Generate CSR and sign using Linux CA - CentOS/Red Hat 6.x/7.x

This article will show you how to generate a CSR request and get it signed on a linux CA (CentOS/Red Hat). Follow this link if you have not already installed and configured CA server. We can run the below command to generate the CSR (Certificate Signing Request).

# mkdir /tmp/certs
# openssl req -new -nodes -sha256 -out certificate_request.csr -newkey rsa:2048 -keyout /tmp/certs/certificate_key.key -extensions v3_req

It will prompt you for the required fields, fill them in as required.

Output:

Generating a 2048 bit RSA private key
..........................................+++
................+++
writing new private key to '/tmp/certs/certificate_key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:

Check the generated files

# ll /tmp/certs/
-rw-r--r--. 1 root root 1708 May 30 18:51 certificate_key.key
-rw-r--r--. 1 root root 1045 May 30 18:51 certificate_request.csr

Now that we are done with generating the CSR, let's continue with getting the CSR signed by CA server (Linux).

Copy over the .csr file over to the CA server in /etc/pki/CA/crl/ folder using scp/sftp

Now login to the CA server and run this command to get it signed.

# openssl x509 -req -days 730 -in /etc/pki/CA/crl/certificate_request.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out signed_certificate.crt -extfile /etc/pki/CA/openssl.cnf -extensions v3_req -sha256

Output:

Signature ok
subject=/C=GB/ST=Berks/L=RDG/O=Personal/OU=Test/CN=idm.off.local/emailAddress=admin@off.local
Getting CA Private Key
Enter pass phrase for private/ca.key:

Now you should get a .crt file which would be the RootCA signed cert which can be sent over to the requester. To verify that the cert and private key match and are valid, checkout this article.

# ls /etc/pki/CA/*.crt
/etc/pki/CA/signed_certificate.crt

That should be it and we have now got a signed cert from the CSR request.

Most Read Articles

Add/Detect a new disk in ...

Written By Farooq Mohammed Ahmed on Sunday, 11 January 2015 19:22
Add/Detect a new disk in ...

Upgrade Red Hat Satellite...

Written By Farooq Mohammed Ahmed on Friday, 22 April 2016 18:33
Upgrade Red Hat Satellite...

Cacti Install and Config ...

Written By Farooq Mohammed Ahmed on Monday, 30 November 2015 11:13
Cacti Install and Config ...

Using awk in Alias Comman...

Written By Farooq Mohammed Ahmed on Friday, 19 February 2016 14:22
Using awk in Alias Comman...

Replace SSL Certificates ...

Written By Farooq Mohammed Ahmed on Friday, 16 December 2016 08:05
Replace SSL Certificates ...