We all know how important a digital certificate in the digital world. No buddy can imagine a secure world without digital certificates. A digital certificate can be tagged to a user, computer, application, server, or service, and can also be tagged to RF access cards. Most of you have seen SSL/TLS certificates while using the web. It’s one of the most common digital certificates used to secure the communication between your web browser and a web server (website). Wait, digital certificates are not just used in securing communication over the network, they are also used in proving the identity of the associated entity. Digital certificates are not eternal, they expire after a fixed amount of time. It is required to renew the certificate to enjoy the service. The certificate renewal process begins with the generation of a certificate signing request and request a new certificate by submitting the Certificate Signing Request (CSR) to a Certificate Authority (CA). We have shown how to create a custom CSR on a Windows server in a separate post. In this post, we are covering how to create a certificate signing request on a Linux server.
OpenSSL has made the process very simple. We just need OpenSSL on our Linux machine to create a certificate signing request on a Linux server. We have used Ubuntu Desktop v 20.4 LTA for demonstration purposes. However, the procedure remains the same for all other versions of Linux and Windows. Yes, you can follow this process to create a CSR on Windows OS as well if you have OpenSSL running on your Windows machine.
“OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.”
By OpenSSL
We can utilize OpenSSL for various productive things. We can create cryptographic keys (private and public key pair), and we can use them as a full-stack Certificate Authority CA to issue the requested certificates. Moreover, we can use this utility to generate self-signed and code-signed certificates too.
Certificate Signing Request is a piece of information encoded in base64 format. It has most of the details required to generate an X.509 digital certificate. Most likely, a certificate seeker who wants to request a new digital certificate or wants to renew the expired certificate for an application, server, or service would need to create a CSR on the server by supplying the information required to create a certificate. Then the CSR should be submitted to the Certificate Authority to sign a new certificate for the application, server, or service.
Common Name (CN) | The Fully Qualified Domain Name (FQDN). e.g. *.example.com, www.example.com, and mail.example.com. |
Organization (O) | The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC. |
Organizational Unit (OU) | The division of your organization handling the certificate. |
City/Locality (L) | The city where your organization is located. This shouldn’t be abbreviated. |
State/County/Region (S) | The state/region where your organization is located. This shouldn’t be abbreviated. |
Country (C) | The two-letter code for the country where your organization is located. |
Email Address | An email address used to contact your organization. |
Table #!: CSR content
There are no or minimal prerequisites are required. All you need to have OpenSSL installed on the server which comes in default installation in most of the Linux distributions.
The procedure we are showing up here will create a custom CSR that can be used to generate any type of digital certificate. Let’s see the procedure to create a Certificate Signing Certificate on a Linux server.
In fact, OpenSSL is included in the default package list in most Linux distributions. You can verify the installation of OpenSSL with the command.
$ openssl version -a
It is simple to install OpenSSL on any platform. Here are the commands to install OpenSSL on three popular Linux Distributions. We are not going to install as in our demo we have OpenSSL readily running on our Ubuntu machine.
$ sudo apt install openssl [On Debian/Ubuntu]
$ sudo yum install openssl [On CentOS/RHEL]
$ sudo dnf install openssl [On Fedora]
The private key is one of the must-have entities to create a CSR. Creation of private key is included as a subprocess in the same command. Just use this command to create a CSR for example.com domain.
$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
Let’s break down the command to understand.
openssl req: It denotes a new openssl request.
-new: New request
-newkey rsa:2048: It creates a 2048-bit RSA key
-nodes: It dosen’t encrypt the key which is not recommended. We are showing this just for demo.
-keyout: It takes the private key as an argument and send that key to the CSR file example.com.csr
-out: This writes the CSR to a file. example.com.csr in our demo.
Enter all the details that it asks for during the CSR creation process.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bengaluru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TheSecMaster
Organizational Unit Name (eg, section) []:IT Security
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:user@example.comPlease enter the following ‘extra’ attributesto be sent with your certificate request
A challenge password []:12345
An optional company name []:TheSecurityMaster
The command creates two files. (1) .key and (2) .cer. You have an idea what they might be.
You can submit the CSR file or content to the Certificate Authority with a designed certificate template, CA will issue the certificate and hand it over to you for deployment.
It is always good to verify the created CSR before submitting it to the CA. You can create a fresh CSR if in case of any wrong information. This would give a chance to fix the error which may come during the deployment. Use this command to verify the CSR.
$ openssl req -text -in example.com.csr -noout -verify
The private key is a highly confidential entity. It should be kept in a secure place. If someone gets access to the private key and its passphrase, he can create another CSR request using the same private key and sign his machine to add that to the trusted PKI network.
Command to create a new CSR using the existing private key.
$ openssl req -newkey rsa:2048 -keyout example.com.key -out mycsr.csr
Use this command to view the content of the private key.
$ cat example.com.key
That’s all. How simple it is, isn’t it? This is how you can create a certificate signing request on a Linux server. Please bear in mind that the procedure shown here will remain the same as long as you are using OpenSSL to create a certificate signing request on any platform.
You can submit the CSRs to your Certificate Authority with a desired certificate template and ask the CA team to issue the certificate.
Thanks for reading this article. Please read more such tutorials on thesecmaster.com.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.