
OpenSSL is a versatile command line tool that can be used for a large variety of tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS). This cheat sheet style guide provides a quick reference to OpenSSL commands that are useful in common, everyday scenarios. This includes OpenSSL examples for generating private keys, certificate signing requests, and certificate format conversion. It does not cover all of the uses of OpenSSL.

If you are not familiar with certificate signing requests (CSRs), read the first section. Aside from the first section, this guide is in a cheat sheet format: a list of self-contained command line snippets. Jump to any section that is relevant to the task you are trying to complete (Hint: use the Contents menu or your browser’s Find function). Most of the commands are one-liners that have been expanded to multiple lines (using the \ symbol) for clarity.

About Certificate Signing Requests (CSRs)

If you would like to obtain an SSL certificate from a commercial certificate authority (CA), you must generate a certificate signing request (CSR). A CSR consists mainly of the public key of a key pair, and some additional information. Both of these components are inserted into the certificate when it is signed.

Whenever you generate a CSR, you will be prompted to provide information regarding the certificate. This information is known as a Distinguished Name (DN). An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with. It is also possible to skip the interactive prompts when creating a CSR by passing the information via command line or from a file.

The other items in a DN provide additional information about your business or organization. If you are purchasing an SSL certificate from a certificate authority, it is often required that these additional fields, such as “Organization”, accurately reflect your organization’s details.

Here is an example of what the CSR information prompt will look like:

    State or Province Name (full name) : New York
    Organization Name (eg, company) : Example Brooklyn Company
    Organizational Unit Name (eg, section) : Technology Division
    Common Name (e.g.

If you want to non-interactively answer the CSR information prompt, you can do so by adding the -subj option to any OpenSSL commands that request CSR information. Here is an example of the option, using the same information displayed in the code block above:

    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN="

Now that you understand CSRs, feel free to jump around to whichever section of this guide covers your OpenSSL needs.

This section covers OpenSSL commands that are related to generating CSRs (and private keys, if they do not already exist). CSRs can be used to request SSL certificates from a certificate authority.

Keep in mind that you may add the CSR information non-interactively with the -subj option, mentioned in the previous section.

Use this method if you want to use HTTPS (HTTP over TLS) to secure your Apache HTTP or Nginx web server, and you want to use a Certificate Authority (CA) to issue the SSL certificate. The CSR that is generated can be sent to a CA to request the issuance of a CA-signed SSL certificate. If your CA supports SHA-2, add the -sha256 option to sign the CSR with SHA-2.

This command creates a 2048-bit private key (domain.key) and a CSR (domain.csr) from scratch:

    openssl req -newkey rsa:2048 -nodes -keyout domain.key \
        -out domain.csr

Answer the CSR information prompt to complete the process.

The -newkey rsa:2048 option specifies that the key should be 2048-bit, generated using the RSA algorithm. The -nodes option specifies that the private key should not be encrypted with a pass phrase. The -new option, which is not included here but implied, indicates that a CSR is being generated.

Generate a CSR from an Existing Private Key

Use this method if you already have a private key that you would like to use to request a certificate from a CA.

This command creates a new CSR (domain.csr) based on an existing private key (domain.key):

The -key option specifies an existing private key (domain.key) that will be used to generate a new CSR. The -new option indicates that a CSR is being generated.

Generate a CSR from an Existing Certificate and Private Key

Use this method if you want to renew an existing certificate but you or your CA do not have the original CSR for some reason. It basically saves you the trouble of re-entering the CSR information, as it extracts that information from the existing certificate.

This command creates a new CSR (domain.csr) based on an existing certificate (domain.crt) and private key (domain.key):

The -x509toreq option specifies that you are using an X509 certificate to make a CSR.
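The three CSR-generation methods described in this guide, run non-interactively with -subj and followed by a check that each CSR's self-signature verifies and its public key matches the private key. This is an added example, not part of the original guide; the function names, the CN example.test and the self-signed stand-in for domain.crt are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example. The CN and the self-signed stand-in certificate are
# constructed placeholders so the script runs offline.
SUBJ="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=example.test"

# Method 1: new 2048-bit RSA key plus CSR. -nodes leaves the key unencrypted,
# so tighten the umask before the key file is written.
csr_from_scratch() {  # $1 = key to create, $2 = CSR to create
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
          -sha256 -subj "$SUBJ" 2>/dev/null )
}

# Method 2: CSR from an existing private key.
csr_from_key() {      # $1 = existing key, $2 = CSR to create
    openssl req -key "$1" -new -out "$2" -sha256 -subj "$SUBJ"
}

# Method 3: CSR from an existing certificate and its key. The DN is taken
# from the certificate, so no -subj is passed.
csr_from_cert() {     # $1 = certificate, $2 = its key, $3 = CSR to create
    openssl x509 -in "$1" -signkey "$2" -x509toreq -out "$3" 2>/dev/null
}

# A CSR is only worth submitting if its self-signature verifies and its
# public key is the one derived from the private key you will deploy.
csr_matches_key() {   # $1 = CSR, $2 = private key
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# Runs all three methods in a scratch directory; returns 0 if every CSR checks out.
csr_demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      csr_from_scratch domain.key a.csr &&
      csr_from_key domain.key b.csr &&
      # Constructed stand-in for a CA-issued domain.crt (self-signed, 1 day).
      openssl req -x509 -new -key domain.key -days 1 -subj "$SUBJ" \
          -out domain.crt &&
      csr_from_cert domain.crt domain.key c.csr &&
      for f in a b c; do csr_matches_key "$f.csr" domain.key || exit 1; done &&
      [ "$(csr_subject c.csr)" = "$(csr_subject b.csr)" ] )
    rc=$?; rm -rf "$d"; return $rc
}
```

Call `csr_demo` to run the whole sequence; a non-zero return means a CSR failed verification or was paired with the wrong key.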
