PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl req -new" - Generate CSR from Key
This section describes the 'openssl req -new' command, which allows you to generate a CSR (Certificate Signing Request) from a given private/public key pair.
The "openssl req -new" command allows you to generate a CSR (Certificate Signing Request) from a given private/public key pair, as shown in this tutorial.
1. Verify the private/public key pair generated in the previous tutorial. It is an EC key pair.
herong$ more key.pem
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBvstWA2SxQLDL5vd3CbTEQ6ezaYXYUEKlPqvEsOdMf34R+tpei+CH3
Q+kjlfO7PXCgBwYFK4EEACKhZANiAARAfLX67b5zUxzsjklqCDfrjWn6P3jpKfh2
nGwHv39C6IZnYkIi7rS+Nf3qS5jH1vlsoyeHNzFqmGA1Wh6FuXxHdctzKzBXmCWt
yWv35VxivIZJnBoT5GyIh+UF49HpUy8=
-----END EC PRIVATE KEY-----
2. Generate a CSR with the key pair and enter my name as my identity to be certified. No need to enter any 'extra' attributes.
herong$ openssl req -new -key key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Herong Yang
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Look at the CSR file. It is written in PEM format.
herong$ more csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCB3gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMHYwEAYHKoZIzj0CAQYF
...
BzFFf+dvyQjciQ==
-----END CERTIFICATE REQUEST-----
4. Print out information from the CSR file. It contains my identity as the "Subject" and my public key. It is also signed with my private key.
herong$ openssl req -in csr.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:40:7c:b5:fa:ed:be:73:53:1c:ec:8e:49:6a:08:
                    37:eb:8d:69:fa:3f:78:e9:29:f8:76:9c:6c:07:bf:
                    ...
                    e5:05:e3:d1:e9:53:2f
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:a1:61:c3:cf:15:7b:58:34:2a:aa:b0:62:04:
         44:73:05:4e:ef:2e:a6:b9:1a:b6:91:ab:d8:4c:54:46:2f:8b:
         ...
         d1:df:95:92:12:57:2b:a2:30:f3:ea:bc:2e
My CSR file is ready to be sent to a CA (Certificate Authority) for signing.
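The two claims in step 4, that the CSR carries my public key and that it is signed with my private key, can be checked before the file goes to a CA. The script below is an added example, not part of the original tutorial: the function names and scratch files are assumptions, and it generates fresh P-384 keys with -subj in place of the interactive prompts rather than reusing key.pem.

```shell
#!/bin/sh
# Added example: sanity checks on a CSR before it is submitted to a CA.
# Function names and the scratch files are assumptions made for this demo.

# Generate a P-384 EC key and a CSR; -subj supplies the DN without prompts.
make_csr() {  # usage: make_csr KEY_OUT CSR_OUT SUBJECT
    ( umask 077   # private key readable by its owner only
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
          -out "$1" 2>/dev/null ) &&
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# True if the CSR's self-signature verifies with the public key it carries.
# Output is matched because the message's stream and exact wording vary by
# OpenSSL version; "verify OK" is the part common to them.
csr_selfsig_ok() {  # usage: csr_selfsig_ok CSR
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if the CSR's public key is the public half of the given private key.
csr_matches_key() {  # usage: csr_matches_key KEY CSR
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Demo with constructed inputs in a scratch directory.
demo=$(mktemp -d)
make_csr "$demo/key.pem" "$demo/csr.pem" "/C=ZZ/L=My City/CN=Herong Yang"
make_csr "$demo/other.pem" "$demo/other.csr" "/CN=Someone Else"
csr_selfsig_ok "$demo/csr.pem" && echo "csr.pem: self-signature verifies"
csr_matches_key "$demo/key.pem" "$demo/csr.pem" && echo "csr.pem matches key.pem"
csr_matches_key "$demo/other.pem" "$demo/csr.pem" || echo "csr.pem does not match other.pem"
rm -rf "$demo"
```

The key comparison catches the common mistake of submitting a CSR built from a different key than the one kept on the server, which only shows up later when the issued certificate does not match the installed key.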