In this article you’ll find how to generate a CSR (Certificate Signing Request) using OpenSSL from the Linux command line, without being prompted for the values which go in the certificate’s subject field.
Below you’ll find two examples of creating a CSR using OpenSSL.
In the first example, I’ll show how to create both the CSR and a new private key in one command.
In the second example, you’ll find how to generate a CSR from an existing key (if you already have the private key and want to keep it).
Both examples show how to create a CSR using OpenSSL non-interactively (without being prompted for the subject), so you can use them in shell scripts.
Use the following command to create a new private key 2048 bits in size (example.key) and generate a CSR (example.csr) from it:

| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -nodes | if a private key is created it will not be encrypted |
| -newkey | creates a new certificate request and a new private key |
| rsa:2048 | generates an RSA key 2048 bits in size |
| -keyout | the filename to write the newly created private key to |
| -out | specifies the output filename |
| -subj | sets the certificate subject |
Use the following command to generate a CSR (example.csr) from the private key (example.key):

| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -new | generates a new certificate request |
| -key | specifies the file to read the private key from |
| -out | specifies the output filename |
| -subj | sets the certificate subject |
The magic of CSR generation without being prompted for the values which go in the certificate’s subject field is in the -subj option.

| Option | Description |
|---|---|
| -subj arg | Replaces the subject field of the input request with the specified data and outputs the modified request. The arg must be formatted as /type0=value0/type1=value1/type2=…; characters may be escaped by \ (backslash); no spaces are skipped. |
The fields required in a CSR are listed below:

| Field | Meaning | Example |
|---|---|---|
| /C= | Country | GB |
| /ST= | State | London |
| /L= | Location | London |
| /O= | Organization | Global Security |
| /OU= | Organizational Unit | IT Department |
| /CN= | Common Name | example.com |
You’ve created an encoded file containing the certificate signing request.
Now you can decode the CSR to verify that it contains the correct information before sending it to a CA.
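The whole procedure above, as an added example script that is not part of the original article: it builds the subject from the example values in the fields table, creates the key and CSR in one command, creates a second CSR from the existing key, decodes each CSR to show its subject, and checks that the CSR's modulus matches the private key's. It requires the openssl CLI; the file names example.key and example.csr follow the article, and the temporary working directory is this script's own choice.

```shell
#!/bin/bash
# Added example (not from the original article): non-interactive CSR
# generation with the options and subject fields described above, then
# decoding the CSR to verify it. Requires the openssl CLI.
set -eu

# Subject assembled from the example values in the fields table.
SUBJECT="/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

# Example 1: create a new 2048-bit RSA private key and a CSR in one command.
# -nodes leaves the key unencrypted, so nothing prompts for a passphrase,
# and -subj supplies the subject, so nothing prompts for its fields.
make_key_and_csr() {     # make_key_and_csr <dir>
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$1/example.key" -out "$1/example.csr" \
        -subj "$SUBJECT" 2>/dev/null
}

# Example 2: create a CSR from an existing private key; the key is untouched.
make_csr_from_key() {    # make_csr_from_key <dir>
    openssl req -new -key "$1/example.key" -out "$1/example2.csr" \
        -subj "$SUBJECT"
}

# Decode the CSR and print only its subject line.
csr_subject() {          # csr_subject <csr file>
    openssl req -in "$1" -noout -subject
}

# Confirm the CSR really belongs to the private key: the public modulus
# embedded in the request must equal the key's modulus.
csr_matches_key() {      # csr_matches_key <csr file> <key file>
    local csr_mod key_mod
    csr_mod=$(openssl req -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$csr_mod" = "$key_mod" ]
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_key_and_csr "$WORK"
    make_csr_from_key "$WORK"
    csr_subject "$WORK/example.csr"
    csr_subject "$WORK/example2.csr"
    csr_matches_key "$WORK/example.csr" "$WORK/example.key" && echo "CSR and key match"
    # Full decoded view, the same check a CA operator would do on receipt.
    openssl req -in "$WORK/example.csr" -noout -text | head -n 12
else
    echo "openssl not found in PATH" >&2
fi
```

The modulus comparison is worth keeping in any CSR script: a CSR whose modulus differs from the key you intend to deploy will produce a certificate the server cannot use, and catching that before the CA signs it saves a reissue.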
For symmetric encryption, you can use the following:
To encrypt:
To decrypt:
For asymmetric encryption you must first generate your private key and extract the public key.
To encrypt:
To decrypt:
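Both encryption styles described above, as an added example that is not part of the original answer: a symmetric AES-256-CBC round trip of a file under a passphrase, then an RSA key pair generated, the public key extracted, and a short message encrypted to it and decrypted with the private key. It requires the openssl CLI; the file names and the passphrase are placeholders chosen for this example, and pkeyutl is used where the answer mentions rsautl, since rsautl is deprecated in OpenSSL 3 and pkeyutl does the same job.

```shell
#!/bin/bash
# Added example (not from the original answer): symmetric and asymmetric
# encryption with the openssl CLI, each followed by decryption.
set -eu

# --- Symmetric: one shared secret both encrypts and decrypts ----------------
# -pbkdf2 derives the key from the passphrase with PBKDF2 instead of the weak
# legacy derivation; -salt makes the derivation random per encryption.
sym_encrypt() {          # sym_encrypt <plain> <cipher> <passphrase>
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}
sym_decrypt() {          # sym_decrypt <cipher> <plain> <passphrase>
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# --- Asymmetric: generate the private key, extract the public key ----------
gen_rsa_keypair() {      # gen_rsa_keypair <private.pem> <public.pem>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}
# OAEP padding is requested explicitly rather than the PKCS#1 v1.5 default.
asym_encrypt() {         # asym_encrypt <public.pem> <plain> <cipher>
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep
}
asym_decrypt() {         # asym_decrypt <private.pem> <cipher> <plain>
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep
}

# Returns 0 when the decrypted file is byte-for-byte the original.
roundtrip_ok() {         # roundtrip_ok <original> <decrypted>
    cmp -s "$1" "$2"
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
    printf 'constructed sample plaintext\n' > "$WORK/plain.txt"   # constructed input

    sym_encrypt "$WORK/plain.txt" "$WORK/plain.enc" 'example-passphrase'
    sym_decrypt "$WORK/plain.enc" "$WORK/plain.dec" 'example-passphrase'
    roundtrip_ok "$WORK/plain.txt" "$WORK/plain.dec" && echo "symmetric round trip OK"

    gen_rsa_keypair "$WORK/private.pem" "$WORK/public.pem"
    asym_encrypt "$WORK/public.pem" "$WORK/plain.txt" "$WORK/plain.rsa"
    asym_decrypt "$WORK/private.pem" "$WORK/plain.rsa" "$WORK/plain.rsa.dec"
    roundtrip_ok "$WORK/plain.txt" "$WORK/plain.rsa.dec" && echo "asymmetric round trip OK"
else
    echo "openssl not found in PATH" >&2
fi
```

Passing the passphrase as pass: on the command line is convenient for a demonstration but shows up in process listings; in scripts prefer -pass file: or -pass env:.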
You can't directly encrypt a large file using rsautl. Instead, do the following:
1. Generate a key using openssl rand, e.g. openssl rand 32 -out keyfile.
2. Encrypt the key file using openssl rsautl.
3. Encrypt the data using openssl enc, using the generated key from step 1.

The ultimate solution for safe and highly secure encoding of any file with OpenSSL on the command line:
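The three-step hybrid scheme above, as an added example that is not part of the original answer. It first shows why the scheme is needed (direct RSA encryption of a file larger than the modulus fails), then generates a random key, RSA-encrypts only that key, and encrypts the bulk data symmetrically with it. It requires the openssl CLI; pkeyutl stands in for the deprecated rsautl, the key is generated as hex so it can be fed to openssl enc as a passphrase file, and all file names are placeholders for this example.

```shell
#!/bin/bash
# Added example (not from the original answer): hybrid encryption of a large
# file. RSA can only encrypt a message shorter than its modulus, so the data
# is encrypted with a random AES key and only that key is RSA-encrypted.
set -eu

gen_rsa_keypair() {      # gen_rsa_keypair <private.pem> <public.pem>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# The limitation itself: returns 0 when direct RSA encryption of the file fails.
direct_rsa_fails() {     # direct_rsa_fails <public.pem> <large file>
    ! openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out /dev/null 2>/dev/null
}

# hybrid_encrypt <public.pem> <plain> <out dir>
# Step 1: random 256-bit key (64 hex chars).  Step 2: RSA-encrypt the key
# file.  Step 3: AES-256-CBC encrypt the data, reading the key file as the
# passphrase (-pass file:) so it never appears on the command line; -pbkdf2
# turns that passphrase into the actual key and IV with a random salt.
hybrid_encrypt() {
    local pub="$1" plain="$2" out="$3"
    openssl rand -hex 32 > "$out/keyfile"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$out/keyfile" \
        -out "$out/keyfile.enc" -pkeyopt rsa_padding_mode:oaep
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$plain" -out "$out/data.enc" \
        -pass "file:$out/keyfile"
    rm -f "$out/keyfile"          # only keyfile.enc and data.enc are kept
}

# hybrid_decrypt <private.pem> <dir with keyfile.enc and data.enc> <plain out>
hybrid_decrypt() {
    local priv="$1" dir="$2" out="$3"
    openssl pkeyutl -decrypt -inkey "$priv" -in "$dir/keyfile.enc" \
        -out "$dir/keyfile.dec" -pkeyopt rsa_padding_mode:oaep
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$dir/data.enc" -out "$out" \
        -pass "file:$dir/keyfile.dec"
    rm -f "$dir/keyfile.dec"
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
    gen_rsa_keypair "$WORK/private.pem" "$WORK/public.pem"
    head -c 1048576 /dev/urandom > "$WORK/big.bin"   # constructed 1 MiB input
    direct_rsa_fails "$WORK/public.pem" "$WORK/big.bin" && echo "direct RSA encryption of 1 MiB fails, as expected"
    hybrid_encrypt "$WORK/public.pem" "$WORK/big.bin" "$WORK"
    hybrid_decrypt "$WORK/private.pem" "$WORK" "$WORK/big.dec"
    cmp -s "$WORK/big.bin" "$WORK/big.dec" && echo "hybrid round trip OK"
else
    echo "openssl not found in PATH" >&2
fi
```

The two files to deliver to the recipient are keyfile.enc and data.enc; the plaintext key file is deleted as soon as it has been used, so it never lingers on disk next to the ciphertext.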
Private key generation (encrypted private key):
With an unencrypted private key:
With an encrypted private key:
With an existing encrypted (or unencrypted) private key:
Encrypt binary file:
Encrypt text file:
What is what:
- smime — ssl command for the S/MIME utility (smime(1)).
- -encrypt — chosen method for file processing.
- -binary — use safe file processing. Normally the input message is converted to 'canonical' format as required by the S/MIME specification; this switch disables that. It is necessary for all binary files (like images, sounds, ZIP archives).
- -aes-256-cbc — chosen cipher, AES with a 256-bit key, for encryption (strong). If not specified, 40-bit RC2 is used (very weak). (Supported ciphers).
- -in plainfile.zip — input file name.
- -out encrypted.zip.enc — output file name.
- -outform DER — encode the output file as binary. If it is not specified, the file is encoded as base64 and the file size will be increased by 30%.
- yourSslCertificate.pem — file name of your certificate. That should be in PEM format.

That command can very effectively and strongly encrypt any file regardless of its size or format.
Decrypt binary file:
For text files:
What is what:
- -inform DER — same as -outform above.
- -inkey private.key — file name of your private key. That should be in PEM format and can be encrypted by password.
- -passin pass:your_password — (optional) your password for the encrypted private key.

Creating a signed digest of a file:
Verify a signed digest:
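Creating and verifying a signed digest, as an added example that is not part of the original answer: an RSA key pair is generated, a SHA-256 digest of a file is signed with the private key, the signature is verified with the public key, and a modified copy of the file is shown to fail verification. It requires the openssl CLI; file names are placeholders for this example.

```shell
#!/bin/bash
# Added example (not from the original answer): signed digest of a file with
# openssl dgst, plus verification and a tamper check.
set -eu

gen_rsa_keypair() {      # gen_rsa_keypair <private.pem> <public.pem>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# Hash the file with SHA-256 and sign the digest with the private key.
sign_file() {            # sign_file <private.pem> <file> <signature out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Recompute the digest and check the signature with the public key.
# Returns 0 on "Verified OK", non-zero on "Verification Failure".
verify_file() {          # verify_file <public.pem> <file> <signature>
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
    gen_rsa_keypair "$WORK/private.pem" "$WORK/public.pem"
    printf 'release-1.0.tar.gz contents (constructed)\n' > "$WORK/artifact"
    sign_file "$WORK/private.pem" "$WORK/artifact" "$WORK/artifact.sig"
    verify_file "$WORK/public.pem" "$WORK/artifact" "$WORK/artifact.sig" && echo "signature valid"
    # Flip one byte: the same signature must no longer verify.
    printf 'X' >> "$WORK/artifact"
    verify_file "$WORK/public.pem" "$WORK/artifact" "$WORK/artifact.sig" || echo "tampered file rejected"
else
    echo "openssl not found in PATH" >&2
fi
```

The signature binds to the digest of the exact bytes, so any change to the file, including a single appended byte, is detected; the public key used for verification must itself be obtained over a trusted channel, since a verifier holding an attacker's public key would accept the attacker's signatures.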