How to Generate Your Own CSR Using OpenSSL and Java Keytool

shameem
Visa Employee

In this "How To" guide, we show you how to generate your own CSR (Certificate Signing Request) using OpenSSL and Java Keytool.

What is a CSR?

A CSR, or Certificate Signing Request, is a block of encoded text that is given to a Certificate Authority (CA) when applying for an SSL/TLS certificate.

It contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate; the matching private key stays on your own system and is never sent to the CA.

  • Common Name - This field must contain a fully qualified domain name, in the format alias/hostname.domainname.com. It must not contain any wildcard characters in the hostname. For example: services.visa.com
  • Organization Unit Name - Name of the division within your organization. For example: Debit Card Processing Unit
  • Organization Name - Name of your organization. For example: Bank of USA
  • Locality Name - A valid city name. For example: San Francisco
  • State Name - Name of the state or province where the server is located. For example: California
  • Country Name - Two-letter International Organization for Standardization (ISO) 3166-1 country code. For example: US

A private key is created at the same time as the CSR, making a key pair. The certificate authority uses the CSR to create your SSL certificate.

You can generate your own CSR using either OpenSSL or the Java Keytool.

1. Generating CSR Using OpenSSL

OpenSSL is an open-source software library that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and provides basic cryptographic functions and various utilities.

The OpenSSL command below generates a 2048-bit RSA private key and a CSR in one step:

openssl req -nodes -newkey rsa:2048 -keyout private-key.pem -out certreq1.csr -subj "/C=<country name>/ST=<state name>/L=<city/locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<CSR Unique Id>"

CSR Unique Id (UID) - This is required only for the Certification and Production environments.

The UID should have one of the following values appended to it:

  • Certification environment: <UID>-CERT
  • Production environment: <UID>-PROD

To get the CSR Unique Id, go to the dashboard, select the Project Name for which you need to generate the CSR, and click on Settings.

For MLE (Message Level Encryption), you will need to use your MLE Key ID as the UID while generating the CSR:

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=<country name>/ST=<state name>/L=<city/locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<MLE KeyId value>"

Please replace the < > characters and the enclosed values with your own values.

Note: Keep the private key safe, as it will be used later for MLE decryption. The -nodes option writes the key to disk unencrypted, so restrict who can read the file.

If there is a need to decrypt your private key, you can run the following command:

openssl rsa -in private-key.pem -out private-key_rsa.pem
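As an added example (not part of the original page), the script below wraps the OpenSSL command above in a small POSIX shell function that applies the <UID>-CERT / <UID>-PROD suffix rule for you, and adds the checks worth running before a CSR is submitted: that its self-signature verifies, that the UID and key size are what you intended, and that the CSR really belongs to the private key you are keeping. The function names and all subject values (Example Bank, services.example.com, the UID demo-unique-id) are this example's own constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and all subject
# values (Example Bank, services.example.com, the UID) are constructed.
set -eu

# gen_csr STAGE UID KEYFILE CSRFILE
#   STAGE is CERT or PROD; the page's rule <UID>-CERT / <UID>-PROD is applied here,
#   so the caller never types the suffix by hand.
gen_csr() {
    stage="$1"; uid="$2"; key="$3"; csr="$4"
    case "$stage" in
        CERT|PROD) ;;
        *) echo "gen_csr: stage must be CERT or PROD, got '$stage'" >&2; return 1 ;;
    esac
    # -nodes leaves the private key unencrypted on disk, so lock the file down at once
    openssl req -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Bank/OU=Debit Card Processing Unit/CN=services.example.com/UID=${uid}-${stage}" \
        2>/dev/null
    chmod 600 "$key"
}

# csr_verify CSRFILE : succeeds only if the CSR's self-signature is valid
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# csr_uid CSRFILE : prints the UID attribute of the subject. Handles both the
# "/C=US/..." and the "C = US, ..." subject styles printed by different OpenSSL versions.
csr_uid() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*UID *= *\([^,/]*\).*|\1|p'
}

# csr_key_bits CSRFILE : prints the RSA modulus size of the public key in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's|.*Public-Key: (\([0-9]*\) bit).*|\1|p'
}

# key_matches_csr KEYFILE CSRFILE : succeeds if the public key embedded in the CSR is
# the one derived from KEYFILE, i.e. the CSR really was made from the key you keep
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# demo : runs the whole flow in a scratch directory and reports the results
demo() {
    dir=$(mktemp -d)
    gen_csr CERT demo-unique-id "$dir/private-key.pem" "$dir/certreq1.csr"
    csr_verify "$dir/certreq1.csr" && echo "CSR signature: OK"
    echo "UID: $(csr_uid "$dir/certreq1.csr"), key size: $(csr_key_bits "$dir/certreq1.csr") bits"
    key_matches_csr "$dir/private-key.pem" "$dir/certreq1.csr" && echo "private key matches CSR"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh gen-csr.sh --demo`, or source it and call gen_csr with your own stage and UID. The key_matches_csr check is the one most often skipped: it catches the case where a key file is overwritten by a later run and the CSR you submit no longer corresponds to the key you will use for MLE decryption.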
2. Generating CSR Using Java Keytool

keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication, or in data integrity and authentication services that use digital signatures.

The keytool command works on any file-based keystore implementation. It treats the keystore location that is passed to it on the command line as a file name.

Below are the steps to perform when using the keytool command to generate a CSR.

  • First, create a Java keystore in PKCS12 format by executing the command below.

keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.p12 -storetype PKCS12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<CSR Unique Id>"

For MLE (Message Level Encryption), you will need to use your MLE Key ID as the UID while generating the CSR:

keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.p12 -storetype PKCS12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<MLE KeyId value>"

Please replace the < > characters and the enclosed values with your own values.

  • Then export your CSR from the keystore to a file in PEM format:

keytool -certreq -alias client -keystore clientkeystore.p12 -storepass <password> -keypass <password> -file certreq1.csr

  • For MLE, you will also have to export the private key from the keystore to a file in PEM format:

openssl pkcs12 -in clientkeystore.p12 -nodes -nocerts -out private-key.pem

Note: Keep the private key safe, as it will be used later for MLE decryption. The -nodes option writes the key to the file unencrypted, so restrict who can read it.

  • If the client uses Java for MLE decryption, the additional step below is needed to decrypt the private key:

openssl rsa -in private-key.pem -out private-key_rsa.key
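As an added example (not the page's own commands), the script below runs the export and conversion steps above end to end and checks the result. keytool may not be installed where you test this, so make_test_keystore builds a stand-in PKCS12 keystore with OpenSSL (keytool -genkeypair likewise stores a self-signed certificate next to the key); the extract_key and to_pkcs1 functions run the page's own openssl pkcs12 and openssl rsa commands. Two details worth knowing: because -nodes writes the key unencrypted, the final openssl rsa step does not decrypt anything but rewrites the PKCS#8 key ("BEGIN PRIVATE KEY") in traditional RSA PKCS#1 format ("BEGIN RSA PRIVATE KEY"), and OpenSSL 3 only does that when given -traditional, which to_pkcs1 supplies with a fallback for older releases. The password changeit, the function names and the subject values are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. make_test_keystore stands in for
# 'keytool -genkeypair' so the script runs without a JDK; the password and all
# subject values are constructed.
set -eu

# make_test_keystore P12FILE PASSWORD : build a PKCS12 keystore holding a 2048-bit RSA
# key under the alias "client" together with a self-signed certificate, which is also
# what keytool -genkeypair stores.
make_test_keystore() {
    p12="$1"; pass="$2"; tmp=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Bank/OU=Debit Card Processing Unit/CN=services.example.com/UID=demo-mle-key-id" \
        2>/dev/null
    openssl pkcs12 -export -name client -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$p12" -passout "pass:$pass"
    rm -rf "$tmp"
}

# extract_key P12FILE PASSWORD KEYFILE : the page's 'openssl pkcs12 -nodes -nocerts' step,
# with the store password supplied non-interactively. The output is an unencrypted
# PKCS#8 key ("BEGIN PRIVATE KEY"), so restrict the file immediately.
extract_key() {
    openssl pkcs12 -in "$1" -nodes -nocerts -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# to_pkcs1 KEYFILE OUTFILE : the page's 'openssl rsa' step. OpenSSL 3 keeps PKCS#8 unless
# given -traditional; OpenSSL 1.x rejects that flag but writes PKCS#1 by default.
to_pkcs1() {
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
    chmod 600 "$2"
}

# pem_label FILE : prints the label of the first PEM block, e.g. "RSA PRIVATE KEY"
# (the exported file starts with "Bag Attributes" lines, which are skipped)
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# same_key A B : succeeds if the two private key files derive the same public key,
# i.e. the conversion changed only the encoding
same_key() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# demo : run the export and conversion in a scratch directory and report the formats
demo() {
    dir=$(mktemp -d)
    make_test_keystore "$dir/clientkeystore.p12" changeit
    extract_key "$dir/clientkeystore.p12" changeit "$dir/private-key.pem"
    to_pkcs1 "$dir/private-key.pem" "$dir/private-key_rsa.key"
    echo "exported:  $(pem_label "$dir/private-key.pem")"
    echo "converted: $(pem_label "$dir/private-key_rsa.key")"
    same_key "$dir/private-key.pem" "$dir/private-key_rsa.key" && echo "same key, different encoding"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

With a real keystore produced by the keytool commands above, skip make_test_keystore and pass your clientkeystore.p12 and store password to extract_key. The pem_label check tells you at a glance which encoding a key file is in, which is the usual cause of "invalid key format" errors when the Java MLE client loads the wrong one.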

If you have any queries or comments, please let us know in the comment section below.