Certificate request with OpenSSL
To request a client certificate with OpenSSL, use the same command as for a server certificate, but with a different configuration file that lets you fill in the optional fields that are mandatory for this kind of product.
Generate the key with the following command:
openssl genrsa 2048 > yourkey.key
If you want this key to be protected by a password (which will be requested every time you restart Apache), add "-des3" after "genrsa".
Make a backup copy of the .key file!
Protect your file with:
chmod 400 yourkey.key
Use this command to generate the CSR, replacing CNF_FILE_BELOW with the configuration file you downloaded from the list below:
openssl req -new -key yourkey.key -config CNF_FILE_BELOW > yourkey.csr
Download the OpenSSL configuration file (right click, Save as) matching the client certificate you want to generate:
- For a TBS X509 Sign & Login certificate: openssl-dem-signlogin.cnf
- For a TBS X509 Email Professional certificate: openssl-dem-emailpro.cnf
- For a TBS X509 Email Novice certificate: openssl-dem-emailnovice.cnf
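The steps above as one script, followed by the checks worth running before the CSR is submitted (an added example, not TBS's own code). The client.cnf it writes is a constructed stand-in for the downloadable configuration files, and the function names, file names and sample subject are assumptions.

```shell
#!/bin/sh
# Added example. client.cnf below is a constructed stand-in, not the
# content of the openssl-dem-*.cnf files offered on this page.
make_client_csr() {   # usage: make_client_csr DIR SUBJECT
    (
        cd "$1" || exit 1
        umask 077     # key file is private from the moment it is created
        cat > client.cnf <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = dn
[ dn ]
commonName   = Common Name
emailAddress = Email Address
EOF
        openssl genrsa 2048 > client.key 2>/dev/null || exit 1
        chmod 400 client.key
        openssl req -new -key client.key -config client.cnf \
            -subj "$2" > client.csr
    )
}

check_client_csr() {  # usage: check_client_csr DIR EXPECTED_EMAIL
    (
        cd "$1" || exit 1
        # 1. Private key is readable by its owner only.
        [ "$(ls -l client.key | cut -c1-10)" = "-r--------" ] || exit 1
        # 2. The CSR's self-signature is valid (file not truncated or altered).
        openssl req -in client.csr -noout -verify 2>&1 \
            | grep -q 'verify OK' || exit 1
        # 3. The CSR carries the public half of this key, not another one.
        csr_pub=$(openssl req -in client.csr -noout -pubkey)
        key_pub=$(openssl pkey -in client.key -pubout 2>/dev/null)
        [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || exit 1
        # 4. The subject contains the e-mail address that was requested.
        openssl req -in client.csr -noout -subject | grep -qF -- "$2"
    )
}

# Constructed sample run in a throwaway directory.
demo_dir=$(mktemp -d)
make_client_csr "$demo_dir" \
    '/CN=LAST NAME first name/emailAddress=me@mycompany.com/O=MY COMPANY/L=Caen/ST=Calvados/C=FR' \
  && check_client_csr "$demo_dir" 'me@mycompany.com' \
  && echo "CSR ready to submit: $demo_dir/client.csr"
```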
Consult these tips to easily and quickly generate a CSR with OpenSSL 0.9.7 or higher:
Server certificate:
openssl req -new -nodes -newkey rsa:2048 -keyout newkey.key -subj '/CN=www.my.dom/C=FR/ST=Calvados/L=Caen/O=MY COMPANY/OU=IT Department' -out mycsr.csr
Client certificate (with our configuration file):
openssl req -config openssl-dem-client-cert.cnf -nodes -newkey rsa:2048 -keyout mysuperkey.key -subj '/CN=LAST NAME first name/emailAddress=me@mycompany.com/O=MY COMPANY/L=Caen/ST=Calvados/C=FR' -out mysupercsr.csr
Last edited on 05/10/2022 13:39:33