Use OpenSSL to Verify the Contents of a CSR Before Submitting for an SSL Certificate
When purchasing SSL certificates for your website online, you will be required to generate an SSL CSR, or Certificate Signing Request, to obtain an SSL CRT, or Certificate. In the process of generating your CSR you will be required to provide numerous pieces of information including Country, State, City, Company, Department, server common name, contact email address, and a challenge password. The most important field is the server common name, as this is the domain that will serve web pages over HTTPS so that data is encrypted in each direction.
On numerous occasions I have accidentally fat-fingered the domain or not included www. when it was required, etc. It is possible to resolve some of these issues by reissuing the certificate; however, it can really be a pain, so it is a much better policy to double and triple check the contents of the CSR before submitting it to the SSL certificate provider. Use the information below to generate the CSR using openssl on a server running Apache with mod_ssl, and then use openssl to spit back the contents of the CSR you generated to verify the contents are correct.
Generate Key With OpenSSL:
- openssl genrsa -out test.key 1024
Output From Generating a SSL Key with OpenSSL:
- Generating RSA private key, 1024 bit long modulus
- e is 65537 (0x10001)
Generate CSR Using OpenSSL Via The Above SSL Key:
- openssl req -new -key test.key -out test.com.csr
Questions Answered While Generating a CSR With OpenSSL:
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- Country Name (2 letter code) [GB]:US
- State or Province Name (full name) [Berkshire]:Kentucky
- Locality Name (eg, city) [Newbury]:Louisville
- Organization Name (eg, company) [My Company Ltd]:QuestionDefense
- Organizational Unit Name (eg, section) []:IS
- Common Name (eg, your name or your server's hostname) []:www.test.com
- Email Address []:email@example.com
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
The contents of the test.com.csr file are what will be submitted to obtain an SSL Certificate (.crt) file, which will provide secure communications between your web site and your customers' computers. Before submitting the file and going through the confirmation process for the CRT file, use the command below to verify the contents of the CSR file.
Command to Verify Certificate Signing Request (.CSR) Contents:
- openssl req -noout -text -in test.com.csr
Output of The Above Command Verifying the CSR Contents:
- Certificate Request:
- Data:
- Version: 0 (0x0)
- Subject: C=US, ST=Kentucky, L=Louisville, O=QuestionDefense, OU=IS, CN=www.test.com/emailAddress=email@example.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- Exponent: 65537 (0x10001)
- Signature Algorithm: sha1WithRSAEncryption
Notice that the fourth line (the Subject line) includes the data you need to verify before submitting for an SSL certificate. The most important bit of information is the CN, or common name, which in the example above is www.test.com. Spending a little bit of time to verify this information can save you a lot of trouble trying to resolve any problems later.
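The same check can be scripted so the CN is compared mechanically rather than by eye. This is an added example, not part of the original post: the function names, the `MIN_RSA_BITS` variable and its 2048-bit default are assumptions of the example, and the sample dump is constructed from the values used on this page.

```shell
# Added example, not from the original post. Feed it the text dump:
#   openssl req -noout -text -in test.com.csr | check_csr_text www.test.com
# MIN_RSA_BITS is this example's assumption; set it to your CA's minimum.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# First match of a sed expression applied to the saved dump in $text.
field() { printf '%s\n' "$text" | sed -n "$1" | head -n 1; }

# check_csr_text EXPECTED_CN: returns 0 only if the CSR looks fit to submit.
check_csr_text() {
    expected=$1
    text=$(cat)
    # Handles "CN=host/emailAddress=..." (older OpenSSL) and "CN = host, ..." (newer).
    cn=$(field 's|^[[:space:]]*Subject:.*CN *= *\([^,/]*\).*|\1|p')
    alg=$(field 's|.*Public Key Algorithm: *||p')
    bits=$(field 's|.*Public[- ]Key: (\([0-9][0-9]*\) bit).*|\1|p')
    sig=$(field 's|^[[:space:]]*Signature Algorithm: *||p')
    rc=0
    if [ "$cn" != "$expected" ]; then
        echo "FAIL: CN is '$cn', expected '$expected'" >&2
        # The slip described above: www. present on one side only.
        if [ "www.$cn" = "$expected" ] || [ "$cn" = "www.$expected" ]; then
            echo "      (the two differ only by the www. prefix)" >&2
        fi
        rc=1
    fi
    if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits, need $MIN_RSA_BITS or more" >&2
        rc=1
    fi
    case $sig in
        sha1*|md5*) echo "WARN: CSR is signed with $sig" >&2 ;;
    esac
    return "$rc"
}

# Constructed sample: the dump shown on this page for the 1024-bit test key.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Kentucky, L=Louisville, O=QuestionDefense, OU=IS, CN=www.test.com/emailAddress=email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
```

Run against the CSR generated above, the check fails on key size even though the CN is right; generating the key with `openssl genrsa -out test.key 2048` clears that failure.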