"openssl req -new" - Generate CSR from Key

This section describes the 'openssl req -new' command, which allows you to generate a CSR (Certificate Signing Request) from a given private/public key pair.

The "openssl req -new" command allows you to generate a CSR (Certificate Signing Request) from a given private/public key pair, as shown in this tutorial.

1. Verify the private/public key pair generated from the previous tutorial. It is an EC key pair.

herong$ more key.pem 

-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBvstWA2SxQLDL5vd3CbTEQ6ezaYXYUEKlPqvEsOdMf34R+tpei+CH3
Q+kjlfO7PXCgBwYFK4EEACKhZANiAARAfLX67b5zUxzsjklqCDfrjWn6P3jpKfh2
nGwHv39C6IZnYkIi7rS+Nf3qS5jH1vlsoyeHNzFqmGA1Wh6FuXxHdctzKzBXmCWt
yWv35VxivIZJnBoT5GyIh+UF49HpUy8=
-----END EC PRIVATE KEY-----

2. Generate a CSR with the key pair and enter my name as my identity to be certified. No need to enter any 'extra' attributes.

herong$ openssl req -new -key key.pem -out csr.pem

You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Herong Yang
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Look at the CSR file. It is written in PEM format.

herong$ more csr.pem 

-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCB3gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMHYwEAYHKoZIzj0CAQYF
...
BzFFf+dvyQjciQ==
-----END CERTIFICATE REQUEST-----

4. Print out information from the CSR file. It contains my identity as the "Subject" and my public key. It is also signed with my private key.

herong$ openssl req -in csr.pem -text -noout

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:40:7c:b5:fa:ed:be:73:53:1c:ec:8e:49:6a:08:
                    37:eb:8d:69:fa:3f:78:e9:29:f8:76:9c:6c:07:bf:
                    ...
                    e5:05:e3:d1:e9:53:2f
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:a1:61:c3:cf:15:7b:58:34:2a:aa:b0:62:04:
         44:73:05:4e:ef:2e:a6:b9:1a:b6:91:ab:d8:4c:54:46:2f:8b:
         ...
         d1:df:95:92:12:57:2b:a2:30:f3:ea:bc:2e

My CSR file is ready to be sent to a CA (Certificate Authority) for signing.
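
The same steps without the interactive prompts, followed by two checks on the result: that the CSR's self-signature verifies, and that the CSR carries the public key of the intended private key. This is an added example, not part of the original tutorial; the helper function names, the temporary directory and the second key other.pem are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation plus the checks to run before
# sending the CSR to a CA. Function and file names are assumptions of this example.

# Generate a throwaway EC key on secp384r1 (the curve of the tutorial's key.pem).
new_ec_key() {  # $1 = output key file
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out "$1" 2>/dev/null
}

# Create a CSR without prompts; -subj carries the same answers typed in step 2.
new_csr() {  # $1 = key file, $2 = output CSR file
    openssl req -new -key "$1" -out "$2" -subj "/C=ZZ/L=My City/CN=Herong Yang"
}

# Succeeds only if the CSR's signature verifies against its embedded public key.
# The result is read from the message ("verify OK"), not from the exit status alone.
csr_signature_ok() {  # $1 = CSR file
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Succeeds only if the public key inside the CSR is the one derived from the key file.
csr_matches_key() {  # $1 = CSR file, $2 = key file
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Demo in a private temporary directory so no real key material is touched.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
new_ec_key "$demo_dir/key.pem"
new_ec_key "$demo_dir/other.pem"      # unrelated key, used for the negative check
new_csr "$demo_dir/key.pem" "$demo_dir/csr.pem"

openssl req -in "$demo_dir/csr.pem" -noout -subject
csr_signature_ok "$demo_dir/csr.pem" && echo "self-signature: OK"
csr_matches_key "$demo_dir/csr.pem" "$demo_dir/key.pem" && echo "CSR matches key.pem"
csr_matches_key "$demo_dir/csr.pem" "$demo_dir/other.pem" || echo "CSR does not match other.pem"
```

Only csr.pem is sent to the CA; key.pem stays on the machine that generated it.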
