In this "How To" guide, we will show you how to generate your own CSR (Certificate Signing Request) using OpenSSL and Java Keytool.
Important Links:
What is a CSR?
A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate.
It contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate.
- Common Name - This field must contain a fully qualified domain name. Format should be alias/hostname.domainname.com. This must not contain any wildcard characters for the hostname. For example: services.visa.com
- Organization Unit Name - Name of the division within your organization. For example: Debit Card Processing Unit
- Organization Name - Name of your organization. For example: Bank of USA
- Locality Name - A valid city name. For example: San Francisco
- State Name - Name of the state or province where the server is located. For example: California
- Country Name - Two-digit International Standards Organization (ISO) 3166-1 country code. For example: US
A private key is usually created at the same time when you create the CSR, making a key pair. A certificate authority will use a CSR to create your SSL certificate.
You can generate your own CSR using either OpenSSL or the Java Keytool.
Generating CSR Using OpenSSL
OpenSSL is an open-source software library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as provides basic cryptographic functions and various utilities.
The below OpenSSL command below will generate a 2048-bit RSA private key and CSR:
Generating Your Own CSR for Mutual SSL
openssl req -nodes -newkey rsa:2048 -keyout private-key.pem -out certreq1.csr -subj "/C=<country name>/ST=state name>/L=<city/locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<CSR Unique Id>"
For Mutual SSL, you will need to provide the CSR Unique Id (UID) - This is required for Certification or Production environment only
The UID should be appended with one of the following values:
- Certification environment: <UID>-CERT
- Production environment: <UID>-PROD
To get the CSR Unique Id, go to dashboard, select the Project Name for which you need to generate the CSR, and click on Settings.
Generating Your Own CSR for MLE
For MLE (Message Level Encryption), you will need to add your MLE Key ID while generating the CSR:
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=<country name>/ST=state name>/L=<city/locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<MLE KeyId value>"
Please replace the < > characters and the enclosed values with your own values.
Note: Keep the private key safely, as that would be used later for MLE decryption
If there is a need to decrypt your private key, you can run the following command:
openssl rsa -in private-key.pem -out private-key_rsa.pem
Generating CSR Using Java Keytool
keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication or data integrity and authentication services, using digital signatures.
The keytool command works on any file-based keystore implementation. It treats the keystore location that is passed to it at the command line as a file name.
Below are the steps that needs to perform in case of using keytool command to generate csr.
- First you will need to create a Java Keystore, in PKCS12 format by executing the below command.
GeneratingYour Own CSR for Mutual SSL
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore -storetype PKCS12 clientkeystore.p12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<CSR Unique Id>"
For Mutual SSL, you will need to provide the CSR Unique Id (UID) when generating the CRS. This is required for Certification or Production environment only
The UID should be appended with one of the following values:
- Certification environment: <UID>-CERT
- Production environment: <UID>-PROD
To get the CSR Unique Id, go to dashboard, select the Project Name for which you need to generate the CSR, and click on Settings.
Generating Your Own CSR for MLE
For MLE (Message Level Encryption), you will need to add your MLE Key ID while generating the CSR:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore -storetype PKCS12 clientkeystore.p12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<MLE KeyId value>"
Please replace the < > characters and the enclosed values with your own values.
- Then you will need export/extract your CSR from the keystore to a file in PEM Format
keytool -certreq -alias client -keystore clientkeystore.p12 -storepass <password> -keypass <password> -file certreq1.csr
- You will also have to export/extract the private key from the keystore to a file in PEM Format for MLE:
openssl pkcs12 -in clientkeystore.p12 -nodes -nocerts -out private-key.pem
Note: Keep the private key safely, as that would be used later for MLE decryption
- In case client is using Java for MLE decryption, we need additional below step to decrypt the private key
openssl rsa -in private-key.pem -out private-key_rsa.key
If you have any queries or comments, please let us know in the comment section below.
