Generating a Certificate Signing Request (CSR) in Ubuntu

Create your own encryption certificates

To generate a Certificate Signing Request (CSR) in Ubuntu, first create your own private key. Run the following command at a terminal prompt to create the key. The key size is given as 2048 bits because publicly trusted CAs do not accept RSA keys shorter than that:

openssl genrsa -des3 -out server.key 2048

You are then prompted to enter a passphrase. For best security, it should contain at least eight characters; the minimum length when specifying -des3 is four characters. It should include numbers and punctuation, and it should not be a word found in a dictionary. The passphrase is also case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the server.key file.

You can also run your secure web server without a passphrase. This is convenient because you won't need to enter the passphrase every time you start your secure web server. However, it is highly insecure, and a compromise of the key means a compromise of the server.

In any case, you can choose to run your secure web server without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:

openssl rsa -in server.key -out server.key.insecure

Once you run the above command, the insecure key is stored in the server.key.insecure file. You can use this file to generate the CSR without a passphrase.

To create the CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, and other information. Once you enter these details, your CSR is created and stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA uses this CSR file and issues the certificate. Alternatively, you can create a self-signed certificate using this CSR.
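
Before submitting server.csr to a CA, it is worth checking the pair produced by the steps above. The following script is an added example, not part of the original article: it runs the two commands non-interactively and then checks the CSR's self-signature, its key size, whether server.key is still passphrase-protected, and whether the CSR really belongs to that key. The function names, the KEYPASS environment variable, the constructed subject and the 2048-bit floor are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the constructed
# subject and the 2048-bit floor are assumptions of this example.
MIN_BITS=2048

# Non-interactive form of the article's genrsa and req commands.
# The passphrase is read from the KEYPASS environment variable.
make_pair() {   # $1 = output directory, $2 = key size in bits
    openssl genrsa -des3 -passout env:KEYPASS -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -passin env:KEYPASS \
        -subj "/O=Example Corp/CN=www.example.com" -out "$1/server.csr"
}

# Print the size in bits of the public key inside a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed if the PEM key file is encrypted (traditional or PKCS#8 header).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if the CSR carries the public half of this private key.
csr_matches_key() {   # $1 = CSR, $2 = key, $3 = passphrase source for -passin
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run every check; print one line per failure, return non-zero if any failed.
check_csr() {   # $1 = CSR, $2 = key, $3 = passphrase source for -passin
    rc=0
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }
    bits=$(csr_bits "$1")
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "FAIL: ${bits:-0}-bit key, need at least $MIN_BITS"; rc=1; }
    key_is_encrypted "$2" ||
        { echo "FAIL: private key file is not passphrase-protected"; rc=1; }
    csr_matches_key "$1" "$2" "$3" ||
        { echo "FAIL: CSR was not generated from this key"; rc=1; }
    return "$rc"
}
# Usage: export KEYPASS; check_csr server.csr server.key env:KEYPASS
```

Passing the passphrase through env:KEYPASS keeps it out of the process list, which a pass: argument on the command line would not.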