There are three main types of certificates: domain validated (DV), organization validated (OV), and extended validation (EV).
The certificate must be obtained from an authentic authority so that users won't see this message.
Any certificate will provide the same level of protection, no matter the type of validation.
What are the different types of SSL certificates, you may ask?
Single Domain SSL Certificates.
Wildcard SSL Certificates.
Multi-Domain SSL Certificates (MDC).
Domain Validation SSL Certificates.
Organization Validation SSL Certificates.
Extended Validation SSL Certificates.
In this article we will try to explain how to build a CSR.
A Certificate Signing Request (CSR) is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA), such as Comodo, Sectigo, DigiCert, etc.
Requesting an SSL certificate always implies that the KEY and CSR files have been created beforehand.
The KEY and the CSR can be generated on our own computer or on a server. To do this we can use almost any operating system, since openssl is present.
There are various ways to generate a CSR. The method described here lets you generate a CSR for any kind of certificate, according to your needs.
Here is an example of a CSR after being generated:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
This text contains the following fields, which we have to fill in before we generate the CSR.
C (country)
L (locality)
ST (state or province)
O (organization)
OU (organizational unit)
CN (FQDN or domain name list) - This field is the most important one.
STREET (street address)
E (E-mail address)
Now let's do it:
Generate one private KEY.
openssl genrsa -des3 -out myserverkey.key 4096
The previous command starts generating a new private key to use in the next steps, and at the same time asks you to enter a password of your choice to protect the private key that will be generated.
Sometimes this is not practical, but good practice says it is the most correct approach.
In our case we are not going to use a password, so the command will be:
openssl genrsa -out myserverkey.key 4096
Create an empty file named openssl.cnf in the directory where the private key is.
vi openssl.cnf
Inside this file add the following:
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
# Replace the placeholder values below with your own details.
# C takes the two-letter country code.
C = country
ST = state or province
L = locality
O = name of the institution
OU = organization unit name
# CN is your FQDN
CN = netostech.com
emailAddress = umbrellasrv@gmail.com
[ v3_req ]
# Extensions to add to a certificate request
subjectAltName = @alt_names
[ alt_names ]
# Fill in the DNS.n entries only if you need your certificate to protect more than one FQDN
DNS.1 = website2.netostech.com
DNS.2 = website3.netostech.com
DNS.3 = website4.netostech.com
# DNS.4 = ....
Note: if we only need the certificate to protect a single domain, we don't need to add DNS.2, DNS.3, DNS.4 and so on.
Now save the changes to the file and quit the editor.
Generate the CSR with the private key generated before.
openssl req -new -out server.csr -key myserverkey.key -config openssl.cnf
After this command runs we will have a new file called "server.csr", and the content of that file will be similar to the one shown at the beginning of this article.
From now on we can upload the CSR file to a Certificate Authority and request an SSL certificate.
Before uploading the CSR, we strongly advise verifying the generated CSR and checking that its contents match the information filled in the openssl.cnf file built previously.
To do that we use the following command:
openssl req -text -noout -in server.csr
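A scripted version of this check, added here as an example and not part of the original article: it builds a CSR from a trimmed copy of the configuration above, then confirms the self-signature, that the CSR was made from the expected private key, and that every expected name is in the SAN list. The function names and the DNS.1 = netostech.com entry are assumptions; the check goes one step beyond the text by also requiring the CN to appear in the SAN list, because current browsers match hostnames against the SAN entries and ignore the CN.

```shell
# Added example (not the article's code). Hostnames are the article's; the
# function names and the DNS.1 = netostech.com entry are assumptions.
# make_csr DIR BITS: write the key, a trimmed config and the CSR into DIR.
make_csr() {
    dir=$1; bits=$2
    ( umask 077; openssl genrsa -out "$dir/myserverkey.key" "$bits" 2>/dev/null )
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = netostech.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = netostech.com
DNS.2 = website2.netostech.com
EOF
    openssl req -new -out "$dir/server.csr" -key "$dir/myserverkey.key" -config "$dir/openssl.cnf"
}
# csr_cn CSR: print the subject CN.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# csr_sans CSR: print one SAN DNS name per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,]*' | sed 's/^DNS://; s/[[:space:]]*$//'
}

# check_csr CSR KEY NAME...: succeed only if the self-signature verifies, the
# CSR carries KEY's public key, and the CN plus every NAME are SAN entries.
check_csr() {
    csr=$1; key=$2; shift 2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "bad self-signature"; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "CSR was not made from this key"; return 1; }
    sans=$(csr_sans "$csr")
    [ -n "$sans" ] || { echo "no SAN entries"; return 1; }
    for name in "$(csr_cn "$csr")" "$@"; do
        echo "$sans" | grep -qxF -- "$name" || { echo "not in SAN: $name"; return 1; }
    done
    echo "ok"
}
```

Call make_csr with a working directory and a key size (4096 in this article), then check_csr with the CSR, the key and the hostnames you expect the certificate to cover.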
Generate CSR for single or multidomain website in old Windows versions
In Microsoft Windows this is one way to do it, but if you prefer there are tools with a graphical environment, since Microsoft provides tools for almost everything.
In Windows Server 2003, Windows Server 2003 R2 and Windows XP, the template (request.inf) presented here should be used.
In these Windows versions the SAN fields cannot be plain text; instead they must be specified Base64-encoded.
The string should be built like this: b.test.netostech.com,c.test.netostech.com
There are a lot of places on the internet where you can generate this encoding for the string.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject ="CN=a.test.netostech.com, OU=Your-organizationUnit, O=Organization_Name, L=Zone, S=cyty, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName ="Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[Extensions]
; 2003 Server
2.5.29.17=Yi50ZXN0Lm5ldG9zdGVjaC5jb20sYy50ZXN0Lm5ldG9zdGVjaC5jb20=
Critical=2.5.29.17
[RequestAttributes]
;-----------------------------------------------
Note: b.test.netostech.com,c.test.netostech.com in Base64 is Yi50ZXN0Lm5ldG9zdGVjaC5jb20sYy50ZXN0Lm5ldG9zdGVjaC5jb20=
Generate the CSR
Now open a DOS prompt with administrator privileges and run the following command in the directory where the request.inf file is.
certreq -new request.inf request.csr