Generating a Certificate Signing Request using OpenSSL

Info

CSR generation for IIS7
Third Party Instructions for Generating a CSR here

Info

Please note that InCommon requires that all CSRs be generated with a key of at least 2048 bits. If OpenSSL is not configured to generate 2048-bit keys by default, you will need to tell it to do so on the openssl command line with -newkey rsa:2048

...

No Format
>>ssh splunk.uit.tufts.edu
>>cd /home/InCommonCerts
>>sudo mkdir "certificate-name-MONTH-DAY-YEAR"

e.g. mkdir wildcard.hirshlibrary.tufts.edu-July-15-2015

...

Run the following command:

No Format
/usr/bin/openssl req -new -newkey rsa:2048 -nodes  -sha256 -keyout private.key -out public.csr

...

From here OpenSSL will ask you a series of questions that you will need to answer. Make sure that the answers are correct for the Organization the certificate will represent: type in the full state name, not the abbreviation, and make sure that your Organization Name is set to Tufts University. Example:

No Format
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Medford
Organization Name (eg, company) [Internet Widgets Pty Ltd]:Tufts University
Organizational Unit Name (eg, section) []:Tufts Technology Services
Common Name (eg, YOUR name) []:infoboard.tufts.edu
Email Address []:ess@tufts.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Additional Note: If you are generating a wildcard certificate, use "*" as the leftmost part of the common name, e.g. *.infoboard.tufts.edu

The most common error people make is with the "common name". The common name is the name of the machine or service that needs the certificate, as users will reach it. In the example above, people will go to the website http://infoboard.tufts.edu, so the certificate needs to be named infoboard.tufts.edu, even though the actual server name is jasper.usg.tufts.edu.
You will notice that in the example, a private key named private.key and a certificate signing request (which carries the public key) named public.csr were created. Because the command above uses -nodes, your Private Key is not Encrypted!!

...

Make the file only readable by the administrative account (for Unix machines):

No Format
chmod 400 private.key

...

(optional) To encrypt your private key, run the following command. If you're not sure whether to encrypt your private key, email ess@tufts.edu:

No Format
/usr/bin/openssl rsa -in private.key -des3 -out secureprivate.key

...

You can dump the information in the CSR back into text form by running the following command:

No Format
/usr/bin/openssl req -text -noout -in public.csr
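As an added example (not from this page, and not Tufts or InCommon tooling), here is the same procedure as a small POSIX sh script: it creates the dated directory, generates the 2048-bit key and CSR in one non-interactive openssl call using -subj so the prompts cannot be answered wrongly, locks the unencrypted key down with chmod 400, reads the common name and key size back out of the CSR, and then performs the optional key-encryption step with -aes256 instead of the page's -des3 (current OpenSSL accepts both). The directory name, file names and the KEY_PASS environment variable are assumptions of this example; the subject values are the page's example answers.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the CSR procedure above run
# non-interactively, with the checks a practitioner wants before sending the
# request to InCommon. Directory and file names are assumptions; the subject
# fields mirror the page's example answers.
set -eu

# Dated working directory, then key + CSR in one openssl call.
# -subj replaces the interactive prompts so the full state name and the
# Organization "Tufts University" cannot be mistyped; -nodes leaves the key
# unencrypted, exactly as the page's command does, hence the chmod right after.
make_csr() {
    dir="$1"   # e.g. infoboard.tufts.edu-July-15-2015
    cn="$2"    # common name users type into the browser, or *.example for a wildcard
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=Massachusetts/L=Medford/O=Tufts University/OU=Tufts Technology Services/CN=$cn/emailAddress=ess@tufts.edu" \
        -keyout "$dir/private.key" -out "$dir/public.csr" 2>/dev/null
    chmod 400 "$dir/private.key"
}

# Read the common name back out of the CSR (the field people most often get
# wrong). -nameopt RFC2253 prints "CN=...,OU=...,O=..." on every OpenSSL version.
csr_common_name() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Key size as recorded in the CSR, to prove the 2048-bit minimum was honoured.
csr_key_bits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Optional step: add a passphrase to the key. The page uses -des3; current
# OpenSSL also accepts -aes256, used here. The passphrase comes from the
# KEY_PASS environment variable (an assumption of this example).
encrypt_key() {
    openssl rsa -in "$1" -aes256 -passout "pass:$KEY_PASS" -out "$2" 2>/dev/null
    chmod 400 "$2"
}

# True when the PEM file carries an encryption header (covers both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" form).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Demonstration in a scratch directory.
work=$(mktemp -d)
(
    cd "$work"
    make_csr infoboard.tufts.edu-July-15-2015 infoboard.tufts.edu
    echo "CN:   $(csr_common_name infoboard.tufts.edu-July-15-2015/public.csr)"
    echo "bits: $(csr_key_bits infoboard.tufts.edu-July-15-2015/public.csr)"
    KEY_PASS=example-passphrase
    export KEY_PASS
    encrypt_key infoboard.tufts.edu-July-15-2015/private.key \
                infoboard.tufts.edu-July-15-2015/secureprivate.key
    key_is_encrypted infoboard.tufts.edu-July-15-2015/secureprivate.key && echo "encrypted: yes"
)
rm -rf "$work"
```

Running the script prints the common name and "2048" read from the generated CSR, which is the check worth doing before the request leaves the machine; a wrong Organization or an abbreviated state name is just as visible in that -subject output.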

...

Troubleshooting Errors with Certificate Requests

  1. If the certificate doesn't seem to be in PEM format, run:

    No Format
    /usr/bin/openssl x509 -in certificate.crt -noout -text

  2. If that generates an error (using certificate.crt as the certificate file), then run:

    No Format
    /usr/local/openssl/bin/openssl pkcs7 -inform PEM -in certificate.crt -print_certs -out new-certificate.crt

  3. Then run the first command on new-certificate.crt to confirm the conversion worked.

Verifying a Certificate

Once you receive the certificate, you can verify that the information in the cert is correct by running the following command from any machine with openssl installed:

No Format
openssl x509 -noout -text -in <certificate file name>

To check the entire cert chain of a remote server:

No Format
openssl s_client -connect hostname:port -showcerts

Verifying a public key matches its cert

I had an issue where the uploaded crt/key file on the LB didn't match. The LB indicated a profile mismatch.

Before I engaged NOC, I ran the two commands below on the files located on splunk to confirm they matched. With this information I could engage NOC and request that they double check what was loaded, as the files on splunk are correct.

No Format
[root@splunk-prod-02 wildcard.library.tufts.edu-August-23-2019]# openssl x509 -noout -modulus -in wildcard.library.tufts.edu.crt | openssl md5
(stdin)= 9d26a9799c73eedf15819fa19763a73b

[root@splunk-prod-02 wildcard.library.tufts.edu-August-23-2019]# openssl rsa -noout -modulus -in wildcard.library.tufts.edu.key | openssl md5
(stdin)= 9d26a9799c73eedf15819fa19763a73b
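As an added example (not from this page, and not Tufts tooling), the following POSIX sh script turns the two modulus commands above into a yes/no check, so a key/cert mismatch like the LB's "profile mismatch" is an exit status rather than two hashes compared by eye. It also covers the PKCS#7 conversion from the Troubleshooting section: it wraps a certificate into a PKCS#7 bundle, shows that openssl x509 refuses it, unwraps it with the page's pkcs7 command and confirms the recovered certificate carries the same modulus. Everything is constructed locally with a throwaway self-signed certificate; the file names, subjects and the example domains are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the key/cert match check
# from this section and the PKCS#7 conversion from the troubleshooting
# section, scripted. All files are constructed here with a throwaway
# self-signed certificate; file names and subjects are assumptions.
set -eu

# Throwaway key + self-signed cert standing in for an issued pair.
make_selfsigned() {
    base="$1"   # output basename: $base.key and $base.crt
    cn="$2"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=US/ST=Massachusetts/O=Tufts University/CN=$cn" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
}

# The page's check: MD5 of the RSA modulus. $1 is the openssl subcommand
# that understands the file (x509 for a cert, rsa for a key, req for a CSR).
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | sed 's/^.*= *//'
}

# Exit 0 when key and certificate share a modulus, 1 otherwise (the LB's
# "profile mismatch" condition).
key_matches_cert() {
    [ "$(modulus_md5 rsa "$1")" = "$(modulus_md5 x509 "$2")" ]
}

# Same question asked of the whole public key rather than the modulus; this
# form also works for non-RSA keys, which -modulus does not.
pubkey_matches_cert() {
    [ "$(openssl pkey -pubout -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Troubleshooting helpers: can openssl x509 read this file as a PEM
# certificate, plus the PKCS#7 wrap/unwrap round trip.
is_pem_cert() {
    openssl x509 -in "$1" -noout -text >/dev/null 2>&1
}
to_pkcs7() {   # build a PKCS#7 bundle, the form some CAs deliver
    openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"
}
from_pkcs7() { # the page's recovery command
    openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# Demonstration in a scratch directory.
work=$(mktemp -d)
(
    cd "$work"
    make_selfsigned site  "*.library.example"   # constructed wildcard name
    make_selfsigned other "other.example"       # a second, unrelated key pair
    if key_matches_cert site.key site.crt; then echo "site.key matches site.crt"; fi
    if key_matches_cert other.key site.crt; then :; else echo "other.key does NOT match site.crt"; fi
    to_pkcs7 site.crt site.p7b
    is_pem_cert site.p7b || echo "site.p7b is not a PEM certificate; converting"
    from_pkcs7 site.p7b site-new.crt
    is_pem_cert site-new.crt && echo "site-new.crt readable, modulus $(modulus_md5 x509 site-new.crt)"
)
rm -rf "$work"
```

When the key and certificate really do match, as they did on splunk above, key_matches_cert exits 0 and the problem is on the receiving side; when it exits 1 the wrong key or certificate was picked up locally, and that is what to fix before involving anyone else.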

 

Test your cert after installing onto the site

To test the cert applied to a site, browse to https://www.ssllabs.com/ssltest and enter the site name.


This content has been moved to /wiki/spaces/EnterpriseSystems/pages/89464050