pki // generate a csr the right way

handy variable for the filename(s) to be written

    short=...

the casual thing

be it for a CA, server or client certificate, it’s the same process for all

full-blown process

rsa

    openssl genrsa -out $short.key 2048
    chmod 400 $short.key
    # non-CA -- 2048
    # CA     -- 4096

ec

    # check that the curve you want is known to the local openssl build
    openssl ecparam -list_curves | grep prime256v1
    openssl ecparam -list_curves | grep secp384r1
    openssl ecparam -list_curves | grep secp521r1

    # pick one
    openssl ecparam -name prime256v1 -genkey -noout -out $short.key
    openssl ecparam -name secp384r1 -genkey -noout -out $short.key
    openssl ecparam -name secp521r1 -genkey -noout -out $short.key

    chmod 400 $short.key

no need for a passphrase for client and server certs – consider one for an offline CA

    # -aes256   (genrsa option: encrypts the key file, prompts for the passphrase)
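As an added example (not part of the original notes), the rsa and ec variants above wrapped in one POSIX sh helper: gen_key picks the right openssl command for the requested key kind, refuses a curve the local build does not list, sets mode 400 and prints the path; key_kind and file_mode read back what was written so the result can be checked. The function names and the key kind labels (rsa2048, rsa4096, the curve names) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original notes: one helper for the key step.
# gen_key <short> <rsa2048|rsa4096|prime256v1|secp384r1|secp521r1>
# writes <short>.key with mode 400 and prints the path.
set -eu

gen_key() {
    short=$1
    kind=$2
    out="$short.key"
    case "$kind" in
        rsa2048) openssl genrsa -out "$out" 2048 2>/dev/null ;;   # non-CA
        rsa4096) openssl genrsa -out "$out" 4096 2>/dev/null ;;   # CA
        prime256v1|secp384r1|secp521r1)
            # the curve must be one this openssl build actually supports
            openssl ecparam -list_curves | grep -q "^ *$kind *:" \
                || { echo "curve $kind not supported by this openssl" >&2; return 1; }
            openssl ecparam -name "$kind" -genkey -noout -out "$out" ;;
        *) echo "unknown key kind: $kind" >&2; return 1 ;;
    esac
    chmod 400 "$out"
    printf '%s\n' "$out"
}

# key_kind <keyfile>: prints the curve name for an ec key, "<n> bit" for an rsa key
key_kind() {
    openssl pkey -in "$1" -noout -text | awk '
        /^ASN1 OID:/ { curve = $3 }
        match($0, /[0-9]+ bit/) { if (bits == "") bits = substr($0, RSTART, RLENGTH) }
        END { if (curve != "") print curve; else print bits }
    '
}

# file_mode <file>: the permission string as ls shows it, e.g. -r--------
file_mode() {
    ls -l "$1" | cut -c1-10
}
```

Run it from a scratch directory: `gen_key srv secp384r1` followed by `key_kind srv.key` should answer `secp384r1`, and `file_mode srv.key` should answer `-r--------`; an unknown kind returns 1 without writing anything.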

and finally generate the csr

    openssl req -new -key $short.key -out $short.csr
    # -sha256   (digest for the csr signature; current openssl defaults to sha256 already)

privkey + csr at once

without -key, openssl req creates an RSA 2048 privkey by default (even when there is no [req] section in openssl.cnf), so better add the -newkey option and state explicitly what you want

    openssl req -keyout $short.key -new -out $short.csr -noenc \
        -newkey ec:<(openssl ecparam -name prime256v1)
    chmod 400 $short.key

    # -newkey rsa:2048
    # -newkey ec:<(openssl ecparam -name prime256v1)
    # -newkey ec:<(openssl ecparam -name secp384r1)

incl. SAN

    vi server_cert.cnf

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no

    [req_distinguished_name]
    C   = RU
    emailAddress = your@email
    L   = Kazan
    O   = COMPANY-NAME
    OU  = from-some-dept
    CN  = some.domain.tld

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = some.domain.tld
    DNS.2 = another.domain.tld

these are optional too, but worth a look; they go into the [req_ext] section (CA profile vs. server/client profile). keep in mind that the signing CA decides which of the requested extensions actually end up in the issued certificate

    # CA
    #basicConstraints = CA:TRUE
    #keyUsage = critical, digitalSignature, cRLSign, keyCertSign   # keyCertSign is a keyUsage bit, not an extendedKeyUsage value

    # server / client
    #basicConstraints = CA:FALSE
    #keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
    #extendedKeyUsage = critical, serverAuth

and proceed with an existing key

    openssl req -new -out $short.csr -config server_cert.cnf \
        -key $short.key

or while generating a key at once

    openssl req -new -out $short.csr -config server_cert.cnf \
        -keyout $short.key -noenc \
        -newkey ec:<(openssl ecparam -name secp384r1)

ready to go

check

    openssl req -in $short.csr -noout -text

    # -verify   (also checks the csr's self-signature, i.e. that the key really matches the request)
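Putting the SAN config, the one-shot key + csr command and the check together, as an added example that is not from the original notes: write_req_cnf builds a server_cert.cnf with any number of DNS SANs, make_csr generates a P-384 key and the CSR in one openssl req call (it writes the curve parameters to a file instead of using bash's <(...) so it runs under plain sh, and spells the no-passphrase option -nodes, which OpenSSL 3 still accepts alongside -noenc), and csr_sans / csr_cn / csr_verify read the CSR back to confirm the SANs, the CN and the self-signature. The subject fields are the placeholders from the config above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds the [req] config with a SAN
# list, creates key + csr in one openssl req call, then reads the csr back.
set -eu

# write_req_cnf <cnf-file> <cn> <dns-name>...   one DNS.n entry per name
write_req_cnf() {
    cnf=$1; cn=$2; shift 2
    {
        printf '[req]\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\n'
        printf 'prompt = no\n\n'
        printf '[req_distinguished_name]\n'
        printf 'C = RU\nL = Kazan\nO = COMPANY-NAME\nOU = from-some-dept\n'   # placeholder values
        printf 'CN = %s\n\n' "$cn"
        printf '[req_ext]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        n=1
        for d in "$@"; do
            printf 'DNS.%d = %s\n' "$n" "$d"
            n=$((n + 1))
        done
    } > "$cnf"
}

# make_csr <short> <cnf-file>   P-384 key + csr in one go, key left unencrypted
make_csr() {
    short=$1; cnf=$2
    # curve parameters via a file: same effect as ec:<(openssl ecparam ...) but plain sh
    openssl ecparam -name secp384r1 -out "$short.ecparam"
    openssl req -new -out "$short.csr" -config "$cnf" \
        -keyout "$short.key" -nodes \
        -newkey "ec:$short.ecparam" 2>/dev/null
    chmod 400 "$short.key"
    rm -f "$short.ecparam"
}

# csr_sans <csr>   prints the DNS SANs the csr carries, space separated
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr -d ' ' | tr ',' ' ' | sed 's/DNS://g'
}

# csr_cn <csr>   prints the CN from the subject
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# csr_verify <csr>   exit 0 only if the csr self-signature checks out (openssl req -verify)
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Typical run: `write_req_cnf server_cert.cnf some.domain.tld some.domain.tld another.domain.tld`, then `make_csr srv server_cert.cnf`; `csr_sans srv.csr` should print both names, `csr_cn srv.csr` the CN, and `csr_verify srv.csr` should return 0.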

resources

https://www.golinuxcloud.com/openssl-subject-alternative-name/

https://www.herongyang.com/EC-Cryptography/Curve-Supported-by-OpenSSL.html

https://docs.openssl.org/master/man1/openssl-ecparam/

passphrase

Is it possible to generate RSA key without pass phrase? https://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase

Why openssl insist on requiring a passphrase on genrsa command? https://superuser.com/questions/407908/why-openssl-insist-on-requiring-a-passphrase-on-genrsa-command

Creating a .pem File for SSL Certificate Installations https://www.digicert.com/ssl-support/pem-ssl-creation.htm

browser support

https://security.stackexchange.com/questions/31772/what-elliptic-curves-are-supported-by-browsers?newreg=30878de9d90d45bf8f2c35b16dc164a4

Licensed under MIT