Create key pair and certificate request
To create a certificate request, first use a plain text editor to create the following configuration file as xxx.cnf. You may want to change the details in the lines "organizationalUnitName_default" and "emailAddress_default", or increase the key size from 2048 to 4096 bits:
[ req ]
default_bits = 2048
default_keyfile = private.pem
distinguished_name = req_dn
[ req_dn ]
countryName = Country Code
countryName_value = DE
stateOrProvinceName = State or Province
stateOrProvinceName_value = Nordrhein-Westfalen
localityName = Locality
localityName_value = Muenster
organizationName = Organization Name
organizationName_value = Westfaelische Wilhelms-Universitaet Muenster
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
organizationalUnitName_default = Institut fuer Physikalische Theologie
commonName = Server Name (eg, www.uni-muenster.de)
commonName_min = 6
commonName_max = 64
commonName_default = xxx.uni-muenster.de
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = xxx@uni-muenster.de
To create a 2048-bit RSA key pair you can use this command:
openssl genrsa -out xxx.key
With this command the private key is written unprotected to the file xxx.key. If you want to protect the private key by encrypting it with a password, use this command instead:
openssl genrsa -des3 -out xxx.key
(Triple DES encryption is old, but it is portable and more than safe enough for this purpose.)
Please note: if you use an encrypted private key with a server, you will have to enter the key password each time the server is started.
To create a certificate request xxx.req for the existing key pair with the private key in xxx.key, you can then use this command:
openssl req -config xxx.cnf -new -key xxx.key -out xxx.req
If the private key was saved encrypted, you are asked for the password.
To create both a new key pair with the private key in xxx.key and a certificate request xxx.req for this key pair, you can use this command:
openssl req -config xxx.cnf -new -nodes -keyout xxx.key -out xxx.req
Or, without your own configuration file:
openssl req -new -newkey rsa:2048 -nodes -keyout xxx.key -out xxx.req
To save the private key encrypted with Triple DES, omit the option -nodes.
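The whole procedure above, run end to end as an added example (this script is not part of the original page): it writes a request configuration in the same style as the one shown, generates the key pair, creates the request for it, and then checks the result with openssl req -verify, which confirms that the request's self-signature matches the key that was just generated. The file names demo.cnf, demo.key and demo.req and the distinguished-name values are constructed for this demonstration. Two details differ from the interactive commands in the text: the key size is passed explicitly as the last argument to genrsa, so the result does not depend on the OpenSSL version's default, and req is run with -batch, which accepts the _default values from the configuration instead of prompting.

```shell
#!/bin/sh
# Added example, not from the original page: key pair and certificate request
# created non-interactively and then verified. File names and DN values are
# constructed for this demonstration.
set -eu

# Write a request configuration in the style of the page. Fields with a
# "_value" suffix are filled in without prompting; "_default" fields would
# prompt with that default, and -batch below accepts the default as given.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = private.pem
distinguished_name = req_dn
[ req_dn ]
countryName = Country Code
countryName_value = DE
stateOrProvinceName = State or Province
stateOrProvinceName_value = Nordrhein-Westfalen
localityName = Locality
localityName_value = Muenster
organizationName = Organization Name
organizationName_value = Example University
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
organizationalUnitName_default = Example Institute
commonName = Server Name (eg, www.example.org)
commonName_min = 6
commonName_max = 64
commonName_default = demo.example.org
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = demo@example.org
EOF
}

# Generate the RSA key pair, unencrypted, with the size given explicitly
# (older OpenSSL releases default to a smaller key when it is omitted).
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Create a certificate request for an existing key. -batch takes the
# _default values from the configuration instead of asking on stdin.
make_csr() {
    openssl req -config "$1" -new -batch -key "$2" -out "$3" 2>/dev/null
}

# Check a request before sending it to a CA: the self-signature must verify
# (so request and key belong together) and the subject must carry the
# expected common name. Returns 0 when both hold.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# Run the complete procedure in a scratch directory; returns 0 on success.
demo() {
    dir=$(mktemp -d)
    write_req_config "$dir/demo.cnf"
    make_key "$dir/demo.key"
    make_csr "$dir/demo.cnf" "$dir/demo.key" "$dir/demo.req"
    if check_csr "$dir/demo.req" "demo.example.org"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

check_csr is the step worth keeping in your own workflow: a request whose signature does not verify, or whose subject is not what you expect, is best caught before it reaches the CA. The grep pattern accepts both the "CN = name" form printed by current OpenSSL releases and the "/CN=name" form of older ones.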