How to create a CSR with OpenSSL

OpenSSL is available on many platforms (for Windows binaries see e.g. http://www.openssl.org/related/binaries.html) and can be used to generate a key pair and a CSR. The most convenient way, in our opinion, is to write a short OpenSSL configuration file and then feed it to the openssl req command (but feel free to use an alternative procedure if you prefer).

Create a text file named myserver.cnf (where myserver is supposed to denote the name/FQDN of your server) with the following content:

# OpenSSL configuration file for creating a CSR for a server certificate
# Adapt at least the FQDN and ORGNAME lines, and then run 
# openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr
# on the command line.

# the fully qualified server (or service) name
FQDN = foo.example.org

# the name of your organization
# (see also https://www.switch.ch/pki/participants/)
ORGNAME = Example University

# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:$FQDN   # , DNS:bar.example.org , DNS:www.foo.example.org

# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = $ORGNAME
CN = $FQDN

[ req_ext ]
subjectAltName = $ALTNAMES

The CN attribute is the only attribute that must always be specified in a CSR for a SWITCHpki server certificate. All other attributes are optional (as far as the CSR is concerned), but some of them will be added automatically to the issued certificate if needed: C (countryName), ST (stateOrProvinceName), L (localityName) and O (organizationName). If desired, an OU (organizationalUnit) attribute can be included in the request.

The CN attribute must be set to the fully qualified domain name of your server - i.e. www.example.com, www.subdomain.example.com or similar. The ALTNAMES line can be used to specify subjectAltName entries if you prefer specifying them this way (otherwise, simply use the text field on the enrollment form).

Then, after having saved the myserver.cnf file, create the key pair and the CSR with the following command(s):

$ touch myserver.key
$ chmod 600 myserver.key
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr

This will create a 2048-bit RSA key pair, store the private key in the file myserver.key and write the CSR to the file myserver.csr. The private key is stored with no passphrase. Changing the permissions to 600 (i.e. -rw-------) restricts access to the (confidential) private key to the owner of the file (on a non-UNIX system, use a directory with restrictive file ACLs or equivalent).

The CSR can then be submitted through the SWITCHpki QuoVadis certificate request form.

To examine your CSR, use the following command (prints subject, public key and requested extensions, if present):

$ openssl req -in myserver.csr -noout -text -nameopt sep_multiline
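As an added example (not part of this page or of SWITCHpki's tooling), the following POSIX shell function writes the myserver.cnf from above into a work directory, runs the same openssl req command, and then checks the result the way you would before submitting it: the CSR's self-signature verifies, the CN and a DNS subjectAltName entry equal the FQDN, the key is 2048 bits, and the private key file is still mode 600. It assumes openssl is on PATH; the FQDN and organisation name are constructed sample values.

```shell
# Added example, not from the SWITCHpki page. Assumes the openssl binary is
# on PATH; FQDN and organisation name are constructed sample values.
set -eu

# Returns 0 if every check passed, otherwise a distinct non-zero code:
# 1 = CSR signature does not verify, 2 = CN differs from the FQDN,
# 3 = FQDN missing from subjectAltName, 4 = key is not 2048-bit,
# 5 = private key file is not mode 600.
make_and_check_csr() {
  fqdn="$1"; orgname="$2"; dir="$3"
  cnf="$dir/myserver.cnf"; key="$dir/myserver.key"; csr="$dir/myserver.csr"
  # the page's config; \$ keeps the OpenSSL variable references literal
  cat > "$cnf" <<EOF
FQDN = $fqdn
ORGNAME = $orgname
ALTNAMES = DNS:\$FQDN
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
  # create the key file owner-only before openssl writes the private key into it
  touch "$key"; chmod 600 "$key"
  openssl req -new -config "$cnf" -keyout "$key" -out "$csr" 2>/dev/null
  # 1. the CSR is self-signed with the new key: a failure means corruption or mismatch
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  # 2. CN must be the server's FQDN (RFC2253 form avoids version-specific spacing)
  openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
    | grep -qF "CN=$fqdn" || return 2
  text=$(openssl req -in "$csr" -noout -text -nameopt sep_multiline)
  # 3. the FQDN must also appear as a DNS entry in the requested subjectAltName
  printf '%s\n' "$text" | grep -qF "DNS:$fqdn" || return 3
  # 4. the public key in the request must be 2048-bit, as default_bits asks
  printf '%s\n' "$text" | grep -qF 'Public-Key: (2048 bit)' || return 4
  # 5. the private key must still be -rw------- after generation
  case "$(ls -l "$key")" in -rw-------*) ;; *) return 5 ;; esac
  return 0
}
```

Call it as `make_and_check_csr foo.example.org "Example University" /path/to/workdir`, then inspect the resulting myserver.csr with the openssl req -text command shown above before submitting it.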