December 8, 2023

How to Create a Certificate Signing Request on a Linux Server?



We all know how important digital certificates are in the digital world. Nobody can imagine a secure world without them. A digital certificate can be tied to a user, computer, application, server, or service, and also to RF access cards. Most of you have seen SSL/TLS certificates while using the web. They are among the most common digital certificates and secure the communication between your web browser and a web server (website). Digital certificates are not only used to secure communication over the network; they also prove the identity of the associated entity. Digital certificates are not eternal: they expire after a fixed amount of time, and the certificate must be renewed to keep using the service. The renewal process begins with generating a Certificate Signing Request (CSR) and submitting it to a Certificate Authority (CA) to request a new certificate. We have shown how to create a custom CSR on a Windows server in a separate post. In this post, we cover how to create a certificate signing request on a Linux server.

OpenSSL makes the process very simple: it is all we need on our Linux machine to create a certificate signing request. We used Ubuntu Desktop 20.04 LTS for demonstration purposes. However, the procedure remains the same for all other versions of Linux and Windows. Yes, you can follow this process to create a CSR on Windows as well if you have OpenSSL running on your Windows machine.

What Is OpenSSL?

“OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.”
By OpenSSL

We can use OpenSSL for many productive things. We can create cryptographic keys (private and public key pairs), and we can use it as a full-stack Certificate Authority (CA) to issue the requested certificates. Moreover, we can use this utility to generate self-signed and code-signing certificates too.

What Is a Certificate Signing Request?

A Certificate Signing Request is a piece of information encoded in base64 format. It has most of the details required to generate an X.509 digital certificate. Typically, someone who wants to request a new digital certificate, or renew an expired one, for an application, server, or service creates a CSR on the server by supplying the information required to create the certificate. The CSR is then submitted to the Certificate Authority, which signs a new certificate for the application, server, or service.

Common Name (CN): The Fully Qualified Domain Name (FQDN). e.g. *.example.com, www.example.com, and mail.example.com.
Organization (O): The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC.
Organizational Unit (OU): The division of your organization handling the certificate.
City/Locality (L): The city where your organization is located. This shouldn’t be abbreviated.
State/County/Region (S): The state/region where your organization is located. This shouldn’t be abbreviated.
Country (C): The two-letter code for the country where your organization is located.
Email Address: An email address used to contact your organization.

Table #1: CSR content

Prerequisites to Create a Certificate Signing Request on a Linux Server:

The prerequisites are minimal. All you need is OpenSSL installed on the server, and it comes with the default installation of most Linux distributions.

The procedure we are showing here creates a custom CSR that can be used to generate any type of digital certificate. Let’s see the procedure to create a Certificate Signing Request on a Linux server.

How to create Certificate Signing Request on a Linux Server using OpenSSL?

Step 1. Verify the installation of OpenSSL on your Linux server:

In fact, OpenSSL is included in the default package list of most Linux distributions. You can verify the installation of OpenSSL with this command:

$ openssl version -a

Step 2. Install OpenSSL on the Linux server:

It is simple to install OpenSSL on any platform. Here are the commands to install OpenSSL on three popular Linux distributions. We are not going to install it, because in our demo OpenSSL is already running on our Ubuntu machine.

$ sudo apt install openssl    # On Debian/Ubuntu
$ sudo yum install openssl    # On CentOS/RHEL
$ sudo dnf install openssl    # On Fedora

Step 3. Create a Certificate Signing Request using OpenSSL:

A private key is a must-have for creating a CSR. The creation of the private key is included as a subprocess in the same command. Use this command to create a CSR for the example.com domain.

$ openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Let’s break down the command to understand it.
openssl req: Invokes OpenSSL's certificate request (CSR) utility.
-new: Generates a new request.
-newkey rsa:2048: Creates a new 2048-bit RSA key.
-nodes: Leaves the private key unencrypted, which is not recommended. We are showing this just for the demo.
-keyout: Takes a file name as an argument and writes the newly created private key to that file, example.com.key in our demo. The private key itself is not placed in the CSR.
-out: Writes the CSR to a file, example.com.csr in our demo.

Step 4. Input the required details:

Enter all the details that it asks for during the CSR creation process.

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bengaluru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TheSecMaster
Organizational Unit Name (eg, section) []:IT Security
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:TheSecurityMaster

Step 5. End of CSR creation process:

The command creates two files: (1) .key and (2) .csr. You have an idea what they might be.
You can submit the CSR file or its content to the Certificate Authority with a desired certificate template. The CA will issue the certificate and hand it over to you for deployment.

Step 6. Verify the CSR:

It is always good to verify the created CSR before submitting it to the CA. If any information is wrong, you can create a fresh CSR. This gives you a chance to fix errors that might otherwise surface during deployment. Use this command to verify the CSR.

$ openssl req -text -in example.com.csr -noout -verify

Step 7. New CSR created using the existing private Key:

The private key is highly confidential. It should be kept in a secure place. If someone gets access to the private key and its passphrase, they can create another CSR using the same private key and get their own machine signed into the trusted PKI network.
Command to create a new CSR using the existing private key:
$ openssl req -new -key example.com.key -out mycsr.csr

Step 8. View the content of the private key:

Use this command to view the content of the private key.

$ cat example.com.key
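
The interactive procedure in Steps 3 to 6 can also be scripted. The following is an added example, not part of the original post: it supplies the Step 4 subject values from a config file, keeps the private key encrypted instead of using -nodes, and checks that the CSR was signed by that key. The subjectAltName entries, the CSR_KEY_PASS variable name, and the function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: non-interactive CSR generation with an encrypted private key.
# SAN entries and the CSR_KEY_PASS variable name are assumptions of this example.
make_csr() {   # usage: make_csr <output-dir> <fqdn>
    local dir=$1 fqdn=$2
    (
        umask 077                      # key and config readable by owner only
        cat > "$dir/$fqdn.cnf" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = IN
ST = Karnataka
L  = Bengaluru
O  = TheSecMaster
OU = IT Security
CN = $fqdn

[ v3_req ]
subjectAltName = DNS:$fqdn, DNS:www.$fqdn
EOF
        # No -nodes: the key is written encrypted. The passphrase is read from
        # the environment, so it does not appear in the process arguments.
        openssl req -new -newkey rsa:2048 -config "$dir/$fqdn.cnf" \
            -keyout "$dir/$fqdn.key" -passout env:CSR_KEY_PASS \
            -out "$dir/$fqdn.csr"
    )
}

csr_matches_key() {   # usage: csr_matches_key <csr-file> <key-file>
    local csr=$1 key=$2 from_csr from_key
    # 1. The CSR's self-signature must verify (proof of possession of the key).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The public key in the CSR must equal the one derived from the key file.
    from_csr=$(openssl req -in "$csr" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$key" -passin env:CSR_KEY_PASS -pubout) || return 1
    [ "$from_csr" = "$from_key" ]
}

# Demo run in a scratch directory with a constructed passphrase.
export CSR_KEY_PASS='constructed-demo-passphrase'
out=$(mktemp -d)
make_csr "$out" example.com && csr_matches_key "$out/example.com.csr" \
    "$out/example.com.key" && echo "CSR and key match"
```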

That’s all. Simple, isn’t it? This is how you can create a certificate signing request on a Linux server. Please bear in mind that the procedure shown here remains the same on any platform as long as you are using OpenSSL to create the certificate signing request.

You can submit the CSRs to your Certificate Authority with a desired certificate template and ask the CA team to issue the certificate.

Thanks for reading this article. Please read more such tutorials on thesecmaster.com.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
