Create A Certificate Signing Request

From Postmaster Administration Wiki

TLS (and its predecessor SSL) requires a server certificate, either issued by a commercial certificate authority or self-signed, with which the server identifies itself before encrypted communication is established. A CA-issued certificate is strongly recommended for anything the public connects to: online stores using HTTPS, ISP mail services (SMTP, POP, IMAP) and web mail over HTTPS. Self-signed certificates are sufficient for development, testing and private in-house applications and services, with the understanding that clients will warn about them unless they have been told to trust them. In either case the administrator needs a certificate signing request (CSR) for each host machine, to be signed by a certificate authority (CA).

There are three steps: generate a private key if the host does not already have one, generate a CSR that carries the host name in the Common Name (CN) field along with the other salient details, then submit the CSR for signing.

The Common Name (CN) is the most important subject field in a certificate. It must contain the DNS host name of the server exactly as clients connect to it. So if your inbound mail server is mx.example.net, then your certificate's CN must also be mx.example.net; otherwise the public will see warnings about invalid certificates or certificates that do not match the host name. Note that modern clients match the host name against the Subject Alternative Name (SAN) extension rather than the CN (RFC 2818 and RFC 6125 deprecate CN matching, and public CAs are required to put every host name in the SAN), so the CSR should carry the host name as a SAN entry as well. The interactive openssl req prompt shown below never asks for one; it has to be supplied through a configuration file or, with OpenSSL 1.1.1 or later, the -addext option.

Generate a private key.

$ openssl genrsa -out host.example.com.key 2048
$ chmod u=r,go= host.example.com.key

The generated file, host.example.com.key, holds a 2048-bit RSA private key; the number is the length of the modulus, not an "encryption" strength, and the key itself is written to disk unencrypted. Other lengths can be specified (1024, 2048, 4096, conventionally powers of two): longer keys are harder to factor at the cost of slower handshakes and signing. 2048 bits is the minimum that public CAs will sign today, and 1024-bit keys are below the minimum that NIST and the CA/Browser Forum permit, so they should not be generated. It is good practice to have one private key per host machine, since every application on the host that supports TLS will use it. In the event a machine is compromised, only that machine's private key is exposed, and only that certificate needs to be revoked and reissued.

Generate CSR for host machine.

$ openssl req -new -key host.example.com.key -out host.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: CA
State or Province Name (full name) []: Quebec
Locality Name (eg, city) []: Montreal
Organization Name (eg, company) []: Example Ltd.
Organizational Unit Name (eg, section) []: IT Dept.
Common Name (eg, fully qualified host name) []: host.example.com
Email Address []: support@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []: 
$

A file called host.example.com.csr will be generated incorporating the data entered.

The "challenge password" prompt is an attribute stored in the CSR itself, not a passphrase on the private key; most CAs ignore it, so leave it blank. Do not confuse it with an encrypted private key. The openssl genrsa command as run above writes the key unencrypted, which is what server certificates need: if the key were encrypted (for example with genrsa -aes256), every TLS-based service that starts automatically at boot would pause and prompt for the passphrase.

The CSR file is in PEM format (Base64-encoded DER between BEGIN and END CERTIFICATE REQUEST lines), so the content is not readable as-is, but it can be decoded and viewed with:

View CSR content.

$ openssl req -text -noout -in host.example.com.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=Quebec, L=Montreal, O=Example Ltd., OU=IT Dept.,
                 CN=host.example.com/emailAddress=support@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:fa:c6:4d:8f:45:ce:b7:a8:ae:ac:b8:e8:72:
                    93:04:93:fb:30:80:c6:de:5d:b2:cc:89:85:e7:23:
                    35:af:d2:40:47:e6:59:45:3e:46:09:97:4a:43:ea:
                    0d:ac:8a:52:f5:6e:3b:07:8e:f4:c0:99:77:df:d7:
                    51:09:5a:6f:ef:c1:6f:14:47:32:b0:bc:88:b6:76:
                    58:0e:13:48:5d:53:4f:00:da:c9:2b:7f:4b:60:39:
                    18:ea:00:1f:59:96:7c:43:2b:25:71:09:3a:68:d7:
                    9f:b9:b5:11:a1:b8:8b:30:8b:fc:56:62:0d:d1:75:
                    0c:b1:ec:73:6a:12:b4:51:9b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        50:aa:20:01:f2:60:29:29:95:89:eb:21:a1:c9:6b:1d:8d:2e:
        4f:35:a8:a0:a0:73:f0:0a:15:40:8c:2d:14:73:62:fc:d3:e3:
        64:d4:ad:dd:62:eb:fe:df:31:cc:23:12:ce:a3:fa:e5:76:b0:
        6f:12:80:40:29:b2:ee:e8:3b:e3:52:cd:90:79:f9:60:ec:4b:
        1f:22:b7:63:46:94:18:dd:f3:00:58:2e:1b:ff:02:5d:2a:8a:
        ca:19:9a:6d:c5:e6:1a:a2:26:15:0c:14:c1:77:e6:c2:ff:6d:
        d4:77:eb:5a:e3:b4:11:ef:48:24:48:64:cd:d3:45:42:0c:72:
        65:45
$

Before submitting, check three things in that output: the CN (and the SAN entry, if one was added) matches the host name exactly, the key is at least 2048 bits, and the signature algorithm is sha256WithRSAEncryption or stronger. The sample output above was captured with an older OpenSSL build and shows a 1024-bit key signed with md5WithRSAEncryption, both of which a CA will reject today; current OpenSSL releases sign CSRs with SHA-256 by default and will report 2048 bit for the key generated above. The host.example.com.csr can then be submitted to Gandi, GoDaddy, Verisign, or a similar certificate authority. The alternative, for private use, is to self-sign a certificate from the CSR with the host's own private key.
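The three steps above carried out non-interactively, with the Subject Alternative Name that the interactive prompt omits, followed by the checks worth running before a CSR leaves the host and by the self-signing step used for private certificates. This is an added example written for this page, not a command sequence from the wiki: the host name host.example.com, the subject fields and the file names are placeholders taken from the transcript above, the function names are the author's own, and it assumes only a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Added example for this page, not from the wiki: key, CSR with SAN, checks,
# and a self-signed certificate for testing. All names below are placeholders.
set -eu

# make_key KEYFILE: 2048-bit RSA private key, unencrypted (so no passphrase
# prompt at service start), never world-readable even for an instant.
make_key() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
    chmod u=r,go= "$1"
}

# make_csr KEYFILE CSRFILE FQDN: non-interactive CSR whose CN and SAN both
# carry the host name; the subject fields mirror the transcript above.
make_csr() {
    key=$1; csr=$2; fqdn=$3
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
C  = CA
ST = Quebec
L  = Montreal
O  = Example Ltd.
OU = IT Dept.
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$csr"
    rm -f "$cfg"
}

# csr_self_check KEYFILE CSRFILE FQDN: prints ok when the CSR's self-signature
# verifies, its public key belongs to KEYFILE, the host name appears as both
# CN and SAN, and the signature is SHA-256; prints bad otherwise.
csr_self_check() {
    key=$1; csr=$2; fqdn=$3
    openssl req -in "$csr" -verify -noout >/dev/null 2>&1 || { echo bad; return; }
    # the modulus printed from the key and from the CSR must be identical
    kmod=$(openssl rsa -in "$key" -noout -modulus)
    cmod=$(openssl req -in "$csr" -noout -modulus)
    [ "$kmod" = "$cmod" ] || { echo bad; return; }
    txt=$(openssl req -in "$csr" -noout -text)
    case $txt in *"CN = $fqdn"*|*"CN=$fqdn"*) ;; *) echo bad; return ;; esac
    case $txt in *"DNS:$fqdn"*) ;; *) echo bad; return ;; esac
    case $txt in *sha256WithRSAEncryption*) ;; *) echo bad; return ;; esac
    echo ok
}

# self_sign KEYFILE CSRFILE CERTFILE FQDN: what a CA would do with the CSR,
# done with the host's own key for private use. x509 -req does not copy
# extensions from the CSR, so the SAN has to be supplied again.
self_sign() {
    key=$1; csr=$2; cert=$3; fqdn=$4
    ext=$(mktemp)
    printf 'subjectAltName = DNS:%s\n' "$fqdn" >"$ext"
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
        -extfile "$ext" -out "$cert" 2>/dev/null
    rm -f "$ext"
    # a self-signed certificate has identical subject and issuer
    subj=$(openssl x509 -in "$cert" -noout -subject); subj=${subj#*=}
    iss=$(openssl x509 -in "$cert" -noout -issuer);   iss=${iss#*=}
    [ "$subj" = "$iss" ] || { echo bad; return; }
    case $(openssl x509 -in "$cert" -noout -text) in
        *"DNS:$fqdn"*) echo ok ;;
        *)             echo bad ;;
    esac
}

# demo FQDN: run the whole procedure in the current directory.
demo() {
    make_key "$1.key"
    make_csr "$1.key" "$1.csr" "$1"
    echo "CSR check:   $(csr_self_check "$1.key" "$1.csr" "$1")"
    echo "self-signed: $(self_sign "$1.key" "$1.csr" "$1.crt" "$1")"
}

# usage: sh csr-example.sh host.example.com
if [ $# -gt 0 ]; then demo "$1"; fi
```

The modulus comparison is the check that catches the most common mistake in practice, a CSR generated against one key and a service configured with another; the CA will happily sign such a CSR and the resulting certificate will never load. The self-signed certificate is only for private use: for a public service the CSR goes to the CA and the CA's certificate, not the output of self_sign, is installed.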
