Generate a new Certificate Signing Request (CSR)
Linux/Unix
Generate a new RSA key pair (e.g. 4096-bit) with openssl:
```
openssl genrsa -out private.pem 4096
```
Read more about recommended key lengths in the Technischen Richtlinien des BSI, or alternatively in "Cryptographic Key Length Recommendation".
Generate a new Certificate Signing Request (CSR) with openssl:
```
openssl req -new -key private.pem -out request.pem
```
Please note the following attributes (detailed information in the Certification Guidelines of the DFN-PKI):
Attribute | Abbreviation | Examples | Remarks |
---|---|---|---|
Country Name | C | DE | please use capital letters |
State or Province Name | ST | Nordrhein-Westfalen | Note the exact spelling! |
Locality Name | L | Aachen | Note the exact spelling! |
Organization Name | O | RWTH Aachen | Note the exact spelling! |
Organizational Unit Name | OU | not supported since Dec. 2021 | From December 2021 onwards, all OUs are automatically filtered out of the DN in CSRs submitted to the DFN-PKI. This is in compliance with the newest CA/Browser Forum requirements. |
Common Name | CN | www.rz.rwth-aachen.de, pop3.test.rwth-aachen.de | Name of the server as it is entered in the DNS. Other names must be entered as subjectAlternativeName (SAN). |
RFC conformity requires the presence of only one CN. All further FQDNs must be listed as Subject Alternative Names (subjectAltNames). You can achieve this with the following OpenSSL command under Unix/Linux:
```
openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=name.rwth-aachen.de" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:name1.rwth-aachen.de,DNS:name2.rwth-aachen.de"))
```
Windows system
Create a file csr.conf with the following content:
```
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
C=DE
ST=Nordrhein-Westfalen
L=Aachen
O=RWTH Aachen
CN=name1.domain.rwth-aachen.de

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = name1.domain.rwth-aachen.de
DNS.2 = name2.domain.rwth-aachen.de
```
Execute the OpenSSL command:
```
openssl req -new -key private.pem -config csr.conf -out request.pem
```
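The following script is an added example and not part of the original page or of the DFN-PKI/RWTH documentation. It generates a csr.conf of the kind shown above from a list of host names, after checking the DN rules from the attribute table (upper-case two-letter C, exactly one CN, no OU, every further FQDN as a SAN), and it also produces the `-subj` string and the `DNS:...,DNS:...` subjectAltName value used in the Linux one-liner. Because it goes through a config file it needs no bash process substitution, so the same procedure works on Windows and Linux. All DN values and host names are constructed sample data; the names `SubjectDN`, `validate`, `render_config`, `subject_string`, `san_extension_value` and `openssl_argv` are chosen for this example.

```python
"""Build an OpenSSL request config and command line for a multi-name server CSR.

Added example, not part of the original page. It generates the same kind of
csr.conf the page shows (prompt = no, a DN section, subjectAltName = @alt_names)
from a list of host names, after checking the page's DN rules: exactly one CN,
an upper-case two-letter country code, no OU, every FQDN also present as a SAN.
All DN values and host names below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class SubjectDN:
    country: str        # C
    state: str          # ST
    locality: str       # L
    organization: str   # O
    common_name: str    # CN, the primary DNS name of the server
    extra_names: List[str] = field(default_factory=list)  # further FQDNs, SAN only


def is_fqdn(name: str) -> bool:
    """True for a syntactically valid DNS host name such as name1.domain.rwth-aachen.de."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    return all(
        1 <= len(label) <= 63
        and re.fullmatch(r"[A-Za-z0-9-]+", label) is not None
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )


def validate(dn: SubjectDN) -> List[str]:
    """Return the list of rule violations; an empty list means the DN is acceptable."""
    problems = []
    if re.fullmatch(r"[A-Z]{2}", dn.country) is None:
        problems.append("C must be a two-letter upper-case country code, e.g. DE")
    for label, value in (("ST", dn.state), ("L", dn.locality), ("O", dn.organization)):
        if not value or value != value.strip():
            problems.append(f"{label} must be non-empty and must not start or end with whitespace")
    names = [dn.common_name, *dn.extra_names]
    for name in names:
        if not is_fqdn(name):
            problems.append(f"{name!r} is not a valid FQDN")
    if len({n.lower() for n in names}) != len(names):
        problems.append("host names must not repeat")
    return problems


def all_names(dn: SubjectDN) -> List[str]:
    """CN first, then the extra names: the CN is listed as a SAN too, as in the page's config."""
    return [dn.common_name, *dn.extra_names]


def subject_string(dn: SubjectDN) -> str:
    """The value for openssl's -subj option; '/', '+' and backslash inside a value are escaped."""
    def esc(v: str) -> str:
        return re.sub(r"([/+\\])", r"\\\1", v)
    parts = (("C", dn.country), ("ST", dn.state), ("L", dn.locality),
             ("O", dn.organization), ("CN", dn.common_name))
    return "".join(f"/{k}={esc(v)}" for k, v in parts)


def san_extension_value(dn: SubjectDN) -> str:
    """The subjectAltName value in the 'DNS:a,DNS:b' form used in the page's Linux command."""
    return ",".join(f"DNS:{n}" for n in all_names(dn))


def render_config(dn: SubjectDN) -> str:
    """Render csr.conf in the layout the page uses for Windows; raises on rule violations."""
    problems = validate(dn)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "[req]",
        "prompt = no",
        "distinguished_name = req_distinguished_name",
        "req_extensions = req_ext",
        "",
        "[req_distinguished_name]",
        f"C = {dn.country}",
        f"ST = {dn.state}",
        f"L = {dn.locality}",
        f"O = {dn.organization}",
        f"CN = {dn.common_name}",  # exactly one CN and no OU
        "",
        "[req_ext]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(all_names(dn), start=1)]
    return "\n".join(lines) + "\n"


def openssl_argv(key_path: str = "private.pem", config_path: str = "csr.conf",
                 out_path: str = "request.pem") -> List[str]:
    """argv for the page's config-file command; usable with subprocess.run on any OS."""
    return ["openssl", "req", "-new", "-key", key_path, "-config", config_path, "-out", out_path]


if __name__ == "__main__":
    sample = SubjectDN("DE", "Nordrhein-Westfalen", "Aachen", "RWTH Aachen",
                       "name1.domain.rwth-aachen.de", ["name2.domain.rwth-aachen.de"])
    print(render_config(sample))          # write this to csr.conf
    print(" ".join(openssl_argv()))       # then run this command
```

Write the rendered text to csr.conf and run the printed command with the private key from the first step; afterwards `openssl req -in request.pem -noout -text` shows the subject and the X509v3 Subject Alternative Name list, which should match what you intended to submit to the DFN-PKI before you upload the request. The CN is deliberately repeated as DNS.1 because clients validate the name against the SAN list, not the CN.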