Linux (CentOS 7) Generating CSR (Certificate Signing Requests)

KB ID 0001206 

Problem

If you want to use digital certificates on your CentOS server, then you will need to generate a CSR. It does not matter if you want to purchase a publicly signed certificate, or even if you are going to sign your own. Below is how to generate a CSR for a single web host.

Note: Most cert vendors now require a minimum key length of 2048 so thats what I’m going to use. And I’m assuming you have openSSL installed (type ‘openssl version‘ to find out). 

Solution

Execute the following command

[box]

[root@WebHost ~]# openssl req -newkey rsa:2048 -nodes -keyout www.YourSite.com.key -out www.YourSite.com.csr

[/box]

The CSR Generation process will begin and you will have to answer some questions;

[box]

Generating a 2048 bit RSA private key
.........................................+++
........................+++
writing new private key to 'www.YourSite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Teesside
Locality Name (eg, city) [Default City]:Middlesbrough
Organization Name (eg, company) [Default Company Ltd]:YourSite
Organizational Unit Name (eg, section) []:YourSite
Common Name (eg, your name or your server's hostname) []:www.YourSite.com
Email Address []:administrator@YourSite.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:YourSite

[/box]

This will actually create the CSR, now you need to get the text from the CSR, and sent it to your certificate vendor ,or sign it with your own CA.

[box]

[root@WebHost ~]# cat www.YourSite.com.csr
-----BEGIN CERTIFICATE REQUEST-----
NIIDKTCCAhECAQAwga4xCzAJBgNVBAYTAkdCMREwDwYDVQQIDAhUZWVzc2lkZTEW
MBQGA1UEBwwNTWlkZGxlc2Jyb3VnaDEUMBIGA1UECgwLUGV0ZU5ldExpdmUxFDAS
BgNVBAsMC1BldGVOZXRMaXZlMRwwGgYDVQQDDBN3d3cucGV0ZW5ldGxpdmUuY29t
MSowKAYJKoZIhvcNAQkBFhtpbmZvcm1hdGlvbkBwZXRlbmV0bGl2ZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCudW2OhXUnEIpiN2oQnREoZVAn
Cvvb07+7gZb5NgxSSc8pYab3ic6mmEabM3c/m9mLtO3m4ZSTJrU9QC91Vn6PF90K
iqApOfizUnNFEOSJptpcoLxlUWUJF8PZUn9fYZyNhp30QQ3B5ajxc4ML0BB+4Wp2
1sjJzfAvtSsFmUSCEXlJTrWnYkGpZz4dYYRlQgTniY4++M/AG9gL99XuSKcSD5K0
4qr07J9a6AYA0tXJq+yN3EzcLSBkIVDuNv84e+CyXc8RV+BkaRTr/gYGwQU4C+IG
87Lw8GC6P1adUi2mR4GMMbZLPYa14Psao4ZA/Ihk9EFS2xqXQH2AZ2nUGPM7AgMB
AAGgNTAXBgkqhkiG9w0BCQcxCgwIcGFzc3dvcmQwGgYJKoZIhvcNAQkCMQ0MC1Bl
dGVOZXRMaXZlMA0GCSqGSIb3DQEBCwUAA4IBAQAPUo4AVBajrflZQRI8MrRyndpD
s6MqZQwYlrceZVZrut+htS14ZC/GbaPC7gOvxYyS52RSW4UiG3egi6H7NnhqHjR+
Dz859bLKIut3YeCo3sK5+aCxvcGEjA1uduqKg5WFwPj5BvnsIYezq3O5Q4FvfQAy
FElb9snk0sJ6GFYifjeza8+w6CIabUpyl0kyDoAbnjnnyhR0s5/h4L7X3zqaQ0J+
OZVRyj54nLXoFDw1n8pGRb31khlEwDzXvVe9+wreCZ6lLqhDki94Uq5LenqofUlw
MPucqVIA9lgvQ8vjyTWVQYYffMRlAx7g/SdVTIhFBqq7rsh9/XHn7qfXlc4c
-----END CERTIFICATE REQUEST-----
[root@WebHost ~]#

[/box]

Related Articles, References, Credits, or External Links

NA

IIS: How to Create a Certificate Request

KB ID 0000840 

Problem

If you would like to obtain a digital certificate either from your own CA, or from a public certificate vendor, you need to submit a certificate signing request (csr) first.

Solution

Note: I’m making the assumption you have already installed the Web Server (IIS) role on your server.

1. Windows Key+R > iis.msc {Enter} > Select the servername > Server Certificates.

2. Create Certificate Request > Fill in the details > Next.

Note: The Common name will be the name on the certificate, e.g. If this certificate is going to secure https://sitea.domain.com then the common name would be sitea.domain.com.

3. Note: For IIS generally 1024 bits will be fine, but I suggest you use a 2048 bit length > Next.

4. Select a location to save the request and give it a sensible name > Finish.

5. Here is your certificate request in PIM format, you can copy and paste this text into your certificate request.

6. Go Here to get a web server certificate.

Related Articles, References, Credits, or External Links

NA

Exchange 2010 – Working with Certificates

KB ID 0000453

Problem

Exchange 2010 installs with it’s own (self signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.

The following process uses the Exchange Management console to create a CSR (Certificate Signing Request). Then what to do with the certificate, when it has been sent back to you.

Solution

Certificate Vendors

Buy Your Exchange Certificates Here!

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Using a Third Party Digital Certificate

(For Identification, AnyConnect, and SSL VPN)

KB ID 0000694

Problem

A client asked me how to do this, so off I went to the test bench to work it out.

Note: I’m this example In going to submit the request to, and issue the certificate from, my own windows domain certificate authority, you would send your request to a third party certificate authority, here’s a direct link to the certificate type you require. To use your own CA every client connecting to the ASA would need to trust this CA.

Solution

Certificates are date specific, so we need to make sure your firewall knows the correct date and time.

1. Connect to the ASA via ASDM > Configuration > Device Setup > System Time > Set the time and time zone correctly.

Note: As shown, from command line simply enter “show clock”.

2. Configuration > Device Management > Certificate Management > Identity Certificates > Add > New > Supply a key pair name > Generate Now.

Note: If using Digicert change the Key Size to 2048 or you will see this error, when you attempt to get your certificate.

Something is wrong
The CSR uses an unsupported key size, please generate a new CSR with a key size of at least 2048 bits
.

3. Select > Set each attribute, and add it one by one (as shown) > OK.

4. Advanced > Set the FQDN to the SAME name you entered for the CN in step 3 > OK > Add Certificate.

5. Choose a location to save the certificate request.

6. Locate and open the certificate request and it should look something like this.

Note: This is the information your certificate vendor will require.

7. Once your request had been processed the certification authority should send you a certificate. (Note: some vendors may send you a text file that you need to rename from filename.txt to filename.cer before it will look like this).

8. With the certificate open (as above) > Certificate path > Select the the Issuing Certificate Authority > Copy to File.

Note: You need to import the root certificates, and depending on the vendor, any intermediate certificates, I’ve shown an example from two major vendors to illustrate.

9. Select “Base-64 encoded…” > Next.

10. Save the cert somewhere you can find it.

11. Open it with notepad, and it should look like this > Select ALL the text.

12. Back at the ASDM > Configuration > Device Management > Certificate Management > CA Certificates > Add > Paste certificate in PEM format > Paste in the text > Install Certificate.

13. Repeat the process for any other RootCA or Intermediate Certificates. Then you will need to go back to step 8 and export the web certificate itself, (i.e. in this case select vpn.petenetlive.net and export that to file, and copy that from notepad to the clipboard).

14. Back in the ASDM this time you will need to install the Identity Certificate, (this is the one you paid for!) > Select the pending request from earlier > Install > Paste in the text > Install Certificate > Apply.

15. To enable the certificate on the outside interface > Configuration > Device Management > Advanced > SSL Settings > outside > Edit > Select the new one from the list > OK > Apply.

16. Note: If you were configuring your AnyConnect VPN’s later this is the point in the setup, where you would select the new certificate.

17. Make sure you can resolve the name that’s on the CN of your certificate and you can reach it from a client machine.

18. Now you should be able to connect without certificate warnings.

19. Don’t forget to save the settings on your ASA (File > Save Running Configuration to Flash).

Related Articles, References, Credits, or External Links

Securing Cisco SSL VPN’s with Certificates

Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)