Generate a new Certificate Signing Request (CSR)

Linux/Unix

Generate a new RSA key pair (e.g. 4096-bit) with openssl:

openssl genrsa -out private.pem 4096

Read more about recommended key lengths in the Technische Richtlinien des BSI, or alternatively under "Cryptographic Key Length Recommendation".

Generate a new Certificate Signing Request (CSR) with openssl:

openssl req -new -key private.pem -out request.pem

Please note the following attributes (detailed information in the Certification Guidelines of the DFN-PKI):

| Attribute | Abbreviation | Examples | Remarks |
|---|---|---|---|
| Country Name | C | DE | Please use capital letters. |
| State or Province Name | ST | Nordrhein-Westfalen | Note the exact spelling! |
| Locality Name | L | Aachen | Note the exact spelling! |
| Organization Name | O | RWTH Aachen | Note the exact spelling! |
| Organizational Unit Name | OU | not supported since Dec. 2021 | From December 2021 onwards, all OUs will be automatically filtered out of the DN in CSRs submitted to the DFN-PKI. This is in compliance with the newest CA/Browser Forum requirements. |
| Common Name | CN | www.rz.rwth-aachen.de, pop3.test.rwth-aachen.de | Name of the server as it is entered in the DNS. Other names should be entered as subjectAlternativeName (SAN). |

RFC conformity requires the presence of only one CN. All further FQDNs must be listed as Subject Alternative Names (subjectAltNames). You can achieve this with the following OpenSSL command under Unix/Linux:

openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=name.rwth-aachen.de" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:name1.rwth-aachen.de,DNS:name2.rwth-aachen.de"))
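
The following added example (not part of the original page) writes a small config file instead of relying on the location of /etc/ssl/openssl.cnf and on bash process substitution, generates the key and CSR, and then checks the CSR before submission: the signature verifies, the subject has exactly one CN and no OU, and every name is present as a SAN. The function names make_csr and check_csr and the host names used with them are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Host names are constructed sample values.

# make_csr DIR BITS CN [SAN...]
# Writes DIR/private.pem, DIR/csr.conf and DIR/request.pem. The CN is also
# listed as the first DNS SAN; no OU is set, since the CA filters OUs out.
make_csr() {
    local dir="$1" bits="$2" cn="$3" i=1 name
    shift 3
    # umask 077 keeps the private key unreadable for other users.
    ( umask 077; openssl genrsa -out "$dir/private.pem" "$bits" 2>/dev/null ) || return 1
    {
        printf '[req]\nprompt = no\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\n\n[req_distinguished_name]\n'
        printf 'C=DE\nST=Nordrhein-Westfalen\nL=Aachen\nO=RWTH Aachen\nCN=%s\n\n' "$cn"
        printf '[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/csr.conf"
    openssl req -new -key "$dir/private.pem" -config "$dir/csr.conf" -out "$dir/request.pem"
}

# check_csr FILE NAME...
# Returns 0 only if the CSR self-signature verifies, the subject holds exactly
# one CN and no OU, and every NAME appears as a DNS entry in subjectAltName.
check_csr() {
    local csr="$1" subject sans name
    shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "signature check failed" >&2; return 1; }
    subject=$(openssl req -in "$csr" -noout -subject -nameopt multiline)
    [ "$(printf '%s\n' "$subject" | grep -c 'commonName')" -eq 1 ] ||
        { echo "subject must contain exactly one CN" >&2; return 1; }
    if printf '%s\n' "$subject" | grep -q 'organizationalUnitName'; then
        echo "subject contains an OU" >&2; return 1
    fi
    # The SAN values are on the line after the extension name in -text output.
    sans=$(openssl req -in "$csr" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" ||
            { echo "missing SAN: $name" >&2; return 1; }
    done
}
```

After sourcing the file, call make_csr with a target directory, the key size (4096 as above), the CN and any further names, then run check_csr on the resulting request.pem with the same names.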

Windows system

Create a file named csr.conf with the following content:

prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
C=DE
ST=Nordrhein-Westfalen
L=Aachen
O=RWTH Aachen
CN=name1.domain.rwth-aachen.de

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = name1.domain.rwth-aachen.de
DNS.2 = name2.domain.rwth-aachen.de

Then execute the OpenSSL command:

openssl req -new -key private.pem -config csr.conf -out request.pem
 

last changed on 03/30/2022

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License