"openssl req -newkey ..." - Generate Key and CSR

This section describes the "openssl req -newkey ..." command, which allows you to generate a private/public key pair and a CSR in a single step.

The "openssl req -newkey ..." command allows you to generate a CSR (Certificate Signing Request) without an existing private/public key pair. It generates a new key pair according to the "-newkey ..." argument and uses it for the new CSR.

1. Generate an RSA key pair and a CSR. Enter my name as the identity to be certified. No need to enter any 'extra' attributes.

herong$ openssl req -newkey rsa:2048 -keyout key.pem -out csr.pem

Generating a RSA private key
............................................................+++++
...........................+++++
writing new private key to 'key.pem'
Enter PEM pass phrase: TopSecret
Verifying - Enter PEM pass phrase: TopSecret

-----
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Herong Yang
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2. Look at the key file. It is encrypted and written in PEM format.

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIelnQ40spsvQCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECL92ZZS3+/EcBIIEyIHmhGFtBcDR
...
shb+R630/0UERuG51D5+PA==
-----END ENCRYPTED PRIVATE KEY-----

3. Look at the CSR file. It is written in PEM format.

herong$ more csr.pem 

-----BEGIN CERTIFICATE REQUEST-----
MIICnTCCAYUCAQAwWDELMAkGA1UEBhMCWloxEDAOBgNVBAcMB015IENpdHkxITAf
BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLSGVyb25n
...
iQ==
-----END CERTIFICATE REQUEST-----

4. Print out information from the CSR file. It contains my identity as the "Subject" and my public key. It is also signed with my private key.

herong$ openssl req -in csr.pem -text -noout

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:1b:3d:15:f5:a4:cf:41:4c:9d:53:30:ed:1b:
                    fb:76:23:c4:c0:dc:dd:21:db:95:e4:a3:b1:ad:a5:
                    ...
                    a8:7f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         75:86:4e:05:7c:d4:fd:ed:17:73:31:99:9d:77:73:b7:20:61:
         3d:fd:f4:4d:c1:68:0e:dd:3b:24:17:22:9d:42:c0:4e:0f:b9:
         ...
         09:f0:97:89

My CSR file is ready to be sent to a CA (Certificate Authority) for signing.

If you want to use a key algorithm other than RSA, you can use "-pkeyopt ..." to specify key parameters. For example, the following command generates an EC key and a CSR.

herong$ openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
  -keyout key.pem -out csr.pem

Generating an EC private key
writing new private key to 'key.pem'
Enter PEM pass phrase: TopSecret
Verifying - Enter PEM pass phrase: TopSecret

-----
You are about to be asked to enter information that will be 
incorporated into your certificate request.
...

Print out information from the CSR file. It contains my identity as the "Subject" and my public key. It is also signed with my private key.

herong$ openssl req -in csr.pem -text -noout

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:76:66:7b:d2:f6:c3:64:35:23:e2:63:d7:d1:9a:
                    f8:e9:f5:7a:79:ac:82:0a:93:10:3d:f5:ce:b6:8b:
                    ...
                    c6:50:ea:f9:68:85:41
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:30:17:9d:31:30:ff:b4:54:88:61:0c:78:79:2f:07:
         9e:b4:b3:f0:3f:ef:fb:ab:97:20:02:0b:9f:08:12:5f:b7:78:
         ...
         cb:44:e0:e7:12:33:97:bb:5e:83:a8:8b:59
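The RSA and EC procedures above can be run without interactive prompts, and the resulting CSR should be checked before it is sent to a CA: its self-signature must verify, and the public key it carries must match the private key in key.pem. The following script is an added example, not part of the original page; it assumes OpenSSL 1.1.1 or later on the PATH, and the subject and passphrase are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page): "openssl req -newkey" run
# non-interactively, followed by the checks a requester or CA operator
# should make on the CSR. Assumes OpenSSL 1.1.1+; subject/passphrase are
# constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate key + CSR in one step. -subj replaces the Distinguished Name
# prompts and -passout supplies the key passphrase (use a real secret).
gen_key_and_csr() {
  # $1 = newkey spec, e.g. rsa:2048 or ec
  # $2 = optional -pkeyopt value, e.g. ec_paramgen_curve:P-384
  _opt=""
  [ -n "${2:-}" ] && _opt="-pkeyopt $2"
  openssl req -newkey "$1" $_opt \
    -keyout "$WORK/key.pem" -out "$WORK/csr.pem" \
    -passout pass:TopSecret \
    -subj "/C=ZZ/L=My City/CN=Herong Yang" 2>/dev/null
}

# Check 1: the CSR is signed with the private key; -verify checks that
# signature against the public key embedded in the CSR. A CSR that was
# tampered with in transit fails here.
csr_signature_ok() {
  openssl req -in "$WORK/csr.pem" -verify -noout >/dev/null 2>&1
}

# Check 2: the public key inside the CSR must be the one derived from
# key.pem; a mismatch means the CSR and key file do not belong together
# and the issued certificate would be unusable with this key.
csr_matches_key() {
  _a=$(openssl req -in "$WORK/csr.pem" -pubkey -noout)
  _b=$(openssl pkey -in "$WORK/key.pem" -passin pass:TopSecret -pubout)
  [ "$_a" = "$_b" ]
}

# Check 3: print the subject so it can be compared with what was requested
# (the CA should issue for exactly this identity and nothing more).
csr_subject() {
  openssl req -in "$WORK/csr.pem" -subject -noout
}

# Key algorithm and parameters as the CA will see them.
csr_key_info() {
  openssl req -in "$WORK/csr.pem" -text -noout
}
```

Run `gen_key_and_csr rsa:2048` or `gen_key_and_csr ec ec_paramgen_curve:P-384`, then the three check functions; a non-zero exit from either check means the CSR should not be submitted.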
