- In order to gain some time, you can now generate your command line with our CSR creation assistant tool. Just copy/paste to finalize! To install a certificate on Apache Windows, you will need a cryptographic tool to generate the private key and the CSR. To do so, you can use 'OpenSSL': Install OpenSSL on a Windows computer. 1- Generate the.
- You may also find it useful to generate another key for HMAC, so you can verify that the encrypted files haven't been tampered with. If you want to do that, you can generate a 128-bit HMAC key, and encrypt and store that with the main AES key.
- The num argument for openssl rand is interpreted as number of bytes, not number of bits. An AES-128 expects a key of 128 bit, 16 byte. To generate such a key, use OpenSSL as: openssl rand 16 myaes.key AES-256 expects a key of 256 bit, 32 byte.
When you run the command openssl enc -ciphers a list of supported ciphers is printed. In more recent versions of the OpenSSL utility the ciphers -id-aes256-wrap, -id-aes256-wrap-pad, and -aes256-wrap appear in that list. I believe these are implementations of the AES Key Wrapping algorithms specified in RFC3394, and RFC5649.
Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn’t need to be generated separately.
Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this article will show how to generate each of them.
Generating an RSA key
A RSA key can be used both for encryption and for signing and generating a key is quite easy, all you have to do is the following:
That will generate a private key with is password protected (it will prompt you for the password during generation). If you don’t want it password protected (usually for server side use) then leave the -des3 parameter out, i.e.:
Openssl Key Password
Generating a DSA key
A DSA key can be used for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for.
Generating a key for the DSA algorithm is a two-step process. First, you have to generate parameters from which to generate the key then to generate the key itself.
Again like RSA, 2048 is the size of the key, in bits with anything smaller than 2048 being insecure in todays standards.
Also the -des3 parameter will prompt you for a pass phrase – for server use leave it out:
In this article you’ll find how to generate CSR (Certificate Signing Request) using OpenSSL from the Linux command line, without being prompted for values which go in the certificate’s subject field.
Below you’ll find two examples of creating CSR using OpenSSL.
In the first example, i’ll show how to create both CSR and the new private key in one command.
And in the second example, you’ll find how to generate CSR from the existing key (if you already have the private key and want to keep it).
Both examples show how to create CSR using OpenSSL non-interactively (without being prompted for subject), so you can use them in any shell scripts.
Create CSR and Key Without Prompt using OpenSSL
Use the following command to create a new private key 2048 bits in size example.key and generate CSR example.csr from it:
| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -nodes | if a private key is created it will not be encrypted |
| -newkey | creates a new certificate request and a new private key |
| rsa:2048 | generates an RSA key 2048 bits in size |
| -keyout | the filename to write the newly created private key to |
| -out | specifies the output filename |
| -subj | sets certificate subject |
Generate CSR From the Existing Key using OpenSSL
Use the following command to generate CSR example.csr from the private key example.key:
| Option | Description |
|---|---|
| openssl req | certificate request generating utility |
| -new | generates a new certificate request |
| -key | specifies the file to read the private key from |
| -out | specifies the output filename |
| -subj | sets certificate subject |
Automated Non-Interactive CSR Generation
The magic of CSR generation without being prompted for values which go in the certificate’s subject field, is in the -subj option.
| -subj arg | Replaces subject field of input request with specified data and outputs modified request. The arg must be formatted as /type0=value0/type1=value1/type2=…, characters may be escaped by (backslash), no spaces are skipped. |
The fields, required in CSR are listed below:
| Field | Meaning | Example |
|---|---|---|
| /C= | Country | GB |
| /ST= | State | London |
| /L= | Location | London |
| /O= | Organization | Global Security |
| /OU= | Organizational Unit | IT Department |
| /CN= | Common Name | example.com |
You’ve created encoded file with certificate signing request.
Openssl Generate Private Key
Now you can decode CSR to verify that it contains the correct information.