Generating an SSL Cert CSR Using OpenSSL

Earlier we talked about using certbot to generate a Let's Encrypt SSL cert. These certificates, while free (very cool), are only valid for 90 days (not so cool). This may be an issue for some departments, as the prospect of regenerating a certificate every 3 months is sort of a pain.

So this week, let's go over how to generate an SSL certificate the traditional (non-free) way, using OpenSSL on Unix/Linux systems. This information is available in a variety of places, but it's fragmented and not really set up for the Banner admin.

  1. Verify you have OpenSSL installed.
  2. Open a terminal window (you DO NOT need root access for this).
  3. Type the following command:

     openssl req -out my.csr -new -newkey rsa:2048 -keyout my.key

You will then be prompted to answer a series of questions about your institution and hostname:


titan $ openssl req -out my.csr -new -newkey rsa:2048 -keyout my.key 
Generating a 2048 bit RSA private key
.................+++
............................................................................................................................................+++
writing new private key to 'my.key'
Enter PEM pass phrase:   <== enter a pass phrase for the private key; we will remove it later, but you need one to proceed.
Verifying - Enter PEM pass phrase: <== confirm it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:HL
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nyquest Consulting, LLC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:honolulu.nyquest.com  <== enter your server name here. For a wildcard cert, type *.domain. And yes, I really want to go to Hawaii today...
Email Address []:jchung@nyquest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  <== leave blank 
An optional company name []:  <== leave blank 
titan $ ls
my.csr	my.key

This will generate two files: the certificate signing request (which carries the public key) and the private key (my.csr and my.key, respectively). However, the private key will have a pass phrase on it, which I find annoying. To remove it, do the following:


titan $ openssl rsa -in my.key -out my_clear.key 
Enter pass phrase for my.key:  <== type the pass phrase you entered above
writing RSA key


You will now have a key file with no pass phrase on it (my_clear.key). Take the CSR and have it signed by a certificate authority (e.g. RapidSSL, which costs money) to produce the final certificate, and then you are done!
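The two steps above, run non-interactively and followed by the checks worth doing before a CSR is sent off to a CA, as an added example that is not part of the original post. It passes the DN with -subj and the pass phrase with -passout/-passin instead of answering the prompts, and then verifies the CSR's self-signature, confirms the CSR really belongs to the key you are about to install, and confirms a subjectAltName is present (browsers ignore the CN on its own). It assumes OpenSSL 1.1.1 or newer for -addext; every hostname, DN value and pass phrase in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's two steps
# non-interactively (-subj/-passout instead of the prompts) and then checks
# the result. Assumes OpenSSL 1.1.1 or newer (for -addext); every hostname,
# DN value and pass phrase below is a constructed placeholder.
set -eu

# make_csr KEYFILE CSRFILE FQDN PASSPHRASE
#   Step 1 of the post: a new 2048-bit RSA key (encrypted with PASSPHRASE)
#   and a CSR. The DN goes in via -subj, and -addext adds a subjectAltName,
#   which browsers require alongside the CN. For a wildcard request use
#   '*.example.com' as both the CN and the DNS entry.
make_csr() {
    key="$1"; csr="$2"; fqdn="$3"; pass="$4"
    openssl req -new -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -passout "pass:${pass}" \
        -subj "/C=US/ST=HI/L=Honolulu/O=Example Org/OU=IT/CN=${fqdn}/emailAddress=admin@example.com" \
        -addext "subjectAltName=DNS:${fqdn}" 2>/dev/null
}

# strip_passphrase KEYFILE OUTFILE PASSPHRASE
#   Step 2 of the post, with the pass phrase supplied via -passin. The output
#   is a cleartext key, so the subshell's umask makes it owner-readable only
#   from the moment it is written.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -out "$2" -passin "pass:${3}" 2>/dev/null )
}

# key_is_encrypted KEYFILE -> true if the PEM still carries an encryption header
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# csr_is_valid CSRFILE -> true if the CSR's self-signature verifies
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE -> true if the CSR embeds this key's public
#   half (catches the classic mix-up of sending a CSR made from another key)
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_has_san CSRFILE FQDN -> true if FQDN appears as a DNS subjectAltName
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo when run directly with a hostname, e.g.  sh csr.sh honolulu.example.com
if [ "$#" -ge 1 ]; then
    make_csr my.key my.csr "$1" 'constructed-pass'
    strip_passphrase my.key my_clear.key 'constructed-pass'
    csr_is_valid my.csr && csr_matches_key my.csr my_clear.key && csr_has_san my.csr "$1" \
        && echo "my.csr is ready for the CA; my_clear.key is unencrypted, keep it owner-only"
fi
```

If you only ever strip the pass phrase anyway, adding -nodes to the openssl req command skips the encryption and the second step entirely; whichever route you take, the resulting key file is cleartext, so keep it out of shared directories and version control.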