Generate a new Certificate Signing Request (CSR)
This guide shows you how to generate a new certificate signing request using OpenSSL on Windows or Linux/Unix operating systems.
Generate a new RSA key pair (e.g. 4096-bit) with openssl:
openssl genrsa -out private.pem 4096 (Not recommended as the key is generated without a password!)
Better alternative, which generates a key with a password:
openssl genrsa -aes128 -passout pass:<passwordgoeshere> -out private.pem 4096
Read more about recommended keys lengths in the Technischen Richtlinien des BSI, alternatively on "Cryptographic Key Length Recommedation"
Generate a new Certificate Signing Request (CSR) with openssl (interactively):
openssl req -new -key private.pem -out request.pem
Please note the following attributes (detailed information in the Certification Guidelines of the DFN-PKI):
| PKI | Attribute | Abbreviation | Examples | Remarks |
|---|---|---|---|---|
| all PKIs | Country Name | C | DE | use capital letters! |
| not for the DFN Grid-PKI | State or Province Name | ST | Nordrhein-Westfalen | Note the exact spelling! |
| not for the DFN Grid-PKI not for the Harica PKI | Locality Name | L | Aachen | Note the exact spelling! |
| Sectigo/Harica PKIs | Organization Name | O | RWTH Aachen University | Note the exact spelling! |
| DFN-Verein Community PKI | Organization Name | O | RWTH Aachen | Note the exact spelling! |
| DFN Grid-PKI | Organization Name | O | GridGermany | Note the exact spelling! |
| only for the DFN Grid-PKI | Organisational Unit | OU | RWTH Aachen | Note the exact spelling! |
| all PKIs | Common Name | CN | www.rz.rwth-aachen.de
pop3.test.rwth-aachen.de | Name of the server as found in DNS. Other FQDNs may be specified as subjectAlternativeName (SaN). |
RFC conformity requires the presence of only one CN.
All further FQDNs must be listed als Subject Alternative Names (subjectAltNames).
You can achieve this with a single OpenSSL command under Unix/Linux:
| Harica CA | openssl req -new -utf8 -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de" |
| Sectigo CA | openssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de" |
| DFN-Verein Community CA | openssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de" |
| DFN Grid-PKI | openssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/O=GridGermany/OU=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de" |
| Windows User (example with Sectigo CA values) | |
| create csr.conf, with input: |
|
execute OpenSSL command: | openssl req -new -key private.pem -config csr.conf -out request.pem |
Further Steps:
- upload your CSR into ra-portal.itc.rwth-aachen.de
- upload your CSR into the DFN-Verein Community PKI
- upload your CSR into the DFN Grid-PKI
