
Generating a secure certificate request with OpenSSL

This is a little cheat sheet for personal use on how to generate a secure certificate request using openssl.

The first step is creating a strong private key. At this moment, 2048 bits is the recommended key length. Security experts are projecting that 2048 bits will be sufficient for commercial use until around the year 2030 (Reference1 and Reference2 pdf).

openssl genrsa -out ~/niwi.nz.key 2048

And the second step is to create a proper CSR (certificate request). I say proper because you should explicitly specify the secure hash algorithm to use for signing. In this case it should never be sha1 (Reference1 and Reference2).

The recommended hash algorithm today is sha256:

openssl req -new -sha256 -key ~/niwi.nz.key -out ~/niwi.nz.csr

Here is a little guide to the different fields that you will find when creating the CSR:

  • Common Name: If you intend to secure the URL https://www.niwi.nz, then your CSR's common name must be www.niwi.nz. If you plan on getting a wildcard certificate make sure to prefix your domain with an asterisk, example: *.niwi.nz.
  • Organization: The exact legal name of your organization. Example: niwi.nz.
  • Organization unit: The section of your organization. Example: IT.
  • City or Locality: The legal city of your organization. Example: Madrid.
  • State or Province: The legal province of your organization. Example: Madrid.
  • Country: The legal country of your organization in ISO format: ES. (Full list here)

And as the last step, you may verify your CSR:

openssl req -noout -text -in ~/niwi.nz.csr

This is a possible stripped-down output with the relevant information:

Certificate Request:
        Version: 0 (0x0)
        Subject: C=ES, ST=Madrid, L=Madrid, O=niwi.nz, OU=IT, CN=*.niwi.nz/emailAddress=niwi@niwi.nz
    Signature Algorithm: sha256WithRSAEncryption
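Putting the three steps together, as an added example that is not part of the original cheat sheet: a shell script that creates the key and CSR non-interactively (the subject values come from the field guide above; the output directory and the `request` base name are assumptions) and then checks the CSR before it goes to a CA, rejecting a broken self-signature, a SHA-1/MD5 digest or a key shorter than 2048 bits.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): create the key and CSR
# non-interactively, then check the CSR before submitting it to a CA.
# The output directory and the "request" base name are assumptions.
set -eu

# make_csr DIR CN: 2048-bit RSA key (mode 0600 via umask) plus a SHA-256 CSR.
# Subject values are the ones from the field guide above.
make_csr() {
    dir=$1; cn=$2
    ( umask 077; openssl genrsa -out "$dir/request.key" 2048 2>/dev/null )
    openssl req -new -sha256 -key "$dir/request.key" -out "$dir/request.csr" \
        -subj "/C=ES/ST=Madrid/L=Madrid/O=niwi.nz/OU=IT/CN=$cn"
}

# check_csr FILE: return 0 only if the self-signature verifies, the digest is
# not SHA-1/MD5 and the public key has at least 2048 bits; otherwise say why.
check_csr() {
    csr=$1
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1 \
        || { echo "REJECT: self-signature does not verify"; return 1; }
    text=$(openssl req -noout -text -in "$csr")
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        *sha1*|*SHA1*|*md5*|*MD5*) echo "REJECT: weak digest $sigalg"; return 1 ;;
    esac
    # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 "Public-Key: (N bit)"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "REJECT: key is only ${bits:-?} bits"; return 1; }
    echo "OK: $sigalg, $bits-bit key"
}

# Usage: make_csr /tmp/niwi '*.niwi.nz' && check_csr /tmp/niwi/request.csr
```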