How to generate a Certificate Signing Request (CSR)

Overview

As part of establishing TLS/SSL (Transport Layer Security/Secure Sockets Layer) for your server communication, you will need to install a signed certificate that verifies the identity of your server. You do this by generating a Certificate Signing Request (CSR), which is a file containing information about your server that functions as a request for a signed certificate.

Usually, you send the CSR to a Certificate Authority in order to receive a trusted signed certificate that browsers can verify when they connect to your server. You can also sign the CSR yourself, but browsers will then display warning messages to users attempting to reach your server until they explicitly grant their browsers permission to communicate with it. For this reason, self-signing is recommended only for testing purposes or for servers that only need to be reached internally.

Use the following instructions to generate a CSR for your server. To generate a CSR in IIS on Windows, see the following article: How to generate a CSR (Certificate Signing Request) using IIS.

Environment

  • Operating System: Windows, Linux, Mac OS X

Instructions

1. (Windows Only Step)
Create a working directory by using the following commands in a Command Prompt window:

cd c:\
mkdir ssl
cd c:\ssl


Copy the file openssl.cnf to your working directory with the following command, replacing <product name> with the name of your product (for example, Enterprise Server):

copy "C:\Program Files (x86)\Aspera\<product name>\etc\openssl.cnf" "C:\ssl\"

 

2. Generate your private key and Certificate Signing Request (CSR) for your server using OpenSSL.

Use the following commands, where key_name.key is the name of the private key you are creating and csr_name.csr is the name of your CSR:

Linux and Mac OS X
openssl req -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr

Windows
openssl req -config "c:\ssl\openssl.cnf" -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr


After entering this command, you will be prompted for information that becomes the attributes of your X.509 certificate. Note the following while entering this information:

  • The common name entry must be filled with the fully qualified domain name (FQDN) of your server in order for it to be protected by TLS/SSL. For example, if your server is at server.example.com, use this entire name, not just example.com.
  • If you are generating a certificate for an organization outside the US, use the appropriate two-letter ISO country code. For a list of ISO codes, see https://www.iso.org/obp/ui/#search
  • You will be prompted to enter “extra” attributes, including an optional challenge password. It can be problematic in some situations to manually enter a challenge password when starting the server, so you can skip entering one by pressing Enter.


The private key and CSR will be saved to your root directory. If you make a mistake during this step, you can delete the generated files and run the command again.

3. (optional) Send your CSR to a trusted Certificate Authority.

4. (optional) If you will not be sending your CSR to a Certificate Authority, or are waiting for your trusted signed certificate to be sent to you, you can generate a self-signed certificate with the command below. The resulting certificate is valid for 365 days. Replace my_csr_name.csr with the name of your CSR, my_key_name.key with the name of the private key used to create the CSR, and my_cert_name.crt with your desired signed certificate name:

openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
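
Before sending the CSR in step 3, it is worth confirming that it verifies, carries the full FQDN as its common name, was made from the key you intend to install, and that the unencrypted key (a consequence of -nodes) is not readable by other users. The script below is an added example, not part of the original article; it runs the step 2 command non-interactively with -subj, and the file names and the O= value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. File names and the O= value
# are placeholders; server.example.com is the article's sample FQDN.

# make_csr <fqdn> <key_file> <csr_file>: step 2 without the interactive prompts.
make_csr() {
    # -nodes writes the private key unencrypted, so create it owner-only.
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 \
          -subj "/C=US/O=Example Org/CN=$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

# csr_cn <csr_file>: print the common name stored in the CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_csr <fqdn> <key_file> <csr_file>: return 0 only if every check passes.
check_csr() {
    rc=0
    # 1. The CSR's self-signature must verify (the file is intact).
    openssl req -in "$3" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; rc=1; }
    # 2. The common name must be the server's full FQDN.
    [ "$(csr_cn "$3")" = "$1" ] ||
        { echo "FAIL: common name is '$(csr_cn "$3")', expected '$1'"; rc=1; }
    # 3. The CSR must carry the public half of this private key.
    pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$pub" ] &&
        [ "$pub" = "$(openssl req -in "$3" -noout -pubkey 2>/dev/null)" ] ||
        { echo "FAIL: CSR was not made from this key"; rc=1; }
    # 4. The unencrypted key must not be accessible to group or others.
    [ "$(ls -l "$2" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: key file is accessible to group or others"; rc=1; }
    return $rc
}

# Demo in a scratch directory that is removed afterwards.
demo_dir=$(mktemp -d)
make_csr server.example.com "$demo_dir/key_name.key" "$demo_dir/csr_name.csr" &&
    check_csr server.example.com "$demo_dir/key_name.key" "$demo_dir/csr_name.csr" &&
    echo "CSR passed all checks"
rm -rf "$demo_dir"
```

On Windows, run the same openssl commands with the -config option shown in step 2; the permission check in item 4 applies to Linux and Mac OS X only.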