OpenSSL: Create a private key and a Certificate Signing Request (CSR)

A private key is the secret used to prove that a server truly is the owner of its certificate. The private key and the certificate (which contains the corresponding public key) are the basis of the Public Key Infrastructure (PKI).

A Certificate Signing Request (CSR) is a request from a private key owner for a certificate. The CSR is signed by a Certificate Authority to create a certificate.

Follow these steps to create a CSR using the openssl tool, which is located in the <ifs_home>\openssl\bin folder.

  1. Create a private key:
    openssl genrsa -des3 -out filename.key 1024
    Choose a password to protect the key. The password protection may be removed (step 2) for simplicity. You may experience the key generation problem on some UNIX systems described below.
  2. (Optional) Remove password from key:
    openssl rsa -in filename.key -out filename2.key
  3. Create a certificate signing request (CSR) using the new key:
    openssl req -new -key filename2.key -out filename.csr -config opensslconf.txt
    A small configuration file (opensslconf.txt) is required (refer to the OpenSSL req(1) manual).
    For testing purposes the following configuration may be used:
     [ req ]
     default_bits           = 1024
     default_keyfile        = keyfile.pem
     distinguished_name     = req_distinguished_name
     attributes             = req_attributes
     prompt                 = no
     output_password        = mypass
    
     [ req_distinguished_name ]
     C                      = GB
     ST                     = Test State or Province
     L                      = Test Locality
     O                      = Organization Name
     OU                     = Organizational Unit Name
     CN                     = Common Name
     emailAddress           = test@email.address
    
     [ req_attributes ]

    A CSR for a server (site), e.g. https://www.example.com, must replace the Common Name value with the server's hostname (www.example.com). A CSR for a client or a Certificate Authority should replace the Common Name with the name commonly used to refer to the system, for example "Example.com HTTPS Connector" or "Example.com Intranet CA".
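The procedure above run end to end, as an added example that is not part of the original page: it writes the test configuration with the Common Name set to the server's hostname, generates the key and the CSR without the -des3 passphrase so that nothing prompts, and then checks the CSR before it is sent to the CA. It assumes a current OpenSSL on PATH and the hostname www.example.com.

```shell
#!/bin/sh
# Added example, not part of the original page: run steps 1 and 3 above
# non-interactively, then check the CSR before sending it to the CA.
# Assumptions: a current OpenSSL is on PATH, the key is written without the
# -des3 passphrase so no prompt appears, and the server hostname is www.example.com.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The page's test configuration, with the Common Name set to the server hostname.
write_config() {
  cat > "$WORKDIR/opensslconf.txt" <<'EOF'
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
C                      = GB
ST                     = Test State or Province
L                      = Test Locality
O                      = Organization Name
OU                     = Organizational Unit Name
CN                     = www.example.com
emailAddress           = test@email.address
EOF
}

# Key (unencrypted) and CSR, as in steps 1 and 3 of the procedure.
make_csr() {
  write_config
  openssl genrsa -out "$WORKDIR/filename.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/filename.key" -out "$WORKDIR/filename.csr" \
    -config "$WORKDIR/opensslconf.txt"
}

# Pre-submission checks: the CSR's self-signature verifies, the subject CN is
# the hostname, and the CSR carries the public key of our private key
# (compared as SHA-256 over the DER-encoded SubjectPublicKeyInfo).
verify_csr() {
  csr="$WORKDIR/filename.csr"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "www.example.com" ] || return 1
  key_fp=$(openssl pkey -in "$WORKDIR/filename.key" -pubout -outform DER | openssl dgst -sha256)
  csr_fp=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$csr_fp" ]
}
```

The last check matters on hosts that hold several keys: a CSR signed with the wrong key yields a certificate the server cannot use with the key it was configured for.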

Key generation problem on some UNIX systems

OpenSSL on UNIX assumes the existence of entropy (randomness) gathering devices or daemons in order to operate normally. These special files are usually known as /etc/entropy, /dev/urandom or /dev/random. Unfortunately these files are not always installed or working properly, which may cause problems such as:

ksh$ openssl genrsa -des3 -out filename.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
15801:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
15801:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

To overcome this problem, create a $HOME/.rnd file with cat:

ksh$ cat > $HOME/.rnd

Enter data by randomly pressing a lot of keys, then press Ctrl-D to save $HOME/.rnd. Finally,

ksh$ RANDFILE=$HOME/.rnd openssl genrsa -des3 -out filename.key 1024

will create the key successfully.