TLS Security Certificates: How to generate a CSR

A Certificate Signing Request (CSR) is required by ITS Security Operations to get or renew a TLS certificate. There are numerous ways to create the CSR:

For Linux, the openssl utilities can be used.

For Windows, simple requests can be created within IIS Manager.

The example used in this document requires SANs (Subject Alternative Names). This is one of the more advanced features that is not supported by the IIS Manager utility.

Windows IIS 7.x Manager

https://sectigo.com/resource-library/generate-csr-microsoft-iis-7-x

Apache Mod_SSL/OpenSSL

https://sectigo.com/resource-library/how-to-generate-certificate-signing-request-on-apache-mod-ssl-openssl

To generate a private key and a public Certificate Signing Request (CSR) for a web server, use the following command:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

This creates two files: myserver.key, which contains the private key, and server.csr, which contains the request. Do not disclose myserver.key to anyone. Carefully protect the private key.

In particular, be sure to back up the private key, as there is no way to recover it if it is lost. The private key is the input from which the Certificate Signing Request (CSR) is generated.

You will now be asked to enter the details that go into your CSR.

What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value; if you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Kentucky
Locality Name (eg, city): Louisville
Organization Name (eg, company) [Internet Widgits Pty Ltd]: University of Louisville
Organizational Unit Name (eg, section) []: Information Technology Services - Security Operations
Common Name (eg, YOUR name) []: abc.louisville.edu
(Enter a fully qualified domain name here, e.g. abc.louisville.edu or a subdomain such as xyz.abc.louisville.edu.)
Email Address []: (can be left blank)


A challenge password []:
An optional company name []:

The Email Address, optional company name and challenge password fields can be left blank for a web server certificate.

Your CSR has now been created. Open server.csr in a text editor and copy and paste its contents into the free Sectigo decoder at https://secure.sectigo.com/utilities/decodeCSR.html . In that tool, make sure the following options are checked:

Show Key Size

Show SANs DNS Names

Show CSR Signature Algorithm
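The same steps, scripted: this is an added example and not part of the original ITS page. It writes an OpenSSL request configuration with the Distinguished Name values from the prompts above, generates the key and a CSR that carries the Subject Alternative Names the IIS Manager cannot produce, and then decodes the CSR locally to check the three things the Sectigo decoder is used for (key size, SAN DNS names, signature algorithm). The file names, the second SAN hostname and the scratch directory are assumptions for the example; the checks mirror the requirements in the Tips below (RSA key, sha256).

```shell
#!/bin/sh
# Added example, not the ITS page's own script. Generates an RSA-2048 key and a
# CSR with Subject Alternative Names, then verifies the CSR the way the Sectigo
# decoder is used above. Hostnames and file names are assumptions.
set -e

# Write an OpenSSL request config: DN pre-filled (prompt = no) plus a
# subjectAltName extension. Argument 1: path of the config file to write.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = dn
req_extensions      = v3_req

[ dn ]
C  = US
ST = Kentucky
L  = Louisville
O  = University of Louisville
OU = Information Technology Services - Security Operations
CN = abc.louisville.edu

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = abc.louisville.edu
DNS.2 = xyz.abc.louisville.edu
EOF
}

# Generate a new RSA-2048 private key (unencrypted, -nodes) and the CSR in one
# step. Arguments: config file, key output path, CSR output path.
# (OpenSSL 1.1.1+ can also pass the SANs inline with
#  -addext "subjectAltName=DNS:abc.louisville.edu,DNS:xyz.abc.louisville.edu".)
generate_csr() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Decode the CSR and check what ITS requires: the request's self-signature
# verifies, the key is RSA 2048 bit, both SAN names are present, the signature
# algorithm is sha256WithRSAEncryption, and the file is a PEM CSR.
# Returns 0 only if every check passes.
check_csr() {
    csr="$1"
    text=$(openssl req -in "$csr" -noout -text -verify 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'DNS:abc.louisville.edu' || return 1
    printf '%s\n' "$text" | grep -q 'DNS:xyz.abc.louisville.edu' || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$csr" || return 1
    return 0
}

# Run the whole procedure in a private scratch directory (umask 077 keeps the
# key file readable by the owner only) and print the CSR to send to ITS.
demo() {
    umask 077
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf"
    generate_csr "$dir/req.cnf" "$dir/myserver.key" "$dir/server.csr"
    if check_csr "$dir/server.csr"; then
        echo "CSR OK: RSA 2048 bit, sha256, SANs present"
    else
        echo "CSR does not meet the requirements" >&2
        rm -rf "$dir"
        return 1
    fi
    cat "$dir/server.csr"   # this PEM block is what gets pasted into the decoder / sent to ITS
    rm -rf "$dir"           # the real private key would be kept and backed up, not deleted
}

demo
```

In real use keep myserver.key where the web server can read it and back it up; the scratch directory here is discarded only because the example generates a throwaway key.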

Tips:

  1. Make sure to type out louisville.edu slowly and proofread it before sending.
  2. You do not need to provide a street address or postal code. See https://sectigo.com/resource-library/sectigo-to-remove-street-address-and-postal-code-from-certificates
  3. When saving the CSR, you can use either the .txt or the .csr file extension. When we open the file, we should be able to see the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
  4. The key type must be RSA.
  5. The hashing algorithm must be sha256.
  6. When sending it to us, tell us who the contact person will be for renewals and general information.
  7. Certificate expiration notification emails are sent 90, 60, 30, 15, and 7 days before expiry to remind you about renewals.