Certificate request with OpenSSL

To request a client certificate with OpenSSL, simply use the same command as for a server certificate, but with a different configuration file, which allows the entry of optional and mandatory fields corresponding to these products.

• Generate the key with the following command:
  

  openssl genrsa 2048 > yourkey.key

• If you want this key to be protected by a password (that will be requested any time you'll restart Apache), add:
  
  

  "-des3"

  after "genrsa").

Make a backup copy of the .key file!

• Protect your file with:
  

  chmod 400 yourkey.key

• Use this command to generate the CSR and indicate the CNF that you will have previously downloaded below:
  

  openssl req -new -key yourkey.key -config CNF_FILE_BELOW > yourkey.csr

Configuration files

Download the OpenSSL configuration file (right click, save as) suitable for the client certificate you want to generate:

For DigiCert Email Novice, Sectigo S/MIME MV and TBS X509 S/MIME MV certificates:

• openssl-dem-emailnovice.cnf

For Sectigo S/MIME OV and TBS X509 S/MIME OV certificates:

• openssl-dem-email-sectigo-ov.cnf

For DigiCert Authentication certificate:

• openssl-dem-email-digicert-auth.cnf

For DigiCert Email Encryption, Signature and Premium certificates:

• openssl-dem-emailcn.cnf

Generate a CSR

To easily and quickly generate a CSR with OpenSSL 0.9.7 or higher, see these tips:

Server certificate:

openssl req -new -nodes -newkey rsa:2048 -keyout newkey.key -subj '/CN=www.my.dom/C=FR/ST=Calvados/L=Caen/O=MY COMPANY/OU=IT Department' -out mycsr.csr

openssl req -config openssl-dem-client-cert.cnf -nodes -newkey rsa:2048 -keyout mysuperkey.key -subj '/CN=LAST NAME first name/emailAddress=me@mycompany.com/O=MY COMPANY/L=Caen/ST=Calvados/C=FR' -out mysupercsr.csr

Useful links

• Install OpenSSL on Windows
• Create a pkcs12 (.pfx or .p12) from OpenSSL files (.pem , .cer, .crt, ...)
• Generate your CSR for your user certificate from any browser with KEYBOT