This article will show you how to generate a CSR (Certificate Signing Request) and get it signed by a Linux CA (CentOS/Red Hat). Follow this link if you have not already installed and configured the CA server. Run the commands below to create a working directory, a new 2048-bit RSA private key and the CSR:
# mkdir /tmp/certs
# openssl req -new -nodes -sha256 -out certificate_request.csr -newkey rsa:2048 -keyout /tmp/certs/certificate_key.key -extensions v3_req
It will prompt you for the Distinguished Name fields (country, state, organisation, common name and so on); fill them in as required.
Output:
Generating a 2048 bit RSA private key
..............................+++
...........+++
writing new private key to '/tmp/certs/certificate_key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
Check the generated files:
# ll /tmp/certs/
-rw-r--r--. 1 root root 1708 May 30 18:51 certificate_key.key
-rw-r--r--. 1 root root 1045 May 30 18:51 certificate_request.csr
Now that we are done with generating the CSR, let's continue with getting it signed by the CA server (Linux).
Copy the .csr file over to the /etc/pki/CA/crl/ folder on the CA server using scp or sftp.
Now log in to the CA server, change to /etc/pki/CA (the command below refers to the CA certificate and key by relative path, certs/ca.crt and private/ca.key, and writes the signed certificate into the current directory), and run this command to sign the request:
# openssl x509 -req -days 730 -in /etc/pki/CA/crl/certificate_request.csr -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -out signed_certificate.crt -extfile /etc/pki/CA/openssl.cnf -extensions v3_req -sha256
Output:
Signature ok
subject=/C=GB/ST=Berks/L=RDG/O=Personal/OU=Test/CN=idm.off.local/emailAddress=admin@off.local
Getting CA Private Key
Enter pass phrase for private/ca.key:
You should now have a .crt file, the Root CA-signed certificate, which can be sent back to the requester. To verify that the certificate and private key match and are valid, check out this article.
# ls /etc/pki/CA/*.crt
/etc/pki/CA/signed_certificate.crt
That should be it: we now have a certificate signed from the CSR.