
Generating certificate signing requests (.csr/.req) for server certificates

Certificate Signing Requests (CSRs) can be created with multiple tools. On this page, we describe the most commonly used ones - GnuTLS, OpenSSL, Java Keystore and Windows certutil.


Using OpenSSL, you can generate a private key and the related CSR on the command line. Replace FQHN with the Fully Qualified Host Name of the server. The command writes a 4096-bit RSA private key to FQHN.key and the request to FQHN.req; only the .req file is submitted to the CA, the key stays on the server.

openssl req -newkey rsa:4096 \
 -out FQHN.req \
 -keyout FQHN.key \
 -nodes \
 -subj '/CN=FQHN'

The parameter -nodes saves the private key without encryption (OpenSSL 3.0 calls this option -noenc; -nodes is still accepted). This is what most server applications need: an encrypted key has to be unlocked with its password at every start of the application, and an unattended restart may fail entirely. If you want the private key encrypted with a password, just leave out -nodes. In either case, restrict the permissions of FQHN.key to the account that runs the service (e.g. chmod 600), since anyone who can read the file can impersonate the server once the certificate is issued.

A request that carries the hostname only in the CN is not sufficient: browsers and most other TLS clients ignore the CN and validate the server name against the subjectAltName extension alone. Therefore add Subject Alternative Names (SANs) with the following command (the -addext option requires OpenSSL 1.1.1 or newer). The SAN list must contain the CN hostname itself as well as any further hostnames; make sure to change the hostnames to the ones you actually need. Every hostname must be prefixed with DNS:, and multiple entries must be separated by a comma. Before submitting the request, inspect it with openssl req -in FQHN.req -noout -text and check that the Subject and the X509v3 Subject Alternative Name section contain exactly the names you expect.

openssl req -newkey rsa:4096 \
 -out FQHN.req \
 -keyout FQHN.key \
 -nodes \
 -subj '/CN=FQHN' \
 -addext 'subjectAltName = DNS:FQHN,DNS:weiterer-hostname.ifmb.kit.edu,DNS:noch-ein-hostname.ifmb.kit.edu'
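As an added example that is not part of the KIT-CA page, the following POSIX shell function wraps the command above and performs the checks worth running before a request is submitted: it always places the CN host into the SAN list, creates key and CSR under a restrictive umask so the unencrypted key is never world-readable, verifies the CSR's self-signature (proof of possession of the key), confirms that the public key embedded in the CSR belongs to the private key on disk, and checks that every requested name appears in the SAN extension. The function name, its argument order and the example hostnames are assumptions; it needs OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not the KIT-CA page's own code).
# Assumptions: openssl >= 1.1.1 (for -addext) on PATH; the function name,
# argument order and all hostnames below are ours.

# gen_and_check_csr FQHN OUTDIR [EXTRA_SAN ...]
# Writes OUTDIR/FQHN.key and OUTDIR/FQHN.req. Returns non-zero if the CSR
# cannot be created, does not verify, does not match the key, or lacks a name.
gen_and_check_csr() {
    fqhn="$1"; outdir="$2"; shift 2
    key="$outdir/$fqhn.key"
    req="$outdir/$fqhn.req"

    # The CN host itself goes into the SAN first: clients validate the server
    # name against the SAN only, so a list of just the extra names would leave
    # the primary hostname unusable.
    san="DNS:$fqhn"
    for extra in "$@"; do
        san="$san,DNS:$extra"
    done

    # umask 077 in a subshell: the unencrypted key file is created 0600.
    ( umask 077 && openssl req -newkey rsa:4096 -nodes \
        -keyout "$key" -out "$req" \
        -subj "/CN=$fqhn" \
        -addext "subjectAltName=$san" >/dev/null 2>&1 ) || return 1

    # 1. The CSR's self-signature must verify.
    openssl req -in "$req" -noout -verify >/dev/null 2>&1 || return 1

    # 2. The public key inside the CSR must match the private key we deploy.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    req_pub=$(openssl req -in "$req" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$req_pub" ] || return 1

    # 3. Every requested name must show up in the subjectAltName extension.
    text=$(openssl req -in "$req" -noout -text 2>/dev/null) || return 1
    for name in "$fqhn" "$@"; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" || return 1
    done
    return 0
}

# Usage (constructed example hostnames):
#   gen_and_check_csr www.example.org ./out alias.example.org && echo "CSR OK"
```

The three checks catch the usual mistakes in practice: a request that was regenerated after the key was rotated (check 2), and a SAN list that was edited but silently lost the primary hostname (check 3).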


With GnuTLS, you can generate a private key and the related CSR on the command line. Replace FQHN with the Fully Qualified Host Name of the server.

Use the following command to generate the private key (add --bits 4096 if you want the same key size as in the OpenSSL example; otherwise certtool picks its own default). Restrict the permissions of the key file to the service account and keep it on the server:

certtool --generate-privkey --outfile FQHN.key

Create a template file named FQHN.txt containing the following content:

organization = "Karlsruhe Institute of Technology"
locality = "Karlsruhe"
state = "Baden-Wuerttemberg"
country = DE
cn = "FQHN"
dns_name = "FQHN"

To add Subject Alternative Names (SANs), append one dns_name line per additional hostname to the previously created template file FQHN.txt. Keep the dns_name = "FQHN" line: the CN hostname must itself be listed as a SAN, because TLS clients validate the server name against the SAN only.

dns_name = "additional-hostname.ifmb.kit.edu"
dns_name = "another-hostname.ifmb.kit.edu"

You can now create the CSR:

certtool --generate-request --hash SHA256 --no-text \
 --load-privkey FQHN.key \
 --template FQHN.txt \
 --outfile FQHN.req

Before submitting it, inspect the request with certtool --crq-info --infile FQHN.req and check that the subject and the Subject Alternative Name entries contain exactly the hostnames you expect.


With Java keytool (part of the JDK), you first need to generate a key pair (private and public key) inside a keystore. keytool prompts for a keystore password, which protects the private key; the application that later loads the keystore needs this password. The key pair is generated with the following command (-genkey is the older name of -genkeypair; both are accepted):

keytool -genkey \
 -alias FQHN \
 -dname "CN=FQHN" \
 -keyalg RSA \
 -keysize 4096 \
 -keystore FQHN.keystore

Using this key pair, you can now create the CSR. As with the other tools, the request should carry the hostnames as Subject Alternative Names, since TLS clients ignore the CN; keytool accepts them as -ext SAN=dns:FQHN,dns:another-hostname appended to the command below. The resulting FQHN.req is the only file submitted to the CA; the keystore stays on the server.

keytool -certreq \
 -alias FQHN \
 -file FQHN.req \
 -keystore FQHN.keystore


Important

No one at KIT-CA uses this method of CSR generation, therefore we have next to no experience with it. If there are any problems, it might help to check the official documentation (certreq.exe, certutil.exe).

On Windows, you can also create CSRs on the command line with certreq.exe. First, create a file named FQHN.txt with the following content. Exportable = TRUE allows the private key to be exported from the Windows key store later; set it to FALSE if the key should never leave the machine:

[NewRequest]
Exportable = TRUE
KeyLength = 4096
HashAlgorithm = sha256
MachineKeySet = TRUE
Subject = "CN=FQHN"
RequestType = PKCS10
UserProtected = FALSE

To add Subject Alternative Names (SANs), add an additional section [Extensions] to the previously created FQHN.txt with the required hostnames, one per _continue_ line, each written as "DNS=hostname&". The CN hostname itself must be included as well, because TLS clients validate the server name against the SAN only:

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=FQHN&"
_continue_ = "DNS=weiterer-hostname.ifmb.kit.edu&"
_continue_ = "DNS=noch-ein-hostname.ifmb.kit.edu&"

The CSR can now be generated with the following command. It overwrites any previously existing file named FQHN.req:

certreq -new FQHN.txt FQHN.req

You can inspect the generated CSR, and check that the Subject and the Subject Alternative Name entries contain the hostnames you expect, using:

certutil -dump FQHN.req