This article describes the steps to take to generate your own certificate request for submission to an SSL certificate vendor.
Since the 1.3 branch, mbed TLS also includes the core and example applications for generating keys and certificate requests without relying on other libraries and applications, offering users a command-line alternative to OpenSSL for generating their keys and certificate requests.
This article assumes you have compiled (and optionally installed) the mbed TLS library and example programs on your system.
Certificate Request for use with SSL vendors
Whenever you request a certificate from one of the SSL vendors, you are asked to enter a CSR. CSR is short for Certificate Signing Request and is usually supplied in PEM format.
To generate a certificate request, you need a public/private key pair. The public key is put in the certificate request together with some identifying information (e.g. website domain, address, country), and the request is signed with your private key to prove you possess it. By submitting the request you ask the SSL vendor to sign it with their CA key and issue a full certificate from it. Only the request leaves your machine; the private key never needs to be sent to the vendor.
The CA determines the validity period of the certificate it issues, typically according to the product you paid for; nothing in the CSR controls it.
Generating an RSA key file
The first step in generating a certificate request is to generate a private/public key pair for the certificate.
For generating key files, mbed TLS includes the gen_key application (located in programs/pkey ).
This key generation application accepts the following arguments:
The following command generates a 2048 bit RSA key file for us:
Generating a certificate request
For generating and writing certificate request files, mbed TLS includes the cert_req application (located in programs/x509 ).
Before generating the certificate request we need to determine the different values that need to go in it.
Key to use in the certificate
First and foremost, a certificate binds a public key to an identity. To indicate which key to use in the certificate request we pass the private key file with the filename argument, like so filename=example.com.key . It has to be the private key, because cert_req signs the request with it.
Each certificate request needs a subject name (the identity that is being signed). Each CA vendor has different requirements for which items are required in a certificate request.
In case we want to request a certificate for the example.com domain name from the organization 'Example Ltd' in the United Kingdom, we should use subject_name=CN=example.com,O=Example\ Ltd,C=GB on the command-line. Note that C takes the two-letter ISO 3166-1 country code, which is GB for the United Kingdom; most CAs reject the informal 'UK'.
Note: If you want to use a space in one of the names you have to either escape it ( subject_name=CN=my\ server ) or enclose the entire argument in quotes ( "subject_name=CN=my server" ).
Note 2: Commas inside names need to be escaped with a backslash too, since cert_req splits the subject name on unescaped commas. You need to protect the backslash from your shell, e.g. subject_name=CN=my\\\,server or subject_name='CN=my\,server' .
The attributes cert_req supports in a subject_name are:
- C = Country
- CN = Common Name
- L = Locality
- O = Organisation
- OU = Organisational Unit
- R = e-mail address
- ST = State
Command to generate a certificate request
So the full command for generating a certificate request for example.com.key with the name 'CN=example.com, O=Example Ltd, C=GB' would be:
And you are done!
The file example.com.req now contains your (PEM encoded) certificate request. It will look something like:
In most cases you can paste that PEM block directly into the certificate vendor's web form. Keep example.com.key private and readable only by you; the vendor never needs it, and you will need it on the server to use the certificate they issue.
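The complete procedure from the sections above as one shell script (an added example, not part of the original article or of the mbed TLS sources): it generates the key with gen_key, writes the request with cert_req, and then cross-checks the result with OpenSSL so you know the CSR carries the subject and the public key you intended before pasting it into a vendor's form. It assumes the example programs were built in a source tree pointed to by the hypothetical MBEDTLS_DIR variable and that the openssl command is available; dn_escape, build_subject, make_csr and check_csr are helper names chosen here, not mbed TLS programs.

```shell
#!/bin/sh
# Added example (not from the original article or the mbed TLS project):
# gen_key -> cert_req -> independent check of the resulting CSR.
# Assumption: MBEDTLS_DIR is a built mbed TLS source tree (hypothetical variable).
set -eu

MBEDTLS_DIR="${MBEDTLS_DIR:-.}"
GEN_KEY="$MBEDTLS_DIR/programs/pkey/gen_key"
CERT_REQ="$MBEDTLS_DIR/programs/x509/cert_req"

# cert_req splits subject_name on unescaped commas, so a comma inside a
# value ("Example, Ltd") must become "\,". Spaces need no escaping as long
# as the whole argument is quoted when handed to cert_req.
dn_escape() {
    printf '%s' "$1" | sed 's/,/\\,/g'
}

# Assemble the subject_name value from its parts: CN, O and ISO 3166-1 C.
build_subject() {
    printf 'CN=%s,O=%s,C=%s' "$(dn_escape "$1")" "$(dn_escape "$2")" "$(dn_escape "$3")"
}

# Step 1: 2048-bit RSA private key in PEM, created with owner-only permissions.
# Step 2: the request, signed with that key, carrying the given subject.
make_csr() {
    host=$1
    subject=$2
    ( umask 077; "$GEN_KEY" type=rsa rsa_keysize=2048 filename="$host.key" )
    "$CERT_REQ" filename="$host.key" output_file="$host.req" subject_name="$subject"
}

# Cross-check with OpenSSL: the public key embedded in the CSR must equal the
# one derived from our private key, and the subject must be what we asked for.
check_csr() {
    host=$1
    req_pub=$(openssl req -in "$host.req" -noout -pubkey)
    key_pub=$(openssl pkey -in "$host.key" -pubout)
    if [ "$req_pub" != "$key_pub" ]; then
        echo "public key in $host.req does not match $host.key" >&2
        return 1
    fi
    openssl req -in "$host.req" -noout -subject
}

# Only run the real flow when the built programs and openssl are present.
if [ -x "$GEN_KEY" ] && [ -x "$CERT_REQ" ] && command -v openssl >/dev/null 2>&1; then
    make_csr example.com "$(build_subject example.com 'Example Ltd' GB)"
    check_csr example.com
fi
```

If check_csr reports a mismatch, the request was signed with a different key file than the one you intend to install on the server; regenerate the request rather than sending it to the vendor.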