pki // generate a csr the right way

sslhappy-csr | sslhappy-csr-quick

the full-blown process

config preparation

handy variable for the filenames to be read and written

short=... 

prepare the openssl config per cert

vi $short.cnf

[req]
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
prompt              = no

[req_distinguished_name]
C             = RU
emailAddress  = EMAIL_HERE
L             = CITY_HERE
O             = ORG_HERE
OU            = ORG_BRANCH_HERE
CN            = PRIMARY_FQDN_HERE

[req_ext]
subjectAltName    = @alt_names
basicConstraints  = CA:FALSE
keyUsage          = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage  = critical, serverAuth

[alt_names]
DNS.1 = PRIMARY_FQDN_HERE
DNS.2 = ...ANOTHER_FQDN...

here's a handy loop in case you need to load plenty of FQDNs into the SAN (one FQDN per line in a file called domains)

n=1
while IFS= read -r domain; do              # one FQDN per line in ./domains
    printf 'DNS.%d = %s\n' "$n" "$domain"  # read keeps a wildcard like *.example.com literal, unlike an unquoted `cat`
    n=$((n + 1))
done < domains

privkey generation

RSA

openssl genrsa -out $short.key 2048

recommended key sizes

# non-CA -- 2048
# CA     -- 4096

ECC

openssl ecparam -list_curves | grep prime256v1
openssl ecparam -list_curves | grep secp384r1
openssl ecparam -list_curves | grep secp521r1

openssl ecparam -name prime256v1 -genkey -noout -out $short.key
openssl ecparam -name secp384r1 -genkey -noout -out $short.key
openssl ecparam -name secp521r1 -genkey -noout -out $short.key

fix the perms

chmod 400 $short.key

no need for a passphrase for client and server certs – consider using it for an offline CA

# -aes256

csr generation

and finally generate the csr with the existing key

openssl req -new -out $short.csr -config $short.cnf -key $short.key -noenc -sha256

ready to go

check

openssl req -in $short.csr -noout -text

# -verify
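the whole thing as one script (an added example, not from this page): gen_cnf builds the per-cert .cnf from a list of FQDNs (first one becomes the CN, all of them go into the SAN), make_csr runs the key and csr steps and then checks that the csr self-signature verifies and that the csr's public key really belongs to the .key on disk. it assumes the short name and the FQDNs are passed as arguments; the DN fields stay placeholders.

```shell
#!/bin/sh
# Added example, not from the page. gen_cnf prints the req config from the page
# with the first FQDN as CN and every FQDN as a DNS SAN; make_csr runs the key/csr
# steps and checks signature + key/csr match.
# Assumed: make_csr SHORT FQDN...; DN fields below are placeholders to fill in.

gen_cnf() {
    cat <<EOF
[req]
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
prompt              = no

[req_distinguished_name]
C             = RU
emailAddress  = EMAIL_HERE
L             = CITY_HERE
O             = ORG_HERE
OU            = ORG_BRANCH_HERE
CN            = $1

[req_ext]
subjectAltName    = @alt_names
basicConstraints  = CA:FALSE
keyUsage          = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage  = critical, serverAuth

[alt_names]
EOF
    n=1
    for domain in "$@"; do   # quoted: a wildcard such as *.example.test is not globbed
        printf 'DNS.%d = %s\n' "$n" "$domain"
        n=$((n + 1))
    done
}

make_csr() {
    short=$1; shift
    gen_cnf "$@" > "$short.cnf" || return 1
    rm -f "$short.key"       # a leftover 400-mode key from an earlier run would block the overwrite
    openssl ecparam -name prime256v1 -genkey -noout -out "$short.key" || return 1
    chmod 400 "$short.key"
    openssl req -new -out "$short.csr" -config "$short.cnf" -key "$short.key" -sha256 || return 1
    # the self-signature must verify, and the public key inside the csr must match $short.key
    openssl req -in "$short.csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$short.key" -pubout)" = "$(openssl req -in "$short.csr" -noout -pubkey)" ]
}
```

usage: make_csr $short PRIMARY_FQDN ANOTHER_FQDN ...; it returns non-zero if any step or either check fails, so it is safe to chain with && before handing the csr to the CA.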

resources

chain ordering

https://web.archive.org/web/20191211034526/https://www.digicert.com/ssl-support/pem-ssl-creation.htm

cnf examples with san

https://www.golinuxcloud.com/openssl-subject-alternative-name/

ecc

https://docs.openssl.org/master/man1/openssl-ecparam/

ecc browser support

https://web.archive.org/web/20221229014924/https://www.herongyang.com/EC-Cryptography/Curve-Supported-by-OpenSSL.html

https://security.stackexchange.com/questions/31772/what-elliptic-curves-are-supported-by-browsers

passphrase

https://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase

https://superuser.com/questions/407908/why-openssl-insist-on-requiring-a-passphrase-on-genrsa-command

Licensed as MIT