Skip to content

Instantly share code, notes, and snippets.

@julien-f
Last active July 8, 2016 22:02
Show Gist options
  • Select an option

  • Save julien-f/725adcbbf9934779eafe to your computer and use it in GitHub Desktop.

Select an option

Save julien-f/725adcbbf9934779eafe to your computer and use it in GitHub Desktop.
CSR generation

CSR generation with OpenSSL

The following command lines avoid specifying parameters as much as possible hoping that your version of OpenSSL will make the best choices for the current time and that it will allow this recipe to stay up-to-date as long as possible.

Private key

Generate a 4096 bits long key using the RSA algorithm.

> openssl genrsa -out key.pem 4096

You may use this command instead if you want to encrypt the key (using the AES 256 bits algorithm with a password prompted for). It is recommended for security but you will have to manually enter the password each time a service using it (e.g. HTTP server) is started.

> openssl genrsa -out key.pem -aes256 4096

Certificate Signing Request

openssl req -new -key key.pem -out csr.pem

If you want to save the configuration, create a file config.ini:

[ req ]

attributes         = req_attributes
default_md         = sha512
distinguished_name = req_distinguished_name
prompt             = no
req_extensions     = req_extensions

[ req_distinguished_name ]

# Country name (2 letter code).
#C = AU

# State or province.
#ST = Some-State

# Locality.
#L = Locality Name (eg, city)

# Organization name.
#O = Internet Widgits Pty Ltd

# Organizational unit name (eg, section).
#OU =

# Common name (e.g. server FQDN or YOUR name).
CN = isonoe.net

# Email address.
#emailAddress = admin@domain.tld

# SET-ex3           = SET extension number 3

[ req_attributes ]

# Ignored by OpenSSL but some CAs might want them.
#challengePassword = A challenge password
#unstructuredName  = An optional company name

[ req_extensions ]

# This is not a CA certificate.
basicConstraints = CA:FALSE

# Add alternative names to the CSR.
subjectAltName = @req_alt_names

[ req_alt_names ]

# Must also contain the CN!
DNS.1 = $req_distinguished_name::CN

DNS.2 = *.isonoe.net

And use the following command:

openssl req -new -config config.ini -key key.pem -out csr.pem

[Optional] Self-signed certificate

openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out cert.pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment