Shulou(Shulou.com)06/01 Report--

How to generate csr files

CSR,Certificate Signing Request is a necessary step in making a SSL certificate. A CSR file describes the SSL certificate holder's information (such as personal name or company name), contact address, etc., which is used to verify that the SSL certificate and domain name are held by the same person to ensure the legitimacy of the website.

Before applying for a digital certificate, you must create a certificate private key and a certificate request file (CSR,Cerificate Signing Request). CSR is the original file of your public key certificate, which contains your server information and your organization information, and needs to be submitted to CA certification authority. The private key file will be generated when the CSR file is generated. Please take good care of and back up your private key.

When generating CSR files, you generally need to enter the following information (UTF8 encoding is required in Chinese):

Organization Name (O): the legal name of the applicant, which can be in Chinese or English

Organization Unit (OU): the department of the applicant, which can be in Chinese or English

Country Code (C): the country to which the applicant belongs, which can only be a two-letter country code, for example, China can only be: CN

State or Province (S): the name of the province or state where the applicant is located, which can be in Chinese or English

Locality (L): the name of the city where the applicant is located, which can be in Chinese or English

Common Name (CN): the specific domain name of the website applying for the SSL certificate

one。 Use the OpenSSL tool to generate the CSR file:

Openssl req-new-nodes-sha256-newkey rsa:2048-keyout myprivate.key-out mydomain.csr

-new specifies to generate a new CSR,nodes specifies that the private key file is not encrypted, sha256 specifies the digest algorithm, keyout generates the private key, newkey rsa:2048 specifies the private key type and length, and finally generates the CSR file mydomain.csr.

The information you need to enter is as follows:

Field description example Country NameISO country code (two characters) CNState or Province Name province ZheJiangLocality Name city HangZhouOrganization Name company name HangZhou xxx Technologies, Inc.Organizational Unit Name department name IT Dept.Common Name domain name for certificate application www.example.comEmail Address does not need to be entered A challenge password

After completing the input of the command prompt, two files, myprivate.key (private key file) and mydomain.csr (CSR, certificate request file) are generated in the current directory.

When using the openssl tool to generate Chinese certificates, you need to pay attention to the Chinese encoding format, use utf8 encoding, and specify to support the utf8 format when compiling the openssl tool.

If there is a need for Chinese, it is recommended that you use the keytool tool.

Use the keytool tool to generate the CSR file: 1. The certificate file keystore contains the key. Please refer to the mainstream digital certificate format for the key export method.

Keytool-genkey-alias mycert-keyalg RSA-keysize 2048-keystore / mydomain.jks

Keyalg is the key type, must be RSA, keysize is the key length of 2048, alias is the certificate alias customizable, and keystore is the path to save the certificate file.

First enter the certificate protection password, and then enter:

Problem description example What is your first and last name? The domain name www.example.comWhat is the name of your organizational unit that applied for the certificate? Department name IT Dept.What is the name of your organization? Company name HangZhou xxx Technologies,Ltd.What is the name of your City or Locality? HangZhouWhat is the name of your State or Province in the city? Province ZheJiangWhat is the two-letter country code for this unit?ISO country code (two characters) CN

After the input is complete, confirm that the input is correct: [no]: y (enter Y)

Then prompt for the key password, which can be the same as the certificate password, and press enter directly if it is consistent.

2 generate a certificate request through the certificate file:

Keytool-certreq-sigalg SHA256withRSA-alias mycert-keystore. / mydomain.jks-file. / mydomain.csr

Sigalg is the summary algorithm, using SHA256withRSA, alias is the alias, which must be the same as the alias in step 2.1.The keystore is the certificate file, file is the certificate request file (CSR), and then prompt for the certificate password to generate the mydomain.csr.

It should be noted that we have a strict requirement on the key length of CSR, which is 2048 bits, and the key type must be RSA. If the application certificate is a multi-domain name or a wildcard subdomain name, click "Common Name" or "What is your first and last name?" You only need to enter one domain name in the field (you can enter "* .example.com" for wildcard subdomains, etc.).

2. Apache generates certificate request file (CSR file)

(1) method 1 (through tools)

This method is very simple, through our [Digital Certificate tool-> online generate CSR tool] to generate CSR:

1. Enter relevant parameters

2. Click the "generate CSR" button. If the above parameter OK, the following conversion result appears, and then copy or download the corresponding CSR file (certreq.csr) and Key file (mykey.key).

(if the above "mailbox" parameter is filled in, the server automatically sends the resulting CSR file and the corresponding Key file to your mailbox)

3. Back up the private key and submit the certificate request (CSR)

Send the generated certreq.csr file to the EVTrust support@evtrust.com mailbox, back up the mykey.key file, and wait for the certificate to be issued.

(note: do not delete the mykey.key file before you receive the certificate issuance email and deploy the SSL to avoid the loss of the private key and the certificate cannot be installed. )

(2) method 2 (through the command line)

The method is based on the command line and is generated by the openssl tool:

(the bold part of the example is customizable and can be modified according to the actual configuration.)

1. Install openssl

To download the openssl installation package, please refer to the official openssl website: http://www.openssl.org/source/; or other websites that provide downloads.

2. Generate a private key

Openssl genrsa-out D:\ mykey.key 2048

# run the openssl command to generate a 2048-bit long private key mykey.key file. If you need to add a protection password to mykey.key, use the-des3 extension command. Encrypted private key is not supported in Windows environment. When using encrypted private key in Linux environment, you need to enter the private key password every time you restart Apache (for example: openssl genrsa-des3-out mykey.key 2048).

3. Generate a certificate request file (CSR)

Openssl req-new-subj "/ CN=www.evtrust.com/OU=" IT Dept "/ O =" Shenzhen EVTrust Co.,Ltd. "/ L=Shenzhen/ST=Guangdong/C=CN"-key D:\ mykey.key-out D:\ certreq.csr

Or

Openssl req-new-key D:\ mykey.key-out D:\ certreq.csr # after entering the command, exit the car

-> Country Name: # the ISO standard code of your country. China is CN.

-> State or Province Name: / / the province / autonomous region / municipality directly under the Central Government where your unit is located, such as Guangdong

-> Locality Name: / / the city / county / district where your company is located, for example: Shenzhen

-> Organization Name: / / legal name of your organization / organization / enterprise, such as Shenzhen EVTrust Co.,Ltd.

-> Organizational Unit Name: / / Department name, for example: IT Dept

-> Common Name: / / common name, such as www.evtrust.com; this must exactly match the domain name used when you access the server that provides the SSL service.

-> Email Address: / / your email address. You don't need to enter it. Just enter and skip it.

-> "extra" attributes / / the following information does not need to be entered. Enter skip until the command is executed.

4. Back up the private key and submit the certificate request (CSR)

Send the generated certreq.csr file to the EVTrust support@evtrust.com mailbox, back up the mykey.key file, and wait for the certificate to be issued.

(note: do not delete the mykey.key file before you receive the certificate signing email and deploy the SSL to avoid losing the private key.

Global trusted CA institutions

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.