For the management processes below, we will be using OpenSSL on a Linux/MacOS operating system. OpenSSL is available on Windows operating systems and generally has the same command structure. Typically, on Windows operating systems you will run the commands within the bin directory of the OpenSSL installation.
A certificate signing request is the first stage in creating a new certificate. It is here where you will generate the private key along with the parameters of the certificate details to be signed.
We recommend using a configuration file and referencing it during CSR generation. It is saved as a .cnf file and follows the structure below.
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = GB
ST = Hertfordshire
L = Kings Langley
O = JGC IT Services
OU = IT Arena
CN = jgc-it.com
emailAddress = [email protected]

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.jgc-it.com
DNS.2 = jgc-it.com
Most of the fields should be self-explanatory from the example above. The req_extensions section is only needed when you want additional parameters in the request, such as Subject Alternative Names (SANs), shown here as alt_names. You will use this when listing specific sub-domains rather than buying a wildcard certificate, which protects one level of sub-domain under *.mydomain.com.
We recommend creating a local directory where you will store items like configuration files for referencing in the process of creating your CSR. Save or move the configuration file to the newly created directory.
Open terminal and cd to the location of the created directory. Ensure you are in the correct location through using the ls command to view the contents of the directory. Your configuration file should be showing here.
JGC-01-Mac ~ % cd Documents/cert-renewals
JGC-01-Mac cert-renewals % ls
jgc-it.com.cnf
Next, enter the following command.
openssl req -out [name].csr -newkey rsa:2048 -nodes -keyout [name].key -config [filename].cnf
The command with our example would look like this.
openssl req -out jgc-it.com.csr -newkey rsa:2048 -nodes -keyout jgc-it.com.key -config jgc-it.com.cnf
This process will create two things: your CSR and a private key, named as you have specified. Note that -nodes writes the private key to disk unencrypted, so restrict access to the key file.
IMPORTANT Do not share the private key outside of your secure environment. This will be referenced later once we have the signed certificate to create a PFX file.
The next part of the certificate process depends on where you are using your certificate. For any external facing services, you are going to need to get your certificate signed by an external certificate authority, e.g. DigiCert, GeoTrust, Comodo or RapidSSL.
The type of certificate you require at this point is also important. There are a few options here around validation types.
Domain Validation (DV): Proof of domain ownership is achieved through updating DNS.
Organisational Validation (OV): Proof of domain ownership is achieved through email validation to specific addresses, e.g. [email protected], [email protected].
Extended Validation (EV): On top of the OV validation steps, you will need to accept a phone call to the number on a public record against your business, e.g. the main business phone number on Google. On the brief call you will confirm the order is genuine before confirming the purchase.
Once you have chosen the certificate type, you can go through many resellers or direct to one of the mentioned certificate authorities. The CSR will be provided to the certificate authority, and this will be used to generate the signed certificate.
If you are using this certificate internally, you can potentially use a Windows Server deployment with certification authority installed to sign the certificate. We will not go into detail here on this, as there are many Microsoft guides online for this part of the process. Feel free to reach out to us if you would like any guidance on this part.
You will now have nearly all the components for installing your certificate. The only part not discussed would be the certificate chain, which would be provided by the certificate authority. The intermediate certificate should be provided along with your certificate.
TOP TIP Create a text file containing both the newly provided certificate and the intermediate certificate, saved as a .crt file. Paste both certificates in PEM format into the file without blank lines between them, with your certificate first followed by the intermediate certificate. Example below.
-----BEGIN CERTIFICATE-----
enter text from provided certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
enter text from provided intermediate certificate
-----END CERTIFICATE-----
The reason for this is that it is much easier to reference for creating a PFX file.
Open terminal and cd to the location of the created directory. In here you should already be able to view the previously created private key. Make sure you save your certificate chain crt file in the same location.
JGC-01-Mac ~ % cd Documents/cert-renewals
JGC-01-Mac cert-renewals % ls
jgc-it.com.cnf
jgc-it.com.key
jgc-it.com.csr
jgc-it.com-chain.crt
openssl pkcs12 -export -out <filename>.pfx -inkey <filename>.key -in <cert-chain>.crt
openssl pkcs12 -export -out jgc-it.com.pfx -inkey jgc-it.com.key -in jgc-it.com-chain.crt
Once entered you will be prompted for an export password, which will be entered twice.
IMPORTANT Do not lose this password, as you will otherwise be unable to import your pfx file. It is not the end of the world if you do, as you can delete the existing pfx file and follow the process above again.
To check the pfx file you can run the following command:
openssl pkcs12 -info -in [pfx].pfx
openssl pkcs12 -info -in jgc-it.com.pfx
You will be prompted to enter the import password and the contents of the pfx file will be displayed.
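The whole flow above (CSR from a .cnf, chain file, PFX export, and the checks worth running at each stage) as an added example; this is not code from the original post. Because a public CA cannot be reached offline, a throwaway root and intermediate CA stand in for the real certificate authority, and -passout/-passin stand in for the interactive password prompts (both are assumptions of this script).

```shell
#!/bin/sh
# Added example (not the post's code): CSR -> sign -> chain -> PFX, end to end.
# A throwaway root + intermediate CA stands in for the real CA (assumption).
set -eu
WORK=$(mktemp -d); cd "$WORK"
PW='constructed-export-password'   # what the post has you type twice at the prompt

# Constructed request config in the post's structure; [ca_ext] is only for the stand-in CA
cat > jgc-it.com.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = GB
CN = jgc-it.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.jgc-it.com
DNS.2 = jgc-it.com
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Step 1 (as in the post). -nodes writes the key unencrypted, so restrict the file.
openssl req -out jgc-it.com.csr -newkey rsa:2048 -nodes -keyout jgc-it.com.key -config jgc-it.com.cnf 2>/dev/null
chmod 600 jgc-it.com.key

# Step 2 (stand-in CA): root, intermediate, then sign the CSR keeping its SAN extension
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 2 -config jgc-it.com.cnf -subj '/CN=Stand-in Root' -extensions ca_ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -config jgc-it.com.cnf -subj '/CN=Stand-in Intermediate' 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt -days 2 -extfile jgc-it.com.cnf -extensions ca_ext 2>/dev/null
openssl x509 -req -in jgc-it.com.csr -CA int.crt -CAkey int.key -CAcreateserial -out jgc-it.com.crt -days 2 -extfile jgc-it.com.cnf -extensions req_ext 2>/dev/null

# Step 3 (the post's TOP TIP): leaf first, then intermediate, in one PEM file
cat jgc-it.com.crt int.crt > jgc-it.com-chain.crt

# Step 4 (as in the post); -passout stands in for the interactive prompt. This step
# also fails outright if the key does not match the first certificate in the file.
openssl pkcs12 -export -out jgc-it.com.pfx -inkey jgc-it.com.key -in jgc-it.com-chain.crt -passout "pass:$PW"

# Checks to run before the PFX is copied anywhere
csr_has_san()    { openssl req -in jgc-it.com.csr -noout -text | grep -q "DNS:$1"; }
chain_verifies() { openssl verify -CAfile root.crt -untrusted int.crt jgc-it.com.crt >/dev/null 2>&1; }
pfx_cert_count() { openssl pkcs12 -in jgc-it.com.pfx -passin "pass:$PW" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }
pfx_opens_with() { openssl pkcs12 -info -noout -nokeys -in jgc-it.com.pfx -passin "pass:$1" >/dev/null 2>&1; }
csr_has_san www.jgc-it.com && chain_verifies && [ "$(pfx_cert_count)" = 2 ] || exit 1
echo "PFX ready: $WORK/jgc-it.com.pfx"
```

With OpenSSL 3.x the PFX is written with AES-256 and PBKDF2 by default, which some older Windows releases cannot import; add -legacy to the export command if the import on such a host reports a wrong password.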
This completes the process. You now have a pfx file that can be installed on multiple devices by following the device-specific guides.
TOP TIP Remember that any device connecting to a service that presents your new certificate will need the root certificate of your chain installed. These root certificates are usually installed as part of software updates, but if you are working in a closed, secure environment, make sure you install the root certificate on the connecting device.
If you want any assistance on this process, please do reach out to us at [email protected] and we will be happy to help.