Generating a Certificate Signing Request

When applying for a secure certificate you will need to generate a certificate signing request (CSR). If you are renewing an existing certificate you might want to keep your existing private key; if it is a new certificate you will probably need to create a new private key.

If you have previously registered a secure certificate and nothing has changed since then, you can even reuse the existing CSR. The most important part of a CSR is the embedded public key, which must correspond to your private key, so the CSR only really needs to change if you have changed your private key.

What is in a Certificate Signing Request?
A CSR can contain the following information:

  • Domain name (or person’s name)
  • Address details
  • E-mail address
  • Public Key

When you send the CSR to a CA (certificate authority), they will use the information embedded within it to create a full certificate for you, signed by them. Some CAs will let you change the address information before generating the certificate.

You can decode a CSR with the following command:

openssl req -in old/secure.domain.com.csr -text -noout
Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=GB, ST=Hampshire, L=Aldershot, O=Fubra Ltd, CN=secure.domain.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:c7:2b:e8:ad:c7:2a:da:f7:0f:e5:7d:23:f5:91:
                   49:a5:1d:ee:df:03:33:af:b5:ad:0b:dd:3e:af:e0:
                   95:67:b8:39:fb:2b:0e:c4:2b:37:d7:aa:f7:79:f8:
                   07:23:41:87:e8:72:88:8e:4b:c5:e6:cc:51:7b:9a:
                   9f:87:db:52:f8:4d:73:b2:79:9a:b9:18:17:fb:f8:
                   22:05:6b:af:25:81:e3:89:e0:ec:be:d1:19:93:bf:
                   06:31:20:01:e3:3d:80:7f:1e:c3:9c:89:4f:33:f1:
                   bd:9a:f6:58:d5:74:51:9a:43:3e:14:f8:ee:8e:8d:
                   7b:43:da:44:33:13:bd:0d:7f
               Exponent: 65537 (0x10001)
       Attributes:
           a0:00
   Signature Algorithm: md5WithRSAEncryption
       50:c7:69:cf:04:53:8b:de:64:dc:ba:e3:ac:3b:93:d1:94:2f:
       48:3b:15:27:c7:e5:1a:65:bc:a4:bd:cb:6a:fe:12:a3:b0:14:
       13:23:ff:3b:15:68:eb:48:c1:63:64:e0:de:8d:ce:34:93:8f:
       41:ef:97:e5:6f:aa:1d:01:db:2e:51:d6:68:8a:d3:f8:f4:70:
       87:17:a2:d1:c8:2d:79:61:22:b6:02:bd:31:50:67:e6:7e:fb:
       23:49:e3:58:61:2e:6b:4b:77:1e:76:3f:d8:2f:8e:44:6e:9e:
       e7:e5:54:f7:a7:90:a7:3c:1e:34:4a:31:22:72:77:fe:bc:7e:
       53:ce

Generating a new CSR and a new private key
To create a brand new private key and certificate signing request just run:

openssl req -new -nodes -keyout newprivate.key -out server.csr

Generating a new CSR with an existing private key

If you need to generate a certificate signing request from an existing private key, you can do so with the following command:

openssl req -new -key existingprivate.key -out server.csr

Using an existing CSR with an existing private key
You don’t need to run any new commands; just send your existing CSR to the certificate issuer.
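
Before resubmitting an old CSR, it is worth confirming that its embedded public key still corresponds to the private key on the server, as described at the top of this page. The script below is an added example, not part of the original article; the function name csr_matches_key, the file names and the subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: check that a CSR still belongs to a private key before reuse.
# File names and the subject used below are constructed for this demo.

# Return 0 if the CSR's embedded public key matches the private key,
# 1 if it does not, and 2 if a file is unreadable or the CSR's own
# signature fails to verify.
csr_matches_key() {
    csr=$1
    key=$2
    # A CSR is signed with its own key; a failed check means it is damaged.
    # The success message differs between OpenSSL versions, but every
    # version's message contains "verify OK".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    # Public key embedded in the CSR, as PEM.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, in the same PEM form.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$csr_pub" ] || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# Demo on throwaway material: one key with its CSR, plus an unrelated key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/existingprivate.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null
openssl req -new -key "$demo_dir/existingprivate.key" \
    -subj "/CN=secure.example.test" -out "$demo_dir/server.csr" 2>/dev/null

for k in existingprivate.key other.key; do
    if csr_matches_key "$demo_dir/server.csr" "$demo_dir/$k"; then
        echo "$k: CSR matches this key, safe to resubmit"
    else
        echo "$k: CSR does not match this key (status $?)"
    fi
done
```

If the check returns 1, generate a fresh CSR from the key you actually hold rather than sending the old one.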
