates for you on a regular basis (i.e. certificates that expire after 1 or 2 years), it is very useful to automate the creation of the CSR and the private key with a configuration file.

Start by defining the root for the filenames:

FN=com.host.my
vim $FN.cnf

Now save the following information in the configuration file:

[ req ]
default_bits = 2048
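# SHA-1 is deprecated for signatures; sign the request with SHA-256
default_md = sha256
# the private key is written unencrypted, so restrict access to the .key file
encrypt_key = no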
prompt = no
distinguished_name = dn

[ dn ]
C = GB
ST = My State or Province
L = My Locality
O = My Organization
OU = My Organization Unit
CN = my.host.com
emailAddress = admin@my.host.com

Next, to generate a new key and certificate signing request:

openssl req -new -config $FN.cnf -keyout $FN.key -out $FN.csr

Or, to create a certificate signing request for an existing key:

openssl req -new -config $FN.cnf -key $FN.key -out $FN.csr

(Optional) To inspect the contents of the certificate signing request, or to verify that its signature matches the key:

openssl req -in $FN.csr -noout -text
openssl req -verify -in $FN.csr -key $FN.key -noout
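
The steps above combined into two shell functions, as an added example that is not part of the original post. The names make_csr and check_csr are hypothetical, the DN is shortened, and SHA-256 is assumed as the request digest. check_csr also confirms that the public key inside the CSR is the one belonging to the key file.

```sh
#!/bin/sh
# Added example; make_csr and check_csr are hypothetical helper names.
# Usage: make_csr com.host.my my.host.com && check_csr com.host.my

# make_csr FN CN: write FN.cnf, then create FN.key and FN.csr from it.
make_csr() {
    fn=$1 cn=$2
    cat > "$fn.cnf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
encrypt_key = no
prompt = no
distinguished_name = dn

[ dn ]
C = GB
O = My Organization
CN = $cn
EOF
    # encrypt_key = no leaves the private key in the clear on disk, so
    # create it under a umask that gives access to the owner only.
    ( umask 077 && openssl req -new -config "$fn.cnf" \
        -keyout "$fn.key" -out "$fn.csr" )
}

# check_csr FN: succeed only if FN.csr is correctly self-signed and
# carries the public key that belongs to FN.key.
check_csr() {
    fn=$1
    # Match on the message text: older OpenSSL releases exit 0 even
    # when the signature check fails.
    openssl req -in "$fn.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$fn.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$fn.key" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}
```

Run check_csr before submitting a renewal, so that a CSR built from the wrong or a stale key file is caught before the CA issues a certificate you cannot use.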
