KB45020 - How to create a 2048 Bit CSR/DER/PFX/ Certificate Chain from OpenSSL


Information

Last Modified Date: 4/1/2022 3:08 PM
Synopsis
This article describes how to do the following:
1. Create a 2048-bit CA (private key and self-signed CA certificate)
2. Create a 2048-bit CSR for the PPS/PCS server
3. Sign the server CSR with the CA (the article calls the result a DER certificate; see the note in step 3)
4. Convert the server certificate, its private key and the CA certificate to PFX
5. Create a client CSR
6. Create a CRT from the client CSR
7. Create a PFX from the client CRT, its private key and the CA certificate
Problem or Goal
This article describes how to create a 2048-bit CSR, a DER-encoded certificate, PFX bundles and the certificate chain that ties them together, using OpenSSL.
Solution
Process for Windows:
For Windows, download the installer from http://slproweb.com/products/Win32OpenSSL.html

Install it and add the installation directory (the one containing openssl.exe) to %PATH%. Then create the directory layout that the openssl ca command expects. The default openssl.cfg shipped with the installer uses ./demoCA as the CA directory, with a newcerts subdirectory, an index.txt database and a serial file:
C:\>cd (Installed Directory)
C:\(Installed Directory)>md certs
C:\(Installed Directory)>cd certs
C:\(Installed Directory)\certs>md democa
C:\(Installed Directory)\certs>md democa\newcerts
C:\(Installed Directory)\certs>edit democa\index.txt
C:\(Installed Directory)\certs>edit democa\serial

Leave index.txt empty. In the serial file enter 01, then save and exit; this is the serial number the CA will assign to the first certificate it issues. The directory is created as democa here and referred to as DemoCA later; this works only because Windows file names are case-insensitive. On a case-sensitive file system (Linux, macOS) use the exact name demoCA, or point openssl ca at your own configuration with -config.

1. Create a 2048-bit CA.
Generate the CA private key:

C:\OPENSS~1\certs>openssl genrsa -out ca.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..................................................................+++
...............................................+++
e is 65537 (0x10001)

ca.key is written unencrypted. Anyone who can read it can issue certificates that every PPS/PCS and client trusting this CA will accept, so restrict access to the certs directory, or add -aes256 to the genrsa command to protect the key with a passphrase (openssl ca will then prompt for it at each signing).

Next, use this key to create a self-signed CA certificate, valid for 1000 days. Answer the prompts with the CA's Distinguished Name. Give the CA a Common Name that is distinct from the server certificate's; the lab run below reused PPS PCS Team LAB for both, which signs fine but makes the chain harder to read and debug:

C:\OPENSS~1\certs>openssl req -new -x509 -days 1000 -key ca.key -out DemoCA/CACert.pem

Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ivanti
Organizational Unit Name (eg, section) []:PPS PCS TEAM
Common Name (e.g. server FQDN or YOUR name) []:PPS PCS Team LAB
Email Address []:admin@juniper.net

The lab procedure then copies CACert.pem to CACert.der for import into PPS/PCS. Note that copying or renaming does not change the encoding, so that file is still PEM. If a genuinely DER-encoded file is required, convert it instead: openssl x509 -in DemoCA\CACert.pem -outform DER -out DemoCA\CACert.der. Keep CACert.pem as well; the openssl ca and pkcs12 steps below read it.

2. Create a 2048-bit CSR for the PPS/PCS server. -newkey generates the server key at the same time, -nodes leaves that key unencrypted, and -subj supplies the Distinguished Name so there are no prompts. For a server certificate the CN should be the host name clients connect to; modern browsers additionally require that name in a subjectAltName extension, which this command does not add, so the result is fine for a lab but not for production:
C:\OPENSS~1\certs>openssl req -new -newkey rsa:2048 -nodes -out Client_PPS_Server.csr -keyout Client_PPS_Server.key -subj "/C=IN/ST=TN/L=Bangalore/O=Ivanti/OU=PPS PCS TEAM/CN=PPS PCS Team LAB"
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...............................................................................+++
..............+++
writing new private key to 'Client_PPS_Server.key'

3. Sign the server CSR with the CA. Despite the .der extension used here, openssl ca always writes PEM (a text dump of the certificate followed by the PEM block; add -notext to omit the dump), so a real DER file needs a separate openssl x509 -outform DER conversion. -cert is given explicitly; without it the default openssl.cfg looks for ./demoCA/cacert.pem, which only matches CACert.pem on a case-insensitive file system. The default policy (policy_match) requires the request's C, ST and O to equal the CA certificate's, which they do here; it does not list localityName, which is why L=Bangalore is absent from the issued certificate:

C:\OPENSS~1\certs>openssl ca -in Client_PPS_Server.csr -out Client_PPS_Server.der -keyfile ca.key -cert DemoCA\CACert.pem
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 24 19:49:42 2013 GMT
Not After : Dec 24 19:49:42 2014 GMT
Subject:
countryName = IN
stateOrProvinceName = TN
organizationName = Ivanti
organizationalUnitName = PPS PCS TEAM
commonName = PPS PCS Team LAB
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B2:E9:90:2F:29:19:5B:2B:81:5D:5D:C0:06:4D:89:52:56:A1:8D:DA
X509v3 Authority Key Identifier:
keyid:05:1C:C3:21:03:96:24:B7:4A:CC:48:08:2D:58:DF:8D:F9:D9:15:B8

Certificate is to be certified until Dec 24 19:49:42 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Convert the server certificate and its private key to PKCS#12 (.pfx/.p12), bundling the CA certificate, for the PPS server. Client_PPS_Server.der is read as PEM here (see step 3), which is why this works:
C:\OPENSS~1\certs>openssl pkcs12 -export -out PPSCertPFX.pfx -inkey Client_PPS_Server.key -in Client_PPS_Server.der -certfile democa\CACert.pem
Loading 'screen' into random state - done
Enter Export Password: 1234567 (the password is not echoed while you type)
Verifying - Enter Export Password: 1234567 (the author notes that the import did not work with a password longer than seven characters, as tested in the lab)

The .pfx contains the private key, so protect the file and its password like the key itself. OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default; if the appliance rejects such a file, re-export with the -legacy option (OpenSSL 3.x only) to get the older RC2/3DES encoding that older importers expect.

How to create a 2048-bit certificate for a client PC, signed by the OpenSSL CA created above.

5. Create a CSR (and a new key) for the client PC. Note that the Organization differs from the CA certificate's; this matters in step 6:
C:\OpenSSL-Win32\Certs>openssl req -new -newkey rsa:2048 -nodes -out ClientPC.csr -keyout ClientPC.key -subj "/C=IN/ST=TN/L=Chennai/O=ClientCompany/OU=ClientUnit/CN=ClientPC"

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............+++
...........+++
writing new private key to 'ClientPC.key'
-----

6. Sign the client CSR with the CA to produce a CRT. The request's organizationName (ClientCompany) differs from the CA certificate's (Ivanti), and the default policy_match requires C, ST and O to match, so openssl ca would reject the request. -policy policy_anything (a section present in the default openssl.cfg) accepts any subject that has a commonName, and also carries localityName through into the issued certificate:
C:\OpenSSL-Win32\Certs>openssl ca -in ClientPC.csr -out ClientPC.crt -keyfile ca.key -cert DemoCA\CACert.pem -policy policy_anything
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Dec 24 21:12:38 2013 GMT
Not After : Dec 24 21:12:38 2014 GMT
Subject:
countryName = IN
stateOrProvinceName = TN
localityName = Chennai
organizationName = ClientCompany
organizationalUnitName = ClientUnit
commonName = ClientPC
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:14:2C:20:6E:A7:14:47:0A:1B:C5:08:83:33:AF:F7:3F:2E:D2:CA
X509v3 Authority Key Identifier:
keyid:98:5B:9F:5E:DE:20:41:9E:D1:EE:B4:5A:E6:F2:E8:E5:15:B2:83:28

Certificate is to be certified until Dec 24 21:12:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entry.
Data Base Updated

7. Create a PFX from the client CRT and its private key, bundling the CA certificate:
C:\OpenSSL-Win32\Certs>openssl pkcs12 -export -out ClientCertPFX.pfx -inkey ClientPC.key -in ClientPC.crt -certfile democa\CACert.pem
Loading 'screen' into random state - done
Enter Export Password: 12345
Verifying - Enter Export Password: 12345

Before importing ClientCertPFX.pfx on the client PC, confirm that the certificate chains to the lab CA: openssl verify -CAfile democa\CACert.pem ClientPC.crt should print ClientPC.crt: OK. The export password shown is a lab value; use a strong one, and treat the .pfx as sensitive since it holds the client's private key.
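The seven steps above as a single POSIX shell script (it runs under Git Bash or WSL on Windows as well as on Linux). This is an added example, not code from the article or from Ivanti; it assumes an OpenSSL 1.1.1 or 3.x binary on PATH plus od and tr. It brings its own minimal openssl.cnf so the result does not depend on the Windows default configuration, the demoCA directory name or a case-insensitive file system. File names and Distinguished Names follow the article; the work directory, the helper function names, the config section names (lab_ca, usr_cert, v3_ca, req_dn) and the "Root CA" suffix on the CA's Common Name are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the KB article: steps 1-7 as one script with its own minimal
# openssl.cnf, so nothing depends on the Windows default config, the demoCA directory
# name or a case-insensitive file system. Section names and the "Root CA" CN are ours.
set -eu

# Minimal CA config written into "$1". policy_anything lets ClientPC keep O=ClientCompany
# although the CA is O=Ivanti; the default policy_match would reject that request.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca      = lab_ca
[ lab_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/CACert.pem
private_key     = \$dir/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build CA, server and client certificates in fresh directory "$1", PKCS#12 export
# password "$2". Refuses a directory that already holds a CA database (index.txt).
build_chain() {
  dir=$1; pfx_pass=${2:-changeit}
  [ ! -e "$dir/index.txt" ] || { echo "refusing to reuse $dir: CA database exists" >&2; return 1; }
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_ca_config "$dir"
  cfg=$dir/ca.cnf
  ca_dn="/C=IN/ST=TN/L=Bangalore/O=Ivanti/OU=PPS PCS TEAM"
  # 1. CA key and self-signed CA certificate (a production CA key would be encrypted
  #    with genrsa -aes256 and kept offline). A DER copy is a re-encoding, not a rename.
  openssl genrsa -out "$dir/ca.key" 2048
  openssl req -new -x509 -sha256 -days 1000 -key "$dir/ca.key" -config "$cfg" \
    -subj "$ca_dn/CN=PPS PCS Team LAB Root CA" -out "$dir/CACert.pem"
  openssl x509 -in "$dir/CACert.pem" -outform DER -out "$dir/CACert.der"
  # 2-3. Server key + CSR, signed by the CA. -notext gives pure PEM; openssl ca cannot
  #      write DER whatever the output file is called, so convert with x509 as above.
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
    -keyout "$dir/Client_PPS_Server.key" -out "$dir/Client_PPS_Server.csr" \
    -subj "$ca_dn/CN=PPS PCS Team LAB"
  openssl ca -batch -notext -config "$cfg" \
    -in "$dir/Client_PPS_Server.csr" -out "$dir/Client_PPS_Server.crt"
  # 5-6. Client key + CSR with a different O, accepted because of policy_anything.
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
    -keyout "$dir/ClientPC.key" -out "$dir/ClientPC.csr" \
    -subj "/C=IN/ST=TN/L=Chennai/O=ClientCompany/OU=ClientUnit/CN=ClientPC"
  openssl ca -batch -notext -config "$cfg" -in "$dir/ClientPC.csr" -out "$dir/ClientPC.crt"
  # 4 and 7. PKCS#12 bundles (key + cert + CA). The password goes through the
  #    environment (-passout env:), so it does not appear in the process list.
  for pair in Client_PPS_Server:PPSCertPFX ClientPC:ClientCertPFX; do
    PFX_PASS=$pfx_pass openssl pkcs12 -export -passout env:PFX_PASS \
      -inkey "$dir/${pair%%:*}.key" -in "$dir/${pair%%:*}.crt" \
      -certfile "$dir/CACert.pem" -out "$dir/${pair#*:}.pfx"
  done
}

# DER or PEM? DER starts with a SEQUENCE tag (30 82 ..), PEM with "-----BEGIN".
cert_encoding() {
  case "$(od -An -tx1 -N 10 "$1" | tr -d ' \n')" in
    3082*) echo DER ;;
    2d2d2d2d2d424547494e*) echo PEM ;;
    *) echo UNKNOWN ;;
  esac
}
# Does "$2" chain to the lab CA in "$1"? This is what PPS/PCS verify on import.
chain_is_valid() { openssl verify -CAfile "$1/CACert.pem" "$2" >/dev/null 2>&1; }
# Subject DN of a certificate, e.g. to confirm O=ClientCompany survived signing.
subject_of() { openssl x509 -in "$1" -noout -subject; }

# Usage: sh make_chain.sh ./labca 'ExportPassword'
if [ $# -gt 0 ]; then build_chain "$@"; fi
```

Run it as sh make_chain.sh ./labca 'ExportPassword'. Afterwards cert_encoding labca/CACert.der prints DER while cert_encoding labca/CACert.pem prints PEM, chain_is_valid labca labca/ClientPC.crt succeeds, and subject_of labca/ClientPC.crt shows that both O=ClientCompany and L=Chennai survived signing under policy_anything. The refusal to reuse a directory avoids the TXT_DB duplicate-subject error that a second run against the same index.txt would otherwise produce.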
Created By: Chetan JayprakashSoni
