Skip to content

Create PKI key and CSR request

Christopher Hopkins edited this page Apr 4, 2017 · 19 revisions

SSL/TLS is used to protect information users provide and get from websites. If you want to do this on your sites you will need to generate a PKI private key and Certificate Signing Request (CSR). The PKI private key will be kept on the webserver, and the CSR will be sent to a Certificate Authority (CA) to be signed. The following command will enable you to create both.

 $ openssl req -new -newkey rsa:4096 -nodes -keyout yourdomain.key -out yourdomain.csr

Openssl will prompt you for additional information, and after you have supplied the answers, then it will generate the key and CSR.

Create encrypted PKI key and CSR request

In case you are particularly security conscious, you can generate the private key so that it is encrypted. Here is the same command as above, but without the '-nodes' option.

 $ openssl req -new -newkey rsa:4096 -keyout yourdomain.key -out yourdomain.csr

Unencrypt an encrypted key

 $ openssl rsa -in yourdomain.key -out yourdomain.plaintext.key

Encrypt a plain text key

 $ openssl rsa -des3 -in yourdomain.plaintext.key -out yourdomain.cypher.key

Step-by-step key and CSR generation

First step, Generating the private key (omit the '-des3' if you don't want the private key encrypted)

 $ openssl genrsa -des3 -out yourdomain.key 4096

Second step, Generating the CSR

 $ openssl req -new -key yourdomain.key -out yourdomain.csr

Sign CSRs/generate certificates

Use the example command below (changing the names as needed)

 $ openssl x509 -req -days 365 -in yourdomain.csr -CA yourca.crt -CAkey yourca.key -CAcreateserial -out yourdomain.crt

View CSR details

 $ openssl req -text -in yourdomain.csr -noout

View private key details

 $ openssl rsa -text -in yourdomain.key -noout

Create a CSR from an existing certificate

 $ openssl x509 -x509toreq -in yourdomain.crt -out yourdomain.csr -signkey yourdomain.key

Examine Certificates

 $ openssl x509 -text -in yourdomain.crt -noout

To Create PKCS12 files (usually used with Windows/IIS)

 $ openssl pkcs12 -export -out domain.p12 -inkey domain.com.key -in ../certs/domain.com.crt -certfile ../certs/chain.crt 

To Create an ECC (Elliptic Curve Cryptography) certificate

A newer alternative to RSA-based certificates are ECC-based certificates. ECC-based certificates offer smaller keys with similar security to standard sized RSA-based keys. For example a 256 bit ECC key would provide the same security margin as a 3072 bit RSA key.

First, generate the ECC key:

 $ openssl ecparam -out yourdomain.key -name secp384r1 -genkey

Then, generate the CSR:

$ openssl req -new -key yourdomain.key -out yourdomain.csr

All the other steps are the same as for RSA-based certificates/keys

Available Curves

In my example above, I used secp384r1. I used this because it is well supported and has reasonable strength. I you would like to see what other curves are available, run the following command:

$ openssl ecparam -list_curves

Clone this wiki locally