Creating a certificate signing request

Overview

This post is going to cover the process of creating a certificate signing request in a few simple ways, and why you might want to.

If you have a blog or website, you’ll want to have any data protected from prying eyes by encrypting the contents with Transport Layer Security (TLS). To achieve that you’ll need an SSL certificate. SSL refers to the Secure Sockets Layer, the original security protocol developed by Netscape, which has since been replaced by TLS.

A good reason for wanting to encrypt data is that Google will favour web sites that use encryption over those that don’t, and savvy users will appreciate secure sites too.

You can use SSL certificates for a whole host of things apart from just securing web sites, such as validating the endpoints of VPN (Virtual Private Network) tunnels and encrypting email traffic.

Use case for generating a Certificate Signing Request

When you create a website it needs to be hosted with a service provider unless you choose to host it on your own servers. Either way, you’ll need an SSL certificate. Some providers make the process easier than others. The graphic below from Fasthosts shows the requirements needed to obtain a certificate.

Requirements from fasthosts including creating a certificate signing request.
Requirements for a certificate signing request

Note the last point “Generate a Certificate Signing request”.

1; So, given that you need to go through the process of generating a CSR, what information is required for a properly formatted request? We can inspect any certificate from any website by clicking the padlock icon in the browser navigation bar.

Pop up shown after clicking the padlock icon in the Edge browser bar
Click the padlock icon and select Certificate

In the above image, we can see the certificate is “valid” so we know it matches the website address, it is within date, and it is signed by an authority that our browser trusts.

Certificate details showing Subject, Subject Alternative Names and the certificate path.
Certificate details.

2; After clicking the Certificate icon in the pop-up we get the Certificate window shown above. We can select and see various things such as the Subject, Subject Alternative Names, and the Certificate Path. You probably don’t need to worry about the Subject Alternative Names if you’re only securing a single domain name because most certificates will include both www.yoursite.com as well as yoursite.com.

As you can see, the subject contains the fields CN (Common Name), O (Organization), OU (Organizational Unit), L (Locality or City), S (State or Province) and C (Country Name). Some certificates have more fields, but even those above aren’t all required.

The CN is the critical one and it must match the URL (Uniform Resource Locator) of the website, so if the website it is to be used for is techiedoodah.com, then the CN has to be techiedoodah.com.

The only other field you’ll need to worry about is the Subject Alternative Name. You might want to include techiedoodah.com and www.techiedoodah.com (replace techiedoodah.com with your website name).

Generating a Certificate Signing Request online

3; To secure a domain we only need a basic certificate, and two sites that provide online generators are https://csrgenerator.com/ and https://www.gogetssl.com/online-csr-generator/

Generating a certificate signing request online with gogetssl.com
gogetssl.com online certificate generator

4; Simply fill in the fields and click on Generate CSR.

Output from the gogetssl online certificate generator
gogetssl.com CSR Generator output

5; Copy and paste the CSR into a text editor like Notepad and save it somewhere for safekeeping.

For advanced certificate manipulation, you can install a program called OpenSSL on your computer and use that to generate certificate signing requests. You can change the certificate formats, and add and remove certificate passwords, but that’ll be for another blog post. If you have it installed, to create a CSR the same as the above you’d need to open a command prompt and type in:

openssl req -out techiedoodah.csr -new -newkey rsa:2048 -nodes -keyout techiedoodah.key

6; The OpenSSL program will prompt for input to the various fields until the CSR is complete.

Generating a certificate signing request from the command prompt with OpenSSL
Generating a certificate signing request with OpenSSL

In both of the above cases, generating the certificate request also provides a private key. The private key is important and needs to be installed on the same server as the certificate when the certificate is returned from the vendor.

7; You can determine if the CSR is valid by using an online CSR checker such as the one at SSLShopper: https://www.sslshopper.com/csr-decoder.html

Checking the certificate signing request online at https://www.sslshopper.com/csr-decoder.html
Checking the CSR online
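
The OpenSSL command above prompts for each field and adds no Subject Alternative Name. As an added example (not part of the original post), the script below runs the same key and CSR generation non-interactively with both host names in the SAN, then does the validity check locally, so neither the key nor the CSR has to be pasted into a website. The function names and the C and O subject values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: create the key and CSR locally, then check the CSR offline.
# Subject values (C, O) are constructed placeholders; -addext needs OpenSSL 1.1.1+.

make_csr() {    # $1 = domain (used as CN), $2 = output directory
    (
        umask 077    # files created here are readable by their owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/C=GB/O=Example Org/CN=$1" \
            -addext "subjectAltName=DNS:$1,DNS:www.$1" 2>/dev/null
    )
}

check_csr() {   # $1 = key file, $2 = CSR file, $3 = domain; returns 0 if all checks pass
    # 1. The CSR's self-signature verifies.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2. The public key in the CSR is the one belonging to our private key.
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] || return 1
    # 3. The CN and both SAN entries are the names we asked for.
    text=$(openssl req -in "$2" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "CN *= *$3" || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$3" || return 1
    printf '%s\n' "$text" | grep -qF "DNS:www.$3" || return 1
}

# Demo run in a throwaway directory, using the post's example domain.
demo_dir=$(mktemp -d)
make_csr techiedoodah.com "$demo_dir" &&
    check_csr "$demo_dir/techiedoodah.com.key" "$demo_dir/techiedoodah.com.csr" techiedoodah.com &&
    echo "CSR and key are consistent: $demo_dir"
```

Only the .csr file goes to the certificate vendor; the .key file stays on the machine that will serve the site.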

8; If OpenSSL is a bit complex, and you’re not happy with generating a CSR online, there is an app for Android called d/cert which can generate the CSR and private key for you.

The Dory - Cert application for Android

9; Click on the red circle with the plus, and then choose to add a new private/public key pair.

Adding a new key pair using the d/Cert application for Android
D/Cert adding a new key pair

10; Add a name for the key pair and click or select ok. You can keep the default 2048 bits. Leave the passphrase blank, and then click ok.

Adding a name for the keypair in the d/cert application.
Adding a name for the keypair

11; Add the details and then click ok.

Adding the details for the key pair

12; Finally, select “Create CSR” from the private key. The application will create the CSR and you can click the button to export the CSR.

You can export the private and public keys in a similar fashion and save them or email them to wherever they’ll be required.

Once the certificate is returned to you, you can install it by following the instructions from your hosting provider. Once it’s installed you should see a padlock in the browser bar when you visit the site.

Testing your HTTPS site

13; Browse to the ssllabs website and click on “Test your server”.

Testing the HTTPS site from the ssllabs website
Testing your HTTPS site from the ssllabs website

14; Put in the site details on the next page and click the “Submit” button.

Adding the web site details to the ssllabs server test page.

15; Go and have a coffee. When you get back the scan should have completed and your results should be in.

Results from the ssllabs scan of the techiedoodah web site
ssllabs completed scan

To cut a long story short, the summary

SSL provides a protocol to encrypt digital traffic being sent across the Internet. If you have a web site you’ll want to take advantage of encryption and the identity verification that is provided by having an SSL certificate.

To get a certificate from a provider, it’s likely that you’ll need to generate a certificate signing request. The CSR can be generated online, by using an open-source program called OpenSSL or even by using apps available in the Google Play Store.

Once the CSR has been created you can check it using online certificate decoders to make sure there are no problems with it and that it will be accepted by the major vendors.

Once the certificate is installed you can run a test against the website using ssllabs testing tools to provide a scan report.
