Creating a Certificate Signing Request Using OpenSSL

Find out how to quickly create a Certificate Signing Request in Windows using OpenSSL, with minimal software needed.


Creating .key

  1. Download OpenSSL directly with this link to sourceforge.net or from us using this link. You will be downloading version 1.1.1h_win32.
  2. Open your downloads and extract the contents of the zip folder.
  3. Navigate inside the OpenSSL folder
  4. The top of File Explorer should show the current path. If OpenSSL was extracted to the downloads folder, it should say something close to “This PC > Downloads > OpenSSL”
    1. Type “cmd” in the folder path and hit the “Enter” key
  5. The new command prompt window should have opened in the current working directory. Type the following three commands:
    1. set OPENSSL_CONF=openssl.cnf
    2. openssl.exe
    3. genrsa -des3 -out privateKey.key 2048 (you can remove the -des3 option if you do not want to have a password for the key file)
  6. Create and confirm the password for your .key file.

If successful it should look like the below image.

.key file

The .key will be in the OpenSSL folder. 

Creating Certificate Signing Request (.csr file)

Method 1

  1. Type the below command
    1. req -new -key privateKey.key -out CACert.csr
    2. If you used the -des3 flag in the last step, enter the password and then fill in the information requested.
    3. After entering your email address, you can fill in the ‘extra’ attributes but it is not required. You can hit the “enter” key twice to skip over this. 
  2. This will create the certificate signing request (.csr file)
  3. Below is what the commands should look like with no problems. 
Certificate Signing Request (CSR)

The .csr file will be in the OpenSSL folder. 

Within the SSL folder, you can right-click the created .csr file and open it with Notepad, and you will have the information needed for the Certificate Request.

Method 2

In the previous method, you had to type the answers at each prompt. It is also possible to supply a file with the answers already filled out.
 
				
[ req ]
prompt=no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = 
stateOrProvinceName = 
localityName = 
organizationName = 
commonName = 
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = 
DNS.2 = 
DNS.3 = 

  1. Copy the contents above into Notepad and save the file in the OpenSSL folder with the name generateCSR.bat
    1. Enter the two letter Country Code next to countryName. 
    2. Enter the full name of your state or province next to stateOrProvinceName.
    3. Enter the name of your locality next to localityName.
    4. Specify the name of your organization, next to organizationName.
    5. Enter the name of your website or domain beside commonName. The Common Name is the FQDN (the host name) of the web server that is going to receive the certificate. Do not include the following details while entering the Common Name:
      -> protocol (http:// or https://)
      -> port numbers or pathnames
    6. Enter the Subject Alternative Names (SANs) of your website next to DNS.1, DNS.2, etc., one per line. A single certificate can have many SANs. You can add more by adding DNS.4, DNS.5, and so on, at the end of the file.
  2. Type the below command
    1. req -new -key privateKey.key -out CACert.csr -config generateCSR.bat
    2. If you used the -des3 flag in the last step, enter the password.
  3. This will create the certificate signing request (.csr file)
  4. Below is what the commands should look like with no problems. 

The .csr file will be in the OpenSSL folder. 

Within the SSL folder, you can right-click the created .csr file and open it with Notepad, and you will have the information needed for the Certificate Request.
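
The Method 2 answer file can also be generated rather than typed by hand. The Python sketch below is an added example, not part of the original procedure: it fills in the template above and rejects a Common Name or SAN that contains a protocol, port number or pathname. The function names and sample values are assumptions made for illustration, and wildcard names are not handled.

```python
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def check_hostname(name):
    """Return name if it is a bare FQDN, else raise ValueError."""
    if "://" in name:
        raise ValueError(f"{name!r}: remove the protocol (http:// or https://)")
    if "/" in name:
        raise ValueError(f"{name!r}: remove the pathname")
    if ":" in name:
        raise ValueError(f"{name!r}: remove the port number")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"{name!r}: not a fully qualified domain name")
    return name

def render_config(country, state, locality, org, common_name, sans):
    """Build the Method 2 answer file as a string."""
    if not re.fullmatch(r"[A-Za-z]{2}", country):
        raise ValueError("countryName must be the two letter Country Code")
    for field in (state, locality, org):
        # An empty value or an embedded line break would corrupt the file.
        if not field.strip() or "\n" in field or "\r" in field:
            raise ValueError(f"invalid distinguished name value: {field!r}")
    # Clients match host names against the SAN list, so the Common Name is
    # listed first; dict.fromkeys drops duplicates and keeps the order.
    names = dict.fromkeys(check_hostname(n) for n in [common_name, *sans])
    lines = [
        "[ req ]", "prompt=no", "default_bits = 2048",
        "distinguished_name = req_distinguished_name",
        "req_extensions = req_ext",
        "[ req_distinguished_name ]",
        f"countryName = {country.upper()}",
        f"stateOrProvinceName = {state}",
        f"localityName = {locality}",
        f"organizationName = {org}",
        f"commonName = {common_name}",
        "[ req_ext ]", "subjectAltName = @alt_names", "[alt_names]",
    ]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(names, 1)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(render_config("US", "Texas", "Austin", "Example Org",
                        "www.example.com", ["example.com", "api.example.com"]))
```

Save the returned text as generateCSR.bat in the OpenSSL folder, then run the req command from step 2 of Method 2.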

Summary

In this document we went through the steps to create the .key file, which we need in order to create the certificate signing request (.csr) file that a certificate authority can use to issue a .cer file.
