
Generating a secure certificate request with OpenSSL

This is a little cheat sheet for personal use on how to generate a secure certificate request using openssl.

The first step is creating a strong private key. At this moment, 2048 bits is the recommended key length. Security experts are projecting that 2048 bits will be sufficient for commercial use until around the year 2030 (Reference1 and Reference2 pdf)

openssl genrsa -out ~/niwi.nz.key 2048

The second step is creating a proper CSR (certificate request). I said proper because you should explicitly specify the secure hash algorithm used to sign it. It should never be sha1 (Reference1 and Reference2)

The recommended hash algorithm today is sha256:

openssl req -new -sha256 -key ~/niwi.nz.key -out ~/niwi.nz.csr

Here is a little guide to the different fields that you will find when creating the CSR:

And as the last step, you can verify your CSR:

openssl req -noout -text -in ~/niwi.nz.csr

This is a possible output, stripped down to the relevant information:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=ES, ST=Madrid, L=Madrid, O=niwi.nz, OU=IT, CN=*.niwi.nz/emailAddress=niwi@niwi.nz
        [...]
    Signature Algorithm: sha256WithRSAEncryption
        [...]
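
The three steps above combined into one non-interactive script that also gates on the result, as an added example that is not part of the original cheat sheet. The subject values, file names and helper function names are constructed placeholders, and accepting SHA-256 or a stronger SHA-2 hash is an assumption of this example:

```shell
#!/bin/sh
# Added example: generate a key and CSR without prompts, then check the CSR.
# Subject values are constructed placeholders (example.com).

MIN_BITS=2048   # minimum RSA key length accepted by check_csr

# make_csr KEYFILE CSRFILE BITS: the page's two commands, with -subj supplying
# the subject fields. umask 077 keeps the private key unreadable to others.
make_csr() {
    ( umask 077; openssl genrsa -out "$1" "$3" 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$1" -out "$2" \
        -subj "/C=ES/ST=Madrid/L=Madrid/O=example.com/OU=IT/CN=*.example.com"
}

# csr_sigalg CSRFILE: print the signature algorithm named in the CSR.
csr_sigalg() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_bits CSRFILE: print the public key size in bits.
csr_bits() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr CSRFILE: return 0 only if the self-signature verifies, the hash is
# SHA-256 or a stronger SHA-2 (so never sha1), and the key has >= MIN_BITS bits.
check_csr() {
    openssl req -noout -verify -in "$1" 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: self-signature does not verify" >&2; return 1; }
    alg=$(csr_sigalg "$1")
    case "$alg" in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: signature algorithm is '$alg'" >&2; return 1 ;;
    esac
    bits=$(csr_bits "$1")
    [ "${bits:-0}" -ge "$MIN_BITS" ] || {
        echo "FAIL: key is ${bits:-unknown} bits, need $MIN_BITS" >&2; return 1; }
    echo "OK: $alg, $bits-bit key"
}

# Demo run in a throwaway directory.
demo=$(mktemp -d) && make_csr "$demo/demo.key" "$demo/demo.csr" 2048 &&
    check_csr "$demo/demo.csr"
rm -rf "$demo"
```

Running `check_csr` on a CSR before sending it to the CA catches a request that was generated with an old default hash or a short key.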