Creating Certificate Signing Request (CSR)
Written by Ievgen Iosifov


Configuration

Use an internal company Certificate Authority (CA) or a commercial CA, such as Thawte or Verisign, to sign the SSL certificates. Using a trusted CA, or importing the self-signed certificate into the clients' trusted stores, avoids browser warnings about 'untrustworthy' self-signed certificates.

The following steps cover configuring secure web access (HTTPS) using commercially signed and self-signed SSL certificates.

Create a Private Key and Certificate

To proceed with the configuration, log in to the CLI of the server, for example, using an SSH client. Log in as admin, then enter su - and the root password to become the root user.

Use the OpenSSL utility to generate the RSA private key and, for security reasons, adjust the permissions:

mkdir -p /opt/enderturing/certificates/public
openssl genrsa -out /opt/enderturing/certificates/public/localhost.key 4096
chmod 400 /opt/enderturing/certificates/public/localhost.key

Next, either create a self-signed certificate or obtain a commercially signed certificate. Both require the addition of Subject Alternative names.

Adding Subject Alternative Names in SSL/HTTPS Certificates

Internet browsers like Google Chrome no longer trust a certificate without a Subject Alternative Name. The Subject Alternative Name can, and usually will, be the same as the CN, and it must be present. Rather than simply creating a new certificate directly from a key, it is recommended that an SSL config file be created and the CSR (Certificate Signing Request) generated from that config file. You still create the CSR for self-signed certificates and then create the self-signed certificate from the CSR. To start, paste the following contents into a new file called /opt/enderturing/certificates/public/ssl.conf (or choose an alternative name):

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.company.com
DNS.2 = alias.company.com
IP.1 = 1.2.3.4

Edit sections [req_distinguished_name] and [alt_names] and fill in valid information for your specific deployment.

It is also possible to add or remove fields in the alt_names section as required by your deployment (add or remove DNS names, or add or remove IP fields).

Creating Certificate Signing Request

After you create the conf file, generate the CSR with the openssl req command, adding the -config argument that points to the conf file. See the example below:

openssl req -nodes -new -sha256 -key /opt/enderturing/certificates/public/localhost.key -config /opt/enderturing/certificates/public/ssl.conf > /opt/enderturing/certificates/public/cert.csr
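The article describes creating a self-signed certificate from the CSR but does not show the command, and it gives no way to confirm that the SANs actually made it into the CSR and certificate. The script below is an added example, not part of Ender Turing's installation scripts: it writes the same ssl.conf, generates the key and CSR, self-signs the CSR while carrying the v3_req extensions across (openssl x509 -req drops them unless -extensions/-extfile is given), and then checks the SANs and that the private key matches the certificate. It assumes openssl is on PATH and works in a temporary directory (WORKDIR) instead of /opt/enderturing/certificates/public, so it needs no root; the 2048-bit key size is only to keep the run short, the article's 4096 is the value to use in production.

```shell
#!/bin/sh
# Added example (not Ender Turing's own code). Assumptions: openssl on PATH,
# WORKDIR is a scratch directory rather than /opt/enderturing/certificates/public.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/localhost.key"
CONF="$WORKDIR/ssl.conf"
CSR="$WORKDIR/cert.csr"
CRT="$WORKDIR/localhost.crt"

# Same config as the article: the CN is repeated as DNS.1 so the SAN covers it.
write_conf() {
  cat > "$CONF" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.company.com
DNS.2 = alias.company.com
IP.1 = 1.2.3.4
EOF
}

# Private key (read-only for its owner) and CSR built from the config file.
make_key_and_csr() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null   # 2048 only to keep the example fast
  chmod 400 "$KEY"
  openssl req -nodes -new -sha256 -key "$KEY" -config "$CONF" -out "$CSR" 2>/dev/null
}

# Self-sign the CSR. Without -extensions/-extfile the SANs would not be copied
# into the certificate, and browsers would reject it exactly as the article warns.
self_sign() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -sha256 \
    -extensions v3_req -extfile "$CONF" -out "$CRT" 2>/dev/null
}

# The SAN line of the CSR, e.g. "DNS:www.company.com, DNS:alias.company.com, IP Address:1.2.3.4"
csr_san() {
  openssl req -in "$CSR" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# The SAN line of the signed certificate; must equal the CSR's line.
cert_san() {
  openssl x509 -in "$CRT" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# "yes" when the certificate carries the public key derived from localhost.key.
# Useful after a CA returns a certificate, to catch a cert issued for a different CSR.
key_matches_cert() {
  k="$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)"
  c="$(openssl x509 -in "$CRT" -pubkey -noout | openssl sha256)"
  [ "$k" = "$c" ] && echo yes || echo no
}

write_conf
make_key_and_csr
self_sign
echo "CSR SAN:          $(csr_san)"
echo "Certificate SAN:  $(cert_san)"
echo "Key matches cert: $(key_matches_cert)"
```

The same key_matches_cert check applies to a commercially signed localhost.crt: point KEY and CRT at the files in /opt/enderturing/certificates/public before copying them into place.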

Obtain a Commercially Signed Certificate

  1. Send the certificate signing request file cert.csr to the CA.

  2. After receiving the signed certificate, save it as localhost.crt on the server in the same directory as the private key.

  3. Copy the key and certificate into place and change the file ownership using the following command:

    # change PERMISSIONS because userns-remap used for docker
    DOCKER_USER_SUBUID="$(grep dockremap /etc/subuid | cut -d':' -f2)" # get subuid of userns-remap user
    DOCKER_USER_SUBGID="$(grep dockremap /etc/subgid | cut -d':' -f2)" # get subgid of userns-remap user
    USER_ID=${USER_ID:=911} # TODO remove hardcoded 911. If variable not set or null, set it to default.
    USER_SUBUID=$((DOCKER_USER_SUBUID + USER_ID))
    chown "${USER_SUBUID}:${DOCKER_USER_SUBGID}" /opt/enderturing/certificates/public/localhost.*
    chmod 400 /opt/enderturing/certificates/public/*.key

  4. You may need to take a look at the Adding Subject Alternative Names section.

Useful commands

Sometimes, it may be necessary to convert the certificates from one format to another.

Typically, the commercially signed certificate arrives in binary DER-encoded form, which needs to be converted into the ASCII PEM format.

For further information and conversion examples, see the OpenSSL documentation: http://www.openssl.org/docs/apps/x509.html and the SSL Shopper site: https://www.sslshopper.com/ssl-converter.html.

How to convert a DER encoded certificate into PEM certificate

openssl x509 -inform der -in original_file.cer -out localhost.crt

How to convert a PEM encoded .cer file into a PEM .crt certificate

openssl x509 -inform pem -in original_file.cer -out localhost.crt

How to extract private key and X.509 certificate from a PKCS#12 archive

Note: the archive file can have either a .p12 or a .pfx extension. In both cases, it is the same PKCS#12 file type.

Extract certificate:

openssl pkcs12 -in original_file.pfx -nokeys -out localhost.crt

Extract key:

openssl pkcs12 -in original_file.pfx -nocerts -out localhost.key -nodes

How to display the contents of a CSR

openssl req -text -noout -verify -in original_file.csr
