Search notes:

openssl req

$ openssl req -new -out xyz.csr
Generating a RSA private key
...........................................................................+++++
.+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:zurich
Locality Name (eg, city) []:VVVVVV
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:somewhere.xy
Email Address []:webmaster@somewhere.xy

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ cat xyz.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICoTCCAYkCAQAwXDELMAkGA1UEBhMCY2gxDzANBgNVBAgMBnp1cmljaDEQMA4G
…
XcQTXKnAcP86M1tKMwlzokZlgA1K1qrVZuuHF1zVN2S8zQXCnXn5kc2BOBx03e0r
aiCCNcc=
-----END CERTIFICATE REQUEST-----

Hmmm… what now?

C:\> openssl req -new -out xyz.csr
#
# Can't open Z:/extlib/_2020Q3__/ssl/openssl.cnf for reading, No such file or directory
# 35872:error:02001003:system library:fopen:No such process:crypto/bio/bss_file.c:69:fopen('Z:/extlib/_2020Q3__/ssl/openssl.cnf','r')
# 35872:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

C:\> openssl req -config ..\..\conf\openssl.cnf -new -out xyz.csr
#
# Error configuring OpenSSL modules
# 33592:error:25078067:DSO support routines:win32_load:could not load the shared library:crypto/dso/dso_win32.c:108:filename(providers.dll)
# 33592:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
# 33592:error:0E07506E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:224:module=providers, path=providers
# 33592:error:0E076071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:165:module=providers

Using a given configuration file

csr.conf

FQDN               = somehwere.xy
ORGNAME            = ACME Inc.
ALTNAMES           = DNS:$FQDN , DNS:www.$FQDN

[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C                  = XY            # At most two characters
O                  = $ORGNAME
CN                 = $FQDN
 
[ req_ext ]
subjectAltName     = $ALTNAMES

Create the CSR

$ touch myserver.key
$ chmod 600 myserver.key
$ openssl req -new -config csr.conf -keyout server.key -out server.csr
>>
Generating a RSA private key
.....................+++++
....+++++
writing new private key to 'server.key'
-----

Examine csr file

In the following command, empty.conf references an empty (zero-byte) file:

$ openssl req -config empty.conf -in server.csr -noout -text -nameopt sep_multiline
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject:
            C=XY
            O=ACME Inc.
            CN=somehwere.xy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:bf:3f:dc:15:50:92:93:ce:da:af:a6:a0:5a:
                    …
                    e1:8f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:somehwere.xy, DNS:www.somehwere.xy
    Signature Algorithm: sha256WithRSAEncryption
         8d:ea:7a:0b:19:92:d0:36:d5:97:13:c1:8c:7e:90:b3:d0:b5:
         …
         38:1f:bc:fe

TODO

$ openssl asn1parse -in server.csr -inform PEM -i
$ openssl rsa       -in server.key -out priv.key
$ openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Index