How to create a CSR with OpenSSL

OpenSSL is available on many platforms (for Windows binaries see e.g. http://www.openssl.org/related/binaries.html) and can be used to generate a key pair and a CSR. The most convenient way, in our opinion, is to write a short OpenSSL configuration file and then feed it to the openssl req command (but feel free to use an alternative procedure if you prefer).

Create a text file named myserver.cnf (where myserver is supposed to denote the name/FQDN of your server) with the following content:

--- snip ---
# OpenSSL configuration file for creating a CSR for a server certificate
# Adapt at least the FQDN and ORGNAME lines, and then run 
# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line.

# the fully qualified server (or service) name
FQDN = foo.example.org

# the name of your organization
# (see also https://www.switch.ch/pki/participants.html)
ORGNAME = Example University

# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:$FQDN   # , DNS:bar.example.org , DNS:www.foo.example.org

# --- no modifications required below ---
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
# SHA-256: CAs no longer accept requests signed with SHA-1
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = $ORGNAME
CN = $FQDN

[ req_ext ]
subjectAltName = $ALTNAMES
--- snip ---

The CN attribute is the only attribute which must always be specified in a CSR for a SWITCHpki server certificate. All other attributes are optional (as far as the CSR is concerned), but some of them will automatically be added to the issued certificate, if needed: C (countryName), ST (stateOrProvinceName), L (localityName) and O (organizationName). If desired, an OU (organizationalUnitName) attribute can be included in the request.

The CN attribute must be set to the fully qualified domain name of your server, e.g. www.example.com, www.subdomain.example.com or similar. The ALTNAMES line can be used to specify subjectAltName entries if you prefer specifying them this way (otherwise, simply use the text field on the enrollment form). For backward compatibility, the old multi-CN format used by SCS/GlobalSign continues to be supported, but is considered deprecated.

Then, after having saved the myserver.cnf file, create the key pair and the CSR with the following command(s):

$ umask 0377
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr

This will create a 2048-bit RSA key pair, store the private key in the file myserver.key and write the CSR to the file myserver.csr. Because of encrypt_key = no, the private key is stored without a passphrase; that is why umask is used first: it makes both files owner-readable only (mode 0400) from the moment they are created (on a non-UNIX system, use a directory with restrictive file ACLs or equivalent). Submit only the myserver.csr file; the myserver.key file must never leave the server.

To examine your CSR before submitting it, use the following command (it prints the subject, the public key and the requested extensions, if present):

$ openssl req -in myserver.csr -noout -text -nameopt sep_multiline
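The steps above (write myserver.cnf, run openssl req under a restrictive umask, inspect the result) can be wrapped in one script that also checks the CSR for the mistakes a CA will otherwise reject it for. The following POSIX shell script is an added example written by the editor, not code from the SWITCHpki page or from OpenSSL's documentation: the function names make_csr and check_csr, the OUT_DIR variable, the mode-0400 check and the sample names foo.example.org, Example University, www.foo.example.org and bar.example.org are the editor's own assumptions. The generated configuration file has the same layout as myserver.cnf above.

```shell
#!/bin/sh
# Added example, not part of the SWITCHpki page: build the myserver.cnf
# shown above from parameters, create key pair and CSR, then check the
# CSR before submitting it. Function names, the mode-0400 check and the
# sample names (foo.example.org, Example University) are the editor's own.
set -eu

# make_csr DIR FQDN ORGNAME [ALTNAME ...]
# Writes DIR/myserver.cnf, DIR/myserver.key (mode 0400) and DIR/myserver.csr.
make_csr() {
    dir=$1 fqdn=$2 orgname=$3
    shift 3
    altnames="DNS:$fqdn"                     # the FQDN is always the first SAN
    for n in "$@"; do altnames="$altnames, DNS:$n"; done
    # Same layout as the page's myserver.cnf; \$ keeps OpenSSL's own
    # $FQDN/$ORGNAME/$ALTNAMES references literal, the shell fills the values.
    cat > "$dir/myserver.cnf" <<EOF
FQDN = $fqdn
ORGNAME = $orgname
ALTNAMES = $altnames

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
    # The key is written unencrypted, so restrict it to owner-read before
    # it exists (umask 0377 -> mode 0400), as the page's command sequence does.
    ( umask 0377 && openssl req -new -config "$dir/myserver.cnf" \
          -keyout "$dir/myserver.key" -out "$dir/myserver.csr" 2>/dev/null )
}

# check_csr DIR FQDN ORGNAME [ALTNAME ...]
# Returns 0 only if the CSR in DIR is signed correctly, carries the expected
# subject, SANs, key size and digest, and matches the private key next to it.
check_csr() {
    dir=$1 fqdn=$2 orgname=$3
    shift 3
    csr=$dir/myserver.csr key=$dir/myserver.key

    # 1. Self-signature: a corrupted or hand-edited CSR fails here.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }

    # 2. Human-readable dump (the page's inspection command), leading
    #    whitespace stripped so each subject RDN is a line like "CN=...".
    text=$(openssl req -in "$csr" -noout -text -nameopt sep_multiline \
           | sed 's/^[[:space:]]*//')
    printf '%s\n' "$text" | grep -Fqx "CN=$fqdn" \
        || { echo "CN is not $fqdn"; return 1; }
    printf '%s\n' "$text" | grep -Fqx "O=$orgname" \
        || { echo "O is not $orgname"; return 1; }
    for n in "$fqdn" "$@"; do                # every requested SAN, FQDN included
        printf '%s\n' "$text" | grep -Eq "(^|, )DNS:$n"'(,|$)' \
            || { echo "missing subjectAltName DNS:$n"; return 1; }
    done
    printf '%s\n' "$text" | grep -Fq "Public-Key: (2048 bit)" \
        || { echo "key is not 2048-bit RSA"; return 1; }
    printf '%s\n' "$text" | grep -Fq "Signature Algorithm: sha256WithRSAEncryption" \
        || { echo "CSR is not signed with SHA-256"; return 1; }

    # 3. The public key in the CSR must be the one derived from myserver.key;
    #    a mismatch means the key you will install is not the one being certified.
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ] \
        || { echo "private key does not match the CSR"; return 1; }

    # 4. The unencrypted key must not be group- or world-readable.
    case $(ls -ld "$key") in
        -r--------*) ;;
        *) echo "$key is not mode 0400"; return 1 ;;
    esac
    return 0
}

# Usage: sh make_csr.sh foo.example.org "Example University" www.foo.example.org
# (writes into OUT_DIR, default current directory; submit only myserver.csr)
if [ $# -ge 2 ]; then
    out=${OUT_DIR:-.}
    make_csr "$out" "$@"
    check_csr "$out" "$@" && echo "$out/myserver.csr is ready to submit"
fi
```

check_csr is deliberately strict: it refuses a CSR whose CN or SAN list differs from what was asked for, whose public key is not the one in myserver.key (the classic cause of "certificate and key do not match" errors at installation time), or whose key file has ended up readable by other users. Run it again on the server after copying the files over, since permissions are easily lost in transit.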