
Creating a CSR

1. Creating the key pair and the CSR (Certificate Signing Request)
The following instructions use OpenSSL as the example tool for creating a CSR (Windows binaries are also available). The easiest way is to write a short OpenSSL configuration file and feed it to the openssl req command (feel free to use an alternative procedure if you are already familiar with OpenSSL):
 
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn


[ dn ]
C = BE
O = OFFICIAL_NAME_OF_YOUR_ORGANIZATION
CN = FULLY_QUALIFIED_DOMAIN_NAME_OF_YOUR_SERVER
# for "O =", use the full legally defined name of your institution
# O = Universite Libre de Bruxelles
# O = Katholieke Universiteit Leuven
# O = Universite de Liege
# ... etc.
 
Save the configuration above as a text file; we advise you to use the file name 'myserver.cnf'.
Tip 1: Replace myserver with the fully qualified domain name of your server, e.g. loba.belnet.be.
Tip 2: The CN attribute must be set to the fully qualified domain name of your server (e.g. myserver.example.com, server.subdomain.example.com or similar), exactly as clients will type it; a certificate for a short host name or an IP address will not be issued.
 
Beware:
1. Always use the official organization name in the O= line. For legal reasons, its spelling must exactly match the one indicated on the legal documents sent to BELNET during the registration process;
2. Respect the field length limits defined in the ASN.1 definition of X.509 certificates (RFC 2459, now superseded by RFC 5280): O, OU and CN are limited to 64 characters, L and ST to 128;
3. You may use non-ASCII characters as well (such as é, è, à, ù, ç), but then tell OpenSSL to read the [ dn ] values as UTF-8 (the utf8 and string_mask options of the [ req ] section), otherwise they are encoded as if they were ASCII and the CA will reject the request.
Within the request, C, O and CN are mandatory attributes for all certificates. The following attributes are optional:

  • L: the name of the city (with its official spelling, e.g. "Leuven", "Liege", ...)
  • OU: the name of the organizational unit (e.g. Computing Center)
  • emailAddress (sometimes also written Email or E): the e-mail address which will be added to the subject of the certificate.

Finally, create the key pair and the CSR (example of command under a Un*x system) :

$ umask 0377
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr

This will create a 2048-bit RSA key pair, store the private key in the file myserver.key and write the CSR to the file myserver.csr. The private key is stored without a passphrase, which is why the umask command is run first: with umask 0377 both files are created with mode 0400 (readable by the owner only, not even writable), so no other user on the machine can copy the key. On a non-Un*x system, use a directory with restrictive file ACLs or equivalent. Only the CSR is sent to the CA; the private key never leaves the server.
2. Creating a certificate with multiple DNS names

To create a certificate which includes more than one DNS name, follow the steps below. A certificate with multiple DNS names is needed when several services run on the same machine under different names and each of them must be secured. For example loba.belnet.be is also known as www.belnet.be and as certificates.belnet.be. Every alternative FQDN (fully qualified domain name) must be listed as a subject alternative name in the CSR. Alternatively you can request a separate certificate for each FQDN.
To create a certificate with more than one FQDN, you have to create a specially formatted CSR that carries the X.509 extension subjectAltName (SAN). Edit an OpenSSL configuration file with your preferred ASCII text editor as follows:
 
[ req ]
default_bits = 2048       # 2048 bits is the minimum accepted key length
prompt = no               # take the DN from the [ dn ] section instead of prompting interactively
encrypt_key = no          # store the private key without a passphrase (see the question in our FAQ)
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C = BE
O = Reseau Telematique de la recherche Belnet
OU = Services
CN = test.belnet.be
L = Brussels

[ v3_req ]
subjectAltName = DNS:test.belnet.be,DNS:test2.belnet.be,DNS:test3.belnet.be

Tip: The principal FQDN must appear as the CN, since only this one is kept in the subject of the certificate. The other names are carried in the subjectAltName field of the generated certificate. Repeat the CN in the subjectAltName list as well: a client that follows RFC 6125 (for instance Chrome since version 58) only checks the subjectAltName extension when it is present and ignores the CN, so a name that appears in the CN alone will fail validation. This is different from the previous version of the certificate service (SCS).
When you have finished this, then create the key pair and the CSR (example of command under a Un*x system) :

$ umask 0377
$ openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr

As in section 1, this creates a 2048-bit RSA key pair, stores the private key in the file myserver.key and writes the CSR to the file myserver.csr. The private key is stored without a passphrase, which is why the umask command is run first: with umask 0377 both files are created with mode 0400, readable by the owner only (on a non-Un*x system, use a directory with restrictive file ACLs or equivalent). Check the generated CSR before sending it: the subject must show your CN and O, and the Requested Extensions block must list every DNS name you expect.
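The two procedures above (a single-name CSR in section 1 and a multi-name CSR in section 2) differ only in the configuration file. The following script is an added example, not part of the BELNET page or of OpenSSL: it builds that configuration for any list of FQDNs, enforces the checks the page asks for (mandatory C/O/CN, RFC 5280 length limits, valid host names, the CN repeated in subjectAltName), and then optionally drives the openssl binary to create the key pair and CSR with owner-only permissions and re-verify the CSR signature. The function names build_req_config, is_fqdn and make_csr are this example's own, and the sample DN values are constructed for illustration.

```python
"""Added example: generate and validate an OpenSSL `req` configuration for a
single- or multi-name CSR, then (optionally) run openssl to create key + CSR.
Function names (build_req_config, is_fqdn, make_csr) are this example's own."""
import os
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Upper bounds from RFC 5280 appendix A: ub-common-name, ub-organization-name
# and ub-organizational-unit-name are 64; ub-locality-name and ub-state-name 128.
FIELD_LIMITS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128}

# One DNS label: 1-63 letters, digits or hyphens, not starting/ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if `name` is a syntactically valid fully qualified host name
    (at least two labels, no trailing dot, no wildcard, <= 253 characters)."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def build_req_config(dn: Dict[str, str], alt_names: Optional[List[str]] = None,
                     key_bits: int = 2048) -> str:
    """Return the text of an OpenSSL `req` configuration file for a CSR.

    `dn` must contain C, O and CN (mandatory on the page); OU, L, ST and
    emailAddress are optional. The CN is always the first subjectAltName entry
    because clients that follow RFC 6125 ignore the CN once a SAN is present.
    """
    for attr in ("C", "O", "CN"):
        if not dn.get(attr):
            raise ValueError(f"mandatory attribute {attr} is missing")
    if len(dn["C"]) != 2:
        raise ValueError("C must be a two-letter ISO 3166 country code")
    for attr, limit in FIELD_LIMITS.items():
        if attr in dn and len(dn[attr]) > limit:
            raise ValueError(f"{attr} exceeds the RFC 5280 limit of {limit} characters")
    if key_bits < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are not accepted")

    # CN first, then the alternatives; duplicates (case-insensitive) dropped.
    names: List[str] = []
    for raw in [dn["CN"], *(alt_names or [])]:
        name = raw.strip()
        if not is_fqdn(name):
            raise ValueError(f"not a fully qualified domain name: {name!r}")
        if name.lower() not in (n.lower() for n in names):
            names.append(name)

    lines = [
        "[ req ]",
        f"default_bits = {key_bits}",
        "prompt = no",              # DN comes from [ dn ], no interactive prompts
        "encrypt_key = no",         # private key without passphrase, as on the page
        "default_md = sha256",
        "utf8 = yes",               # read non-ASCII [ dn ] values as UTF-8 ...
        "string_mask = utf8only",   # ... and encode them as UTF8String
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "",
        "[ dn ]",
    ]
    order = ["C", "ST", "L", "O", "OU", "CN", "emailAddress"]
    lines += [f"{attr} = {dn[attr]}" for attr in order if attr in dn]
    lines += ["", "[ v3_req ]",
              "subjectAltName = " + ",".join(f"DNS:{n}" for n in names)]
    return "\n".join(lines) + "\n"


def make_csr(config_text: str, key_path: str, csr_path: str) -> str:
    """Write the config, create key pair and CSR with owner-only permissions,
    and let OpenSSL re-check the CSR's self-signature. Returns the CSR (PEM).
    Requires the openssl binary; equivalent to the `umask` + `openssl req` step."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    cnf_path = csr_path + ".cnf"
    with open(cnf_path, "w", encoding="utf-8") as fh:
        fh.write(config_text)
    old_umask = os.umask(0o077)   # key and CSR created mode 0600 (page uses 0377 -> 0400)
    try:
        subprocess.run(["openssl", "req", "-new", "-config", cnf_path,
                        "-keyout", key_path, "-out", csr_path],
                       check=True, capture_output=True)
    finally:
        os.umask(old_umask)
    # -verify fails if the CSR signature does not match the embedded public key.
    subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-verify"],
                   check=True, capture_output=True)
    with open(csr_path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample DN mirroring the page's section 2 example.
    sample_dn = {"C": "BE", "O": "Reseau Telematique de la recherche Belnet",
                 "OU": "Services", "L": "Brussels", "CN": "test.belnet.be"}
    print(build_req_config(sample_dn, ["test2.belnet.be", "test3.belnet.be"]))
```

Run it without arguments to print the configuration; pass the result to make_csr (or paste it into myserver.cnf and run the openssl req command shown above) to obtain the key and CSR. The -verify call at the end is the check worth keeping in any CSR pipeline: it catches a CSR whose signature does not match its public key before the request is ever sent to the CA.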