Generating certificate signing requests (.csr/.req) for server certificates
Certificate Signing Requests (CSRs) can be created with multiple tools. On this page, we describe the most commonly used ones — GnuTLS, OpenSSL, Java Keystore and Windows certutil.
Using OpenSSL (version 3.x required), you can generate a key and the related CSR using the command line. FQHN is the Fully Qualified Host Name.
openssl req -newkey EC -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve -noenc \
-out 'FQHN.req' \
-keyout 'FQHN.key' \
-subj '/CN=FQHN'
The parameter -noenc is used in order to save the private key without encryption. This is useful for most server applications. Otherwise, you will need to enter the password on every start of the application, or at worst render the application unable to start. In order to save the private key encrypted with a password, just leave out the -noenc parameter.
In order to add Subject Alternative Names (SANs), the following command can be used. Make sure to change the hostnames to the ones you actually need. Every hostname must be prefixed with DNS:, and multiple entries must be separated by a , (comma).
With GnuTLS, you can generate a key and the related CSR using the command line. FQHN is the Fully Qualified Host Name.
Use the following command in order to generate the private key:
Create a template file named FQHN.txt containing the following content:
organization = "Karlsruhe Institute of Technology"
locality = "Karlsruhe"
state = "Baden-Wuerttemberg"
country = DE
cn = "FQHN"
dns_name = "FQHN"
In order to add Subject Alternative Names (SANs), add additional dns_name lines to the previously created template file FQHN.txt:
You can now create the CSR:
First, you need to generate a key pair (private and public key). This is done with the following command:
keytool -genkey \
-alias 'FQHN' \
-dname 'CN=FQHN' \
-keyalg EC -groupname secp384r1 \
-keystore 'FQHN.keystore'
Using this keypair, you can now create the CSR:
Info
Nobody at KIT-CA uses this way of CSR generation, therefore we have next to no experience with it. If there are any problems, it might help to check out the official documentation (certreq.exe, certutil.exe).
On Windows, you can also create CSRs using the command line. In order to do so, you first need to create a file named FQHN.txt with the following content:
[NewRequest]
Exportable = TRUE
KeyAlgorithm = ECDSA_P384
HashAlgorithm = sha256
MachineKeySet = TRUE
Subject = "CN=FQHN"
RequestType = PKCS10
UserProtected = FALSE
In order to add Subject Alternative Names (SANs), add an additional section [Extensions] to the previously created FQHN.txt with the required hostnames (each between _continue_ = "DNS= and &"):
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=eiterer-hostname.ifmb.kit.edu&"
_continue_ = "DNS=och-ein-hostname.ifmb.kit.edu&"
The CSR can now be generated with the following command. This overwrites any previously existing file named FQHN.req with the new file.
You can look at the generated CSR using: