Steps for Generating a Private Key and CSR from a Certificate
Generating a private key and Certificate Signing Request (CSR) is an important first step in obtaining an SSL/TLS certificate for a website or application. A private key is used to digitally sign the CSR, proving ownership and control of the domain. The CSR contains information about the key and domain which is submitted to a Certificate Authority to obtain the final certificate.
This process can seem complex, but it is essential for enabling secure HTTPS connections. Generating a private key and CSR is straightforward with some basic knowledge of OpenSSL or other tools. This guide will walk through the steps for creating a private key and CSR on Linux, Windows, and Mac operating systems.
Key Takeaways
- A private key and CSR are required to obtain an SSL/TLS certificate from a Certificate Authority.
- The private key is used to digitally sign the CSR, proving ownership of the domain.
- OpenSSL is a common tool for generating keys and CSRs on Linux, Mac, and Windows.
- For security, the keys should be 2048 bits or larger. The CN field in the CSR must match the domain name.
- CSRs contain information about the key and domain that Certificate Authorities use to issue certificates.
- Keep the private key file secure, and don’t share it publicly. The CSR can be freely shared.
How to Generate a Private Key and CSR on Linux
Linux administrators will typically use the OpenSSL toolkit to generate private keys and CSRs. Here are step-by-step instructions for creating a 2,048-bit private key and CSR using OpenSSL commands:
Check that OpenSSL is Installed
Most Linux distributions come with OpenSSL pre-installed. To verify it is present, run:
$ openssl version
This will print the version of OpenSSL installed. For secure key generation, make sure it is 1.0.1 or higher. Older versions used weaker algorithms and key sizes.
If OpenSSL is not installed, use your package manager to install it. For example, on Ubuntu/Debian:
$ sudo apt install openssl
Or on CentOS/RHEL:
$ sudo yum install openssl
Generate the Private Key
The first step is to generate the private key that will sign the CSR. This key should be securely stored and not shared. Use OpenSSL’s genrsa command to generate a 2,048-bit RSA private key:
$ openssl genrsa -out private.key 2048
This will create a new file called private.key containing the PEM formatted private key. Make sure to backup and restrict access to this key.
For better security, consider generating a 4,096-bit key instead. Larger keys are more computationally intensive to crack:
$ openssl genrsa -out private.key 4096
Create the Certificate Signing Request (CSR)
With the private key created, we can generate the CSR. This contains information about the key, domain, organization, and more. Run the req command and fill out the prompts:
$ openssl req -new -key private.key -out csr.csr
- For the Common Name (CN), enter your fully qualified domain name (www.example.com). This MUST match the domain for which you want the certificate.
- Enter your Country Name (2 letter code), State/Province, Locality, Organization, etc. This information will be embedded in the certificate.
- When prompted for a challenge password or optional company name, press Enter to leave them blank.
After entering all the information, a CSR called csr.csr will be generated. This file can be opened and inspected or submitted to a CA.
Verify the CSR Contents
Always validate that the information in your CSR is correct before submitting it to a CA:
$ openssl req -in csr.csr -noout -text
This will print out the CSR in text format so you can confirm the domain name, company information, key size, and other details are correct. Make sure the Common Name matches what you want the cert for.
The CSR can now be submitted to a Certificate Authority like DigiCert, Comodo, GlobalSign, etc., to obtain the final certificate. Be sure to keep the private key file secret and store it safely.
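The three steps above (generate the key, create the CSR, verify it) can be scripted so the prompts are answered from the command line and the result is checked automatically. The script below is an added example, not part of the original guide: it assumes the openssl CLI (1.1.1 or newer, which introduced -addext) is on PATH, and the subject fields and www.example.com are constructed sample values. Besides the CN it also puts the FQDN into a subjectAltName, which is the field browsers actually match against, and it confirms that the CSR's public key really belongs to the private key file that will later be installed.

```shell
#!/bin/sh
# Added example: non-interactive version of the key + CSR steps, with checks.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH.
# The subject fields and www.example.com are constructed sample values.
set -eu

# gen_key <keyfile> <bits>: generate an RSA private key that only the current user can read.
# umask 077 in a subshell makes the file mode 0600 from the moment it is created.
gen_key() {
    (umask 077 && openssl genrsa -out "$1" "$2" 2>/dev/null)
}

# gen_csr <keyfile> <csrfile> <fqdn>: create the CSR without the interactive prompts.
# The FQDN goes into the CN and also into a subjectAltName, which browsers check instead of the CN.
gen_csr() {
    openssl req -new -sha256 -key "$1" -out "$2" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/CN=$3" \
        -addext "subjectAltName=DNS:$3"
}

# key_bits <keyfile>: print the modulus size in bits, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# csr_subject_cn <csrfile>: print the Common Name from the CSR subject.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_sans <csrfile>: print the requested subjectAltName entries, e.g. "DNS:www.example.com".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# csr_signature_ok <csrfile>: a CSR is self-signed with the private key; a bad signature
# means the file was corrupted or edited after it was generated.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key <csrfile> <keyfile>: the public key inside the CSR must come from this key
# file, otherwise the certificate the CA issues will not work with the key you install.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Demo run in a scratch directory (removed on exit).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
gen_key "$WORK/private.key" 2048
gen_csr "$WORK/private.key" "$WORK/csr.csr" www.example.com
echo "key size : $(key_bits "$WORK/private.key") bits"
echo "CN       : $(csr_subject_cn "$WORK/csr.csr")"
echo "SAN      : $(csr_sans "$WORK/csr.csr")"
csr_signature_ok "$WORK/csr.csr" && echo "CSR signature: OK"
csr_matches_key "$WORK/csr.csr" "$WORK/private.key" && echo "CSR/key match: OK"
ls -l "$WORK/private.key"   # file mode should be -rw------- (0600)
```

Run it as-is to see the checks pass on a fresh key, or point the functions at your own private.key and csr.csr before submitting the CSR. The modulus comparison is the one check worth keeping in a deployment pipeline: a CSR generated against the wrong key still looks perfectly valid to a CA.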
Step-by-Step Guide for Generating a Private Key and CSR on Windows
Windows administrators have a couple of options for generating private keys and CSRs. Here are instructions using the native certreq tool or the OpenSSL for Windows build.
Using certreq
Certreq is the native certificate request tool built into Windows Server and some desktop versions. Here’s how to use it:
- Open the Certificate Authority management console by running certlm.msc.
- In the console tree, right-click on the Certificate Templates folder and choose Manage.
- Right-click on the Web Server template and choose Duplicate Template. Assign a name like “My Web Server” and hit OK.
- Under the General tab, set the Minimum Key Size to 2048 bits. Select Cryptography > Request Hash to SHA256 and Cryptography > Provider Category to Key Storage Provider.
- Under Extensions, for Application Policies, select Server Authentication and mark Client Authentication as not allowed.
- Under Security, add the users or groups who should have Enroll permissions. Hit OK to save the template.
- From Start, search for “run” and open it. Type “mmc” and hit Enter to open a new console.
- File > Add/Remove Snap-in. Add the Certificates and Certificate Authority snap-ins.
- In the console tree, expand the Certificate Authority > Certificate Templates folder.
- Right-click on the template you created and choose New > Certificate to Issue.
- On the General tab, give it a friendly name. On Subject, enter your FQDN in Common Name and fill out other fields.
- Click the Extensions tab and verify the Application Policies are set correctly. Hit OK.
- When prompted, choose to Save the CSR to a File. Name it something like mycsr.csr.
This CSR file can then be submitted to a public CA to request a certificate. Be sure to export and safely store the generated enrolled private key.
Using OpenSSL
OpenSSL can also be used to generate keys and CSRs on Windows. Download and install OpenSSL for Windows from this site: https://slproweb.com/products/Win32OpenSSL.html
From a command prompt, the steps are the same as on Linux:
- Generate a private key:
openssl genrsa -out private.key 2048
- Create the CSR, entering info when prompted:
openssl req -new -key private.key -out mycsr.csr
- Verify the CSR contents:
openssl req -in mycsr.csr -noout -text
Follow the same process as the Linux instructions above. When customizing the key generation and CSR attributes, OpenSSL often provides more flexibility than Certreq.
Step-by-Step Guide for Generating a Private Key and CSR on Mac
Here are two options for generating a private key and CSR on macOS:
Using OpenSSL
- Install OpenSSL via Homebrew:
brew install openssl
- Generate a private key:
openssl genrsa -out private.key 2048
- Create the CSR, entering info when prompted:
openssl req -new -key private.key -out mycsr.csr
- Verify the CSR contents:
openssl req -in mycsr.csr -noout -text
Using Keychain Access
The Keychain Access application that comes with macOS can also generate certificates:
- Open Keychain Access, located in Applications > Utilities.
- From the menu bar, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
- Enter your email and Common Name (domain name) and select Saved to disk.
- Choose a location to save the CSR. Make sure the file extension is .csr.
- It will prompt you to create a private key. Choose a 2048-bit RSA key and hit Continue.
Submitting your CSR to a Certificate Authority
Once you have generated the CSR using one of the above methods, you are ready to submit it to a Certificate Authority (CA). The CA will use the information in the CSR to validate you control the domain and issue a browser-trusted certificate.
There are two main types of CAs:
Public CAs
These are trusted CAs like DigiCert, Comodo, GlobalSign, etc. All major browsers and operating systems will automatically trust certificates issued by public CAs. However, public certificates typically cost money, although some CAs offer free basic certificates.
To obtain a certificate from a public CA:
- Generate your private key and CSR using the steps outlined earlier.
- Visit the CA website and follow the process for purchasing a certificate and uploading the CSR.
- Once issued, the CA will provide certificate files to download and install on your server.
- Install the certificate files along with your private key to complete the setup.
Private or Internal CAs
Organizations can choose to operate their own private CA and issue internal certificates. This allows them to avoid the costs of public CAs when securing communications for internal servers, VPNs, appliances, etc. However, certificates issued by a private CA will only be trusted within the organization.
To set up an internal CA:
- Install CA software like EJBCA or Microsoft Certification Authority.
- Generate root and intermediate CA certificates and keys.
- Issue certificates by validating CSRs and signing them with the CA key.
- Distribute the CA certificates to all clients to establish trust in the private CA.
Whether using a public or private CA, submitting your CSR is the crucial step that allows the CA to verify your domain ownership and issue the final certificate. Be sure to store the private key used to sign the CSR safely – this will be needed later when installing the issued certificate.
Installing Your SSL/TLS Certificate
Once the Certificate Authority validates your CSR and issues the certificate, you are ready to install it along with your private key. This will enable HTTPS and SSL/TLS encryption for your website or application.
The steps for installing certificates vary based on your web server and operating system. Here are some guidelines:
Apache on Linux
- Place your issued certificate file (e.g., domain.crt) in /etc/ssl/certs.
- Place your private key file (e.g., private.key) in /etc/ssl/private.
- Edit /etc/apache2/sites-enabled/default-ssl.conf and update SSLCertificateFile and SSLCertificateKeyFile with the paths to your files.
- Restart Apache with sudo systemctl restart apache2.
Nginx on Linux
- Place certificate and key files in /etc/nginx/ssl.
- Edit /etc/nginx/nginx.conf and update the ssl_certificate and ssl_certificate_key lines with your filenames.
- Reload Nginx with sudo systemctl reload nginx.
IIS on Windows Server
- Open IIS Manager and go to Server Certificates.
- Click Import and select your certificate file.
- In the Bindings menu for your website, update the SSL certificate to the imported one.
macOS/OS X
- Double-click the certificate file to open Keychain Access.
- Select the certificate and expand the Trust section.
- Change "When using this certificate:" to Always Trust.
- Expand the Access Control section and set it to allow your user account to access the key.
- Open the private key file to add it to Keychain Access.
- Enable SSL in your web server software and select the imported certificate.
Be sure to restart or reload your web server software after installing the certificate for the changes to take effect. Test that HTTPS and SSL/TLS are functioning correctly and you have a secure connection.
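The internal CA procedure described earlier (root CA key and certificate, signing a CSR, distributing the CA certificate so clients trust it) and the "check before you install" advice above can both be exercised offline with a throwaway CA. The script below is an added example and not part of the original guide; it assumes the openssl CLI (1.1.1 or newer) is on PATH, and "Example Corp", www.example.internal and every file name are constructed sample values. It signs a CSR with a private CA and then runs the checks a practitioner wants before pointing Apache, Nginx or IIS at the files: the certificate matches the private key, it chains to the CA the clients will be given (and not to an unrelated one), the hostname is in the SAN list, and it has not expired.

```shell
#!/bin/sh
# Added example: a throwaway internal CA that signs a CSR, followed by the checks to run on
# the issued certificate before installing it. Assumes the openssl CLI (1.1.1+) is on PATH.
# "Example Corp", www.example.internal and all file names are constructed sample values.
set -eu

# make_ca <dir>: root CA key plus a self-signed CA certificate (the "generate root CA" step).
make_ca() {
    mkdir -p "$1"
    (umask 077 && openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -sha256 -days 3650 -key "$1/ca.key" \
        -subj "/O=Example Corp/CN=Example Corp Internal Root CA" -out "$1/ca.crt"
}

# sign_csr <cadir> <csr> <fqdn> <outcrt>: issue a server certificate from a CSR.
# The CA, not the requester, decides the extensions: x509 -req ignores extensions in the
# CSR, so the SAN and server-auth EKU are set here from a small extension file.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$3" > "$1/leaf.ext"
    openssl x509 -req -sha256 -days 397 -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/leaf.ext" -out "$4" 2>/dev/null
}

# --- checks to run before pointing the web server at the files ---

# cert_matches_key <crt> <key>: the certificate must carry the public half of the key you install.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# chain_ok <crt> <cafile>: clients only trust the certificate if it chains to a CA they were given.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_has_san <crt> <fqdn>: the name browsers will connect to must appear in the SAN list.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# cert_valid_now <crt>: fails if the certificate has already expired.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Demo in a scratch directory (removed on exit).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK/ca"          # the CA whose certificate we would distribute to clients
make_ca "$WORK/other"       # an unrelated CA, to show that trust is specific to the signing CA
(umask 077 && openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null)
openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/O=Example Corp/CN=www.example.internal"
sign_csr "$WORK/ca" "$WORK/server.csr" www.example.internal "$WORK/server.crt"

cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "cert matches private key"
chain_ok "$WORK/server.crt" "$WORK/ca/ca.crt"          && echo "chains to the internal CA"
chain_ok "$WORK/server.crt" "$WORK/other/ca.crt"       || echo "does NOT chain to an unrelated CA (expected)"
cert_has_san "$WORK/server.crt" www.example.internal   && echo "SAN contains www.example.internal"
cert_valid_now "$WORK/server.crt"                      && echo "not expired"
```

For a certificate bought from a public CA the same four checks apply; substitute the CA's bundle file for ca.crt in chain_ok. The negative chain check is the one that catches the most common internal-CA mistake: a server certificate that verifies on the machine that issued it but fails on every client, because the root certificate was never distributed.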
Final Thoughts
Obtaining an SSL/TLS certificate requires first generating a private key and Certificate Signing Request. This allows a Certificate Authority to validate the domain’s ownership and issue a trusted certificate. Private keys should be safely stored, while CSRs are designed to be openly shared with the CA.
There are many different tools and methods for generating CSRs, but OpenSSL is one of the most common. Most web servers and CAs have streamlined tools for creating and installing certificates. With the certificate installed and private key on your server, you can enable HTTPS and SSL/TLS encryption.
Frequently Asked Questions
What is the difference between a private key and CSR?
A private key digitally signs the CSR to prove domain ownership. The CSR contains public information about the key and domain that the CA uses to issue the certificate. The private key must be kept private while the CSR is designed to be shared publicly.
What key size should I use?
2048-bit is the recommended minimum size, but 4096-bit provides better protection against future attacks. Most CAs require at least a 2048-bit key.
How do I generate a CSR on Windows without Certreq?
You can use the OpenSSL for Windows build instead. Download, install, and use the OpenSSL req command to generate keys and CSRs, just like on Linux or Mac.
Should I use an internal or public CA?
Public CAs provide certificates that are automatically trusted by browsers and devices. However, internal CAs allow you to maintain control and avoid ongoing certificate costs. Internal CAs are typically used only for encrypting traffic within an organization.
What if there is a problem with my CSR?
If the CA can’t validate your CSR, they will contact you to fix any issues. Make sure the domain names match, and you provide accurate information. If needed, you can generate a new CSR and private key to submit.
How often do I need to renew the certificate?
SSL/TLS certificates typically need to be renewed every 1-2 years. The CA will notify you when renewal is required, at which point you can generate a new CSR to renew it.
Where can I get free certificates?
Some CAs, like Let’s Encrypt, offer basic domain-validated certificates for free. These have shorter lifespans but can be used for non-critical sites and testing.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.