How to generate and decode CSR

Create a certificate signing request and use it to generate an SSL certificate. I strongly suggest reading my two earlier blog posts about self-signed SSL certificates and private keys as these contain useful information. I will describe three different ways to generate a certificate signing request.

An interactive way to generate a simple SSL certificate using CSR

Generate private key

$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096

Generate a certificate signing request. You will be asked interactively for each parameter.

$ openssl req -new -sha256 -key example.org.key -out example.org.csr

Verify the signature on the request.

$ openssl req -in example.org.csr -noout -verify
verify OK

Verify the subject line.

$ openssl req -in example.org.csr -noout -subject
subject=/C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org

Generate a self-signed certificate.

$ openssl x509 -req -in example.org.csr -signkey example.org.key -out example.org.crt -days 365

Display certificate information.

$ openssl x509 -in example.org.crt  -noout -serial -subject -issuer -dates
serial=9D797BBD78B3AC55
subject= /C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org
issuer= /C=PL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=example.org/emailAddress=admin@example.org
notBefore=Nov  5 21:17:56 2017 GMT
notAfter=Nov  5 21:17:56 2018 GMT

Non-interactive way to generate simple SSL certificate using CSR

Generate private key

$ openssl genpkey -algorithm RSA -out example.com.key -pkeyopt rsa_keygen_bits:4096

Generate a certificate signing request. You will be asked interactively for each parameter.

$ openssl req -new -sha256 -key example.com.key -out example.com.csr \
     -subj "/C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com/"

Verify the signature on the request.

$ openssl req -in example.com.csr -noout -verify
verify OK

Verify the subject line.

$ openssl req -in example.com.csr -noout -subject
subject=/C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com

Generate a self-signed certificate.

$ openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 365

Display certificate information.

$ openssl x509 -in example.com.crt  -noout -serial -subject -issuer -dates
serial=C00F7945258559D4
subject= /C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com
issuer= /C=PL/ST=pomorskie/O=personal/L=Gdansk/CN=example.com/OU=IT/emailAddress=admin@example.com
notBefore=Nov  5 21:36:58 2017 GMT
notAfter=Nov  5 21:36:58 2018 GMT

An automated way to generate SSL certificate using CSR

Create a certificate configuration.

cat <<EOF | tee example.net.cfg
[ req ]
req_extensions     = req_ext
distinguished_name = req_distinguished_name
prompt             = no

[req_distinguished_name]
commonName=example.net

[req_ext]
subjectAltName   = @alt_names

[alt_names]
DNS.1  = example.net
DNS.2  = *.example.net
DNS.3  = *.devel.example.net
EOF

Generate private key

$ openssl genpkey -algorithm RSA -out example.net.key -pkeyopt rsa_keygen_bits:4096

Generate a certificate signing request. You will be asked interactively for each parameter.

$ openssl req -new -config example.net.cfg -extensions req_ext -sha256 -key example.net.key -out example.net.csr 

Verify the signature on the request.

$ openssl req -in example.net.csr -noout -verify
verify OK

Verify the subject line.

$ openssl req -in example.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:dc:75:fd:41:d5:f9:80:3c:1e:d3:b6:bc:b3:
                    [...]
                    a9:42:a3
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.net, DNS:*.example.net, DNS:*.devel.example.net
    Signature Algorithm: sha256WithRSAEncryption
         04:17:0e:25:bc:43:9d:56:31:a5:36:16:bf:9d:3c:d4:78:81:
         [...]
         eb:52:11:5b:23:5a:00:9f

Generate a self-signed certificate.

$ openssl x509 -req -extfile example.net.cfg -extensions req_ext -in example.net.csr -signkey example.net.key -out example.net.crt -days 365

Display certificate information.

$ openssl x509 -in example.net.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15004733904815655982 (0xd03b85fce9cc0c2e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example.net
        Validity
            Not Before: Nov  5 23:13:22 2017 GMT
            Not After : Nov  5 23:13:22 2018 GMT
        Subject: CN=example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:dc:75:fd:41:d5:f9:80:3c:1e:d3:b6:bc:b3:
                    [...]
                    a9:42:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.net, DNS:*.example.net, DNS:*.devel.example.net
    Signature Algorithm: sha256WithRSAEncryption
         5f:2a:42:8e:d5:b5:a5:c8:22:21:ae:a4:bb:f7:1b:8c:5d:02:
         [...]
         d3:7e:bd:54:9c:61:c4:50

Additional information

• RFC-5280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• RFC-6818 – Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile