OpenSSL for CSRs

In the age of Cloud-anything, there’s a managed service for everything, and that includes all aspects of PKI (public key infrastructure). PKI is what ensures visitors get the lock icon (indicating a secure connection) when they visit your site. If the hosted site lives entirely within a single Cloud environment or some other PaaS, you can take advantage of such managed services. But in IT/Software consulting there will probably be some divide in the governance of PKI material, and you may be required to submit a CSR (Certificate Signing Request). Here are my notes and OpenSSL commands for how I’ve managed this in a few projects recently.

Warning: I’ve tried to keep things generalized, but there will certainly be differences in the specifics of your situation.

But before I begin, let’s make sure this page is for you. Here’s our User Story:

As an extremely diligent and cybersecurity minded infrastructure engineer/ninja, I want to submit a Certificate Signing Request (CSR) to my client (who owns the domain big-client.com), so that the client can return a certificate to me with which I can configure my AWS ELB (or other TLS termination) to offer secure https on the software I have been contracted to build and host for said client.

an Extremely Diligent and Cybersecurity Minded Infrastructure Engineer/Ninja

First, let’s start with all the files we’ll handle…

template.cnf     // template for the input into OpenSSL
big-client.cnf   // same file as above, but completed

# output files
big-client.key
big-client.csr   // <--provide this to domain owner / client

# Certificates returned from domain owner
# (roughly named here: root, intermediate, 'leaf')
trustedRoot.crt
intermediate.crt
big-client_ai.crt

First, we use template.cnf to create big-client.cnf. The info below will need to exactly match what your client requires for their PKI processes. The commonName is the most important part: it’s the domain you are going to protect. If your client supports Subject Alternative Names (SANs), you can add them as separate DNS.n lines in the ‘alt_names’ section.

$ cat template.cnf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
countryName           = US
stateOrProvinceName   = 
localityName          = 
organizationName      = 
commonName            = 
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = 
DNS.2   =
DNS.3   =

$ cat big-client.cnf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
countryName           = US
stateOrProvinceName   = Massachusetts
localityName          = Amherst
organizationName      = Big Client Inc.
commonName            = big-client.ai
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = api.big-client.ai
DNS.2   =
DNS.3   =

Great, from this big-client.cnf let’s build the CSR!

$ openssl req -new -newkey rsa:4096 -config big-client.cnf -reqexts req_ext -keyout big-client.key -out big-client.csr

# (we're creating a 'newkey' here, but OpenSSL can also use an existing key via -key instead of -newkey)

# part-way through this invocation, you'll be asked for a passphrase; you could leave this blank. If you enter a non-empty passphrase, you need to remember it! (passing -nodes skips the prompt and writes the key unencrypted)

# outputs...
big-client.key
big-client.csr

It’s a busy Monday, your fingers are flying on the CLI and you’ve lost track of all these CSRs for multiple clients. Here’s a command to inspect the content of a CSR:

$ openssl req -text -noout -verify -in big-client.csr

Provide the big-client.csr to the client. (You should not provide the big-client.key; it never leaves your infrastructure.) The cybersecurity ninjas at your Big Client should then perform some black-box awesomeness to turn this .csr into a certificate, and return to you a root, intermediate, and ‘leaf’ certificate (to form the chain of trust). Before you configure these certificates (and big-client.key) into your infrastructure, check that the ‘leaf’ certificate matches the commonName and alt_names you requested:

$ openssl x509 -in big-client_ai.crt -text -noout
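Eyeballing -text output is error-prone on a busy Monday, so here is an added script (not from the original post) that performs the same checks mechanically before anything is installed: the leaf's public key must belong to big-client.key, its subject CN must equal the commonName in big-client.cnf, every DNS.n in alt_names must appear in the certificate's SAN, and the leaf must verify against the returned root and intermediate. It assumes openssl 1.1.1 or newer on PATH; the file names are the ones from the listing above.

```shell
#!/bin/sh
# Constructed example: verify a returned leaf certificate against the private
# key and the CSR config before installing it. Assumes openssl >= 1.1.1.

# Public key (PEM) derived from a private key, or carried in a certificate.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# Subject CN of a certificate, e.g. "big-client.ai".
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | tr -d ' ' | sed -n 's/^DNS://p'
}

# check_leaf KEY CNF CERT: exit 0 only when CERT's public key matches KEY, its
# CN equals commonName in CNF, and every non-empty DNS.n in CNF is in the SAN.
check_leaf() {
  key=$1; cnf=$2; cert=$3
  [ "$(pubkey_of_key "$key")" = "$(pubkey_of_cert "$cert")" ] ||
    { echo "public key in $cert does not match $key" >&2; return 1; }
  want_cn=$(sed -n 's/^commonName *= *//p' "$cnf")
  [ "$(cert_cn "$cert")" = "$want_cn" ] ||
    { echo "CN mismatch: cert has '$(cert_cn "$cert")', wanted '$want_cn'" >&2; return 1; }
  sans=$(cert_sans "$cert")
  for name in $(sed -n 's/^DNS\.[0-9]* *= *\([^ ]\{1,\}\)/\1/p' "$cnf"); do
    echo "$sans" | grep -qxF "$name" ||
      { echo "SAN $name missing from $cert" >&2; return 1; }
  done
  return 0
}

# check_chain ROOT INTERMEDIATE LEAF: exit 0 when LEAF chains to ROOT via INTERMEDIATE.
check_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Usage with the files from this post:
#   check_leaf big-client.key big-client.cnf big-client_ai.crt &&
#   check_chain trustedRoot.crt intermediate.crt big-client_ai.crt && echo OK
```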

OpenSSL is a very deep space, and this is a deliberately narrow set of commands. Be sure to dig deeper into your use-case and requirements, and into any other flags of the OpenSSL tool you need, to make sure you offer secure web services to your own and your clients’ customers.
