In this "How To" guide, we will show you how to generate your own CSR (Certificate Signing Request) using OpenSSL and Java Keytool.
A CSR, or Certificate Signing Request, is a block of Base64-encoded text that you give to a Certificate Authority (CA) when applying for an SSL/TLS certificate.
It contains the information that will be included in the certificate, such as the organization name, common name (the domain name), locality and country, together with the public key that will be included in the certificate.
The private key is normally created at the same time as the CSR, forming a key pair. The CSR is signed with that private key to prove you hold it, but the private key itself is never sent to the CA. The CA uses the CSR to issue your SSL/TLS certificate.
You can generate your own CSR using either OpenSSL or the Java Keytool.
OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and provides general-purpose cryptographic functions, together with the openssl command-line utility used below.
The OpenSSL command below generates a 2048-bit RSA private key and a CSR in one step:
openssl req -nodes -newkey rsa:2048 -keyout private-key.pem -out certreq1.csr -subj "/C=<country name>/ST=<state name>/L=<city or locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<CSR Unique Id>"
For Mutual SSL, you will need to provide the CSR Unique Id (UID) in the subject. This is required for the Certification and Production environments only.
The UID should be appended with one of the following values:
To get the CSR Unique Id, go to the dashboard, select the Project Name for which you need to generate the CSR, and click Settings.
For MLE (Message Level Encryption), you will need to put your MLE Key ID in the UID field instead when generating the CSR:
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=<country name>/ST=<state name>/L=<city or locality name>/O=<organization name>/OU=<organizational unit>/CN=<common name>/UID=<MLE KeyId value>"
Please replace the < > characters and the enclosed values with your own values. The fields in -subj are separated by /, so a value that itself contains a slash must be escaped as \/ or OpenSSL will read it as the start of the next field. You can check what actually ended up in the request, and that its self-signature is valid, with: openssl req -in certreq1.csr -noout -subject -verify
Note: -nodes writes the private key to disk without a passphrase. Keep it safe (readable only by its owner, never committed to source control or sent to anyone, including the CA), as it is needed later for Mutual SSL authentication and for MLE decryption.
openssl req writes the key in PKCS#8 format (a -----BEGIN PRIVATE KEY----- block). If the software that will use the key expects the traditional PKCS#1 format (-----BEGIN RSA PRIVATE KEY-----), or if you later protected the key with a passphrase and need an unencrypted copy, convert it with the following command (on OpenSSL 3.x, add -traditional if you specifically need the PKCS#1 form):
openssl rsa -in private-key.pem -out private-key_rsa.pem
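The following script is an added example, not part of the original guide: it builds the -subj string from individual values (escaping any / inside a value), generates the key and CSR the way the command above does, creates the unencrypted key with mode 0600, and then checks that the CSR's self-signature verifies and that the public key in the CSR is the one belonging to the private key. The subject values, file names and the UID value in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): generate the key and CSR
# non-interactively and verify the result. Subject values, file names and
# the example UID "example-uid-0001" are assumptions for illustration.
set -eu

# Escape "/" inside a subject value, because "/" separates -subj fields.
subj_escape() {
  printf '%s\n' "$1" | sed 's#/#\\/#g'
}

# Build the -subj string from C, ST, L, O, OU, CN and an optional UID
# (the CSR Unique Id for Mutual SSL, or the MLE Key ID for MLE).
build_subject() {
  s="/C=$(subj_escape "$1")/ST=$(subj_escape "$2")/L=$(subj_escape "$3")"
  s="$s/O=$(subj_escape "$4")/OU=$(subj_escape "$5")/CN=$(subj_escape "$6")"
  if [ -n "${7:-}" ]; then
    s="$s/UID=$(subj_escape "$7")"
  fi
  printf '%s\n' "$s"
}

# Generate a 2048-bit RSA key and CSR in directory $1 with subject $2.
# -nodes leaves the key unencrypted, so the umask makes the key file 0600.
gen_key_and_csr() {
  ( umask 077
    openssl req -new -nodes -newkey rsa:2048 \
      -keyout "$1/private-key.pem" -out "$1/certreq1.csr" -subj "$2" )
}

# Print the subject that actually ended up in the CSR.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Check the CSR's self-signature; openssl reports "verify OK" on success
# (older releases do not always reflect a failure in the exit status).
csr_verify_signature() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Check that the public key in the CSR is the one derived from the private key.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage (constructed values):
#   SUBJ=$(build_subject US California "San Jose" "Example Corp" IT api.example.com example-uid-0001)
#   gen_key_and_csr . "$SUBJ"
#   csr_verify_signature certreq1.csr && csr_matches_key certreq1.csr private-key.pem
```

Run csr_matches_key again on the key and the certificate the CA sends back (openssl x509 -in cert.pem -noout -pubkey instead of openssl req) before deploying them; a mismatch there is the usual cause of a TLS handshake or MLE decryption failure after renewal.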
keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication or data integrity and authentication services, using digital signatures.
The keytool command works on any file-based keystore implementation; it treats the keystore location passed on the command line as a file name.
Below are the steps to perform when using the keytool command to generate the CSR. First, generate the key pair in a PKCS12 keystore:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.p12 -storetype PKCS12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<CSR Unique Id>"
For Mutual SSL, you will need to provide the CSR Unique Id (UID) when generating the CSR. This is required for the Certification and Production environments only.
The UID should be appended with one of the following values:
To get the CSR Unique Id, go to the dashboard, select the Project Name for which you need to generate the CSR, and click Settings.
For MLE (Message Level Encryption), you will need to put your MLE Key ID in the UID field instead when generating the CSR:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.p12 -storetype PKCS12 -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>, UID=<MLE KeyId value>"
Please replace the < > characters and the enclosed values with your own values. The fields in -dname are separated by commas, so a comma inside a value (for example in an organization name) must be escaped as \,. Passwords given with -storepass and -keypass on the command line end up in your shell history and are visible to other users in process listings; current JDKs accept -storepass:env VARIABLE or -storepass:file FILE (and the same for -keypass) instead.
Then export the CSR from the keystore:
keytool -certreq -alias client -keystore clientkeystore.p12 -storetype PKCS12 -storepass <password> -keypass <password> -file certreq1.csr
If you need the private key outside the keystore (for example for MLE decryption with OpenSSL-based tooling), extract it as a PEM file. -nodes means the output file is unencrypted, so create it where only you can read it. If OpenSSL 3.x reports an unsupported algorithm, the keystore was written by an older JDK with legacy ciphers; add -legacy to the command:
openssl pkcs12 -in clientkeystore.p12 -nodes -nocerts -out private-key.pem
Note: Keep the private key safely, as it will be used later for MLE decryption.
To convert the extracted PKCS#8 key to the traditional PKCS#1 RSA format (add -traditional on OpenSSL 3.x), run:
openssl rsa -in private-key.pem -out private-key_rsa.key
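The following script is an added example, not part of the original guide: it runs the keytool steps above with the password supplied through an environment variable rather than on the command line, extracts the private key from the PKCS12 keystore with OpenSSL into a 0600 file, and checks that the extracted key really belongs to the CSR that keytool exported. The alias "client", the file names, the distinguished name and the variable name KS_PASS are assumptions for illustration; the -storepass:env and -keypass:env forms are keytool's own password options.

```shell
#!/bin/sh
# Added example (not from the original guide): keytool key pair + CSR, then
# key extraction and a key/CSR consistency check with OpenSSL. Alias, file
# names, DN and the KS_PASS variable name are assumptions for illustration.
set -eu

# Create the key pair in a PKCS12 keystore. The password is read from the
# environment variable KS_PASS (exported by the caller), so it does not
# appear in shell history or in `ps` output.
keytool_gen_keypair() {
  # $1 = keystore path, $2 = distinguished name (CN=..., OU=..., UID=...)
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
    -keystore "$1" -storetype PKCS12 \
    -storepass:env KS_PASS -keypass:env KS_PASS \
    -dname "$2"
}

# Export the CSR for the key under alias "client".
keytool_export_csr() {
  # $1 = keystore path, $2 = CSR output path
  keytool -certreq -alias client -keystore "$1" -storetype PKCS12 \
    -storepass:env KS_PASS -keypass:env KS_PASS -file "$2"
}

# Extract the private key as unencrypted PEM. Because -nodes removes the
# protection, the file is created with mode 0600 via the umask.
extract_private_key() {
  # $1 = keystore path, $2 = PEM output path
  ( umask 077
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nodes -nocerts -out "$2" )
}

# Confirm the public key in the CSR is the one belonging to the extracted key.
# keytool writes a "NEW CERTIFICATE REQUEST" PEM block, which openssl req reads.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (constructed values):
#   KS_PASS='use-a-real-password'; export KS_PASS
#   keytool_gen_keypair clientkeystore.p12 \
#     "CN=api.example.com, OU=IT, O=Example Corp, L=San Jose, ST=California, C=US, UID=example-uid-0001"
#   keytool_export_csr clientkeystore.p12 certreq1.csr
#   extract_private_key clientkeystore.p12 private-key.pem
#   csr_matches_key certreq1.csr private-key.pem && echo "key and CSR match"
```

Setting the password once in the environment also keeps a single source of truth for the keystore and key passwords, which PKCS12 keystores expect to be identical.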
If you have any queries or comments, please let us know in the comment section below.
Thanks for giving a guide about how to Generate CSR Using OpenSSL and Java Keytool, it really helped a lot.
When you say "alias/hostname", are we actually including "alias/" before our domain's name? This step is somewhat confusing, because the sample clearly just states that it's the URL of the domain, not including "alias."