Generate a CSR Certificate Signing Request in Linux

Introduction

Generating a Certificate Signing Request (CSR) for Secure Sockets Layer (SSL) Certificate in Linux are common on most of the Linux distributions. In case if we need a certificate for Apache service facing internet or an Internal FTP server in your organization required a secure file transfer by eliminating plain text transfer on your network. In the first place, we can’t ignore using SSL certificate since let’s encrypt made it available for free.

A Collaborative Project from Linux Foundation provided letsencrypt.org for free of cost, This can be used for any type of websites or in any place where you required to encrypt the communications. To create an SSL certificate first we need to generate a CSR file and submit with the certificate authority.

There are two types of certificates they are Self Signed Certificate and CA Authorized Certificate.

SSL Certificate

Self Signed Certificate

  • A self-signed certificate is one signed with its own private key because we don’t have a plan to signed by a CA.
  • Self-signed certificates are valid for 1 year we need to renew once it about to expire.
  • A local certificate authority server in your environment will help to create an SSL certificate to use with in the organization.
  • Can be used for any locally deployed applications and FTP servers etc.

Certificate Authorized CA

  • A trusted third party entity that issues digital certificates.
  • It Can be used on internet-facing servers for data encryption, Example website using HTTPS.
  • The validity period of the certificate depends on the plan we are choosing.
  • Required domain validation to issue any CA certificates.

Generate a Certificate Signing Request (CSR)

Navigate to below location. In case if you are creating for web server create a directory in any name location you wish.

# cd /etc/pki/tls/certs

Start to generate CSR by running OpenSSL command with options and arguments.

# openssl req -new -newkey rsa:2048 -nodes -keyout domain_name.com.key -out domain_name.com.csr
OPTIONS AND DESCRIPTIONS AS FOLLOWS
Options
Description
-new
New request
-newkey rsa:2048
To create a RSA key and certificate in one go with 2048 bit.
-nodes
Don’t encrypt the output key
-keyout outfile
File to send the key to domain_name.com.key
-days +int
Number of days cert is valid for
-out
Output file

Running the above command using interactive mode without manual intervention.

# openssl req -nodes -newkey rsa:2048 -keyout domain_name.com.key -out domain_name.com.csr -subj "/C=IN/ST=TamilNadu/L=Chennai/O=Linux Sysadmins/OU=IT/CN=linuxsysadmins.local/Street=Chennai 01"

In the above step we used “-nodes” which will not encrypt the output key. If you have not used the -nodes option we need to follow with below steps to remove the passphrase from the key file.

Removing Passphrase from the Key file

Removing Passphrase from the Key file, Make sure to back up the original file before making any changes.

# sudo cp -v /etc/pki/tls/certs/domain_name.com.{key,original}

Remove the passphrase from key-file and save the output in a new file.

# sudo openssl rsa -in /etc/pki/tls/certs/domain_name.com.original -out /etc/pki/tls/certs/domain_name.com.key

Once we removed the passphrase validate the new file and remove the backup file.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.original

If you need to sign with a CA (Verisign)we need to submit above CSR with some providers to get the.CRT file in emails. If not and only you required inside your organization then follow with below steps.

Creating the “.crt” Certificate file

# sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/domain_name.com.csr -signkey /etc/pki/tls/certs/domain_name.com.key -out /etc/pki/tls/certs/domain_name.com.crt
OPTIONS AND DESCRIPTIONS AS FOLLOWS
Options
Description
X.509
Certificate Data Management.
-req
PKCS#10 X.509 Certificate Signing Request (CSR) Management.
-days
How long the certificate needs to be valid.
-in
Input file of csr
-signkey
self sign certificate key file
-out
Output of the final SSL certificate

Removing the CSR file

Now it’s time to remove the.CSR file. It’s safe to remove the.CSR after done with all above steps. Hereafter we required only “.CRT” and key files.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.csr

Restrict permission for SSL Certificate:

Change the permission of SSL certificate to the only read and write by the root user.

# sudo chmod 600 /etc/pki/tls/certs/domain_name.com.crt.*

That’s it we have generated with a CSR file and submitted to CA for getting our SSL certificate.

Conclusion

To have secure communication between web server and visitors is most important by implementing an SSL certificate. We have gone through two types of certificates if you have any concern to add few points those are most welcome. Subscribe to our newsletter and stay with us.