
Generate a new Certificate Signing Request (CSR)

This guide shows you how to generate a new certificate signing request using OpenSSL on Windows or Linux/Unix operating systems.


Linux/Unix

Generate a new RSA key pair (e.g. 4096-bit) with openssl:

openssl genrsa -out private.pem 4096

Not recommended: the key is written to disk unencrypted, without a passphrase.

Better alternative, which protects the key with a passphrase:

openssl genrsa -aes128 -out private.pem 4096

OpenSSL then prompts for the passphrase. You can also pass it on the command line (openssl genrsa -aes128 -passout pass:<passwordgoeshere> -out private.pem 4096), but a passphrase given as an argument ends up in the shell history and is visible to other users in the process list; prefer the interactive prompt, or -passout file:<file> with a file that is readable only by you.

Read more about recommended key lengths in the BSI Technical Guidelines (Technische Richtlinien des BSI), or alternatively in "Cryptographic Key Length Recommendation".

Generate a new Certificate Signing Request (CSR) with openssl (interactively):

openssl req -new -key private.pem -out request.pem

Please note the following attributes (detailed information in the Certification Guidelines of the DFN-PKI):

PKI                        | Attribute               | Abbr. | Example                  | Remarks
---------------------------+-------------------------+-------+--------------------------+--------------------------------------
all PKIs                   | Country Name            | C     | DE                       | use capital letters!
not for the DFN Grid-PKI   | State or Province Name  | ST    | Nordrhein-Westfalen      | note the exact spelling!
not for the DFN Grid-PKI,  | Locality Name           | L     | Aachen                   | note the exact spelling!
not for the Harica PKI     |                         |       |                          |
Sectigo/Harica PKIs        | Organization Name       | O     | RWTH Aachen University   | note the exact spelling!
DFN-Verein Community PKI   | Organization Name       | O     | RWTH Aachen              | note the exact spelling!
DFN Grid-PKI               | Organization Name       | O     | GridGermany              | note the exact spelling!
only for the DFN Grid-PKI  | Organisational Unit     | OU    | RWTH Aachen              | note the exact spelling!
all PKIs                   | Common Name             | CN    | www.rz.rwth-aachen.de,   | name of the server as found in DNS;
                           |                         |       | pop3.test.rwth-aachen.de | other FQDNs go into the subjectAltName (SAN)

RFC conformity requires the presence of only one CN.

All further FQDNs must be listed as Subject Alternative Names (subjectAltNames). Note that modern clients match the server name against the SAN list only and ignore the CN, so the name in the CN must be repeated as a SAN entry as well; the commands below do this by listing the CN as the first DNS entry.

You can achieve this with a single OpenSSL command under Unix/Linux (the -addext option requires OpenSSL 1.1.1 or newer; private.pem is the key generated above). The Harica variant deliberately omits the Locality (L) and uses -utf8 for the subject, as listed in the table:

Harica CA:
openssl req -new -utf8 -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

Sectigo CA:
openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

DFN-Verein Community CA:
openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

DFN Grid-PKI:
openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/O=GridGermany/OU=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

Before submitting, inspect the request with openssl req -in request.pem -noout -text and check that the subject and the SAN list are exactly what the CA expects.

Windows users (example with Sectigo CA values)
Create a file csr.conf with the following content. [req] is the section that openssl req reads its settings from; prompt = no takes the subject from the file instead of asking interactively, and req_extensions pulls in the SAN list. The same file also works on Linux/Unix:

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
C=DE
ST=Nordrhein-Westfalen
L=Aachen
O=RWTH Aachen University
CN=name1.domain.rwth-aachen.de

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = name1.domain.rwth-aachen.de
DNS.2 = name2.domain.rwth-aachen.de

Then execute the OpenSSL command:

openssl req -new -key private.pem -config csr.conf -out request.pem
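The Linux/Unix procedure above (passphrase-protected key, CSR with SANs) and the config-file variant from this Windows section, combined into one script that also checks the result before it is submitted, as an added example that is not from the original page. It assumes OpenSSL 1.1.1 or newer on the PATH, uses the page's placeholder host names with the Sectigo CA subject values, and reads the key passphrase from the CSR_PASSPHRASE environment variable (an assumption of this example) rather than from the command line; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): generate a passphrase-protected
# RSA key and a CSR with SANs from a config file, then check the CSR before it
# is submitted. Assumes OpenSSL >= 1.1.1 on PATH; host names and subject values
# are the page's placeholders. Usage: CSR_PASSPHRASE=... sh csr.sh /path/to/workdir
set -e

# gen_key KEYFILE PASSFILE: 4096-bit RSA key, AES-256 encrypted. The passphrase
# is read from a file instead of being passed as -passout pass:..., so it does
# not end up in the shell history or in `ps` output.
gen_key() {
    openssl genrsa -aes256 -passout "file:$2" -out "$1" 4096
}

# write_conf CONF CN SAN...: write a csr.conf with the Sectigo CA subject values.
# [req] is the section `openssl req` reads; prompt = no makes it non-interactive.
write_conf() {
    conf="$1"; cn="$2"; shift 2
    {
        printf '[req]\nprompt = no\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\n\n[req_distinguished_name]\n'
        printf 'C = DE\nST = Nordrhein-Westfalen\nL = Aachen\nO = RWTH Aachen University\n'
        printf 'CN = %s\n\n[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n' "$cn"
        i=1
        for san in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$conf"
}

# gen_csr KEYFILE PASSFILE CONF CSRFILE: create the request (key passphrase from file).
gen_csr() {
    openssl req -new -key "$1" -passin "file:$2" -config "$3" -out "$4"
}

# check_csr CSRFILE: return 0 only if the request's self-signature verifies, the
# key is at least 4096 bits, and the CN is repeated in the SAN list (clients match
# the server name against the SAN only, so a CN that is missing there is useless).
check_csr() {
    csr="$1"
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "check_csr: self-signature does not verify" >&2
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 4096 ]; then
        echo "check_csr: key has only ${bits:-?} bits" >&2
        return 1
    fi
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # The SAN values are printed on the line after the "Subject Alternative Name" header.
    if ! printf '%s\n' "$text" |
         awk '/Subject Alternative Name/ { getline; print; exit }' |
         tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$cn"; then
        echo "check_csr: CN $cn is not listed as a SAN" >&2
        return 1
    fi
    echo "check_csr: $csr OK (CN=$cn, $bits-bit key)"
}

# make_and_check_csr WORKDIR: the whole pipeline. The passphrase comes from the
# CSR_PASSPHRASE environment variable (assumption: set by the caller).
make_and_check_csr() {
    dir="$1"
    if [ -z "${CSR_PASSPHRASE:-}" ]; then
        echo "make_and_check_csr: CSR_PASSPHRASE is not set" >&2
        return 1
    fi
    umask 077                                   # key and passphrase file: owner-only
    printf '%s\n' "$CSR_PASSPHRASE" > "$dir/pass.txt"
    gen_key "$dir/private.pem" "$dir/pass.txt" || return 1
    write_conf "$dir/csr.conf" fqdn1.domain.rwth-aachen.de \
        fqdn1.domain.rwth-aachen.de fqdn2.domain.rwth-aachen.de
    gen_csr "$dir/private.pem" "$dir/pass.txt" "$dir/csr.conf" "$dir/request.pem" || return 1
    check_csr "$dir/request.pem"
}

if [ $# -ge 1 ]; then
    make_and_check_csr "$1"
fi
```

Run it as CSR_PASSPHRASE='...' sh csr.sh /path/to/workdir; private.pem and request.pem end up in the work directory with owner-only permissions. check_csr rejects a request whose CN is not repeated in the SAN list, which is the mistake that clients matching on SAN only would later report as a name mismatch.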

Further Steps:


last changed on 01/24/2025


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License