This guide will show you how to generate certificate signing request (CSR) file in Linux system.
The CSR file generated will be sent and signed by the CA server.
Subject Alternative Name (SAN) is required by chromium-based browers such as Chrome or Microsoft Edge.
Without SAN, chromium-based browers will still display the SSL error: ERR_CERT_COMMON_NAME_INVALID.
Generate client private key:
openssl genrsa -out myhost.example.com.key 2048
Generate certificate signing request:
vi myhost.example.com.cfg
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = v3_req
distinguished_name = dn
[dn]
countryName = "SG"
stateOrProvinceName = "Singapore"
localityName = "Singapore"
organizationName = "Example Ltd"
OU = "Example Ltd"
emailAddress = "noreply@example.com"
commonName = "myhost.example.com"
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = myhost.example.com
DNS.2 = myhost
DNS.3 = localhost
[alt_names]
IP.1 = 192.168.1.1
IP.2 = 127.0.0.1
openssl req -new -out myhost.example.com.csr -key myhost.example.com.key -config myhost.example.com.cfg
You have generated your CSR file called myhost.example.com.csr and ready to be signed by the CA server.
After been signed by CA, download the Base64 encoded certifcate.
View the certificate detail:
openssl x509 -in certnew.cer -text -noout
...
Validity
Not Before: Apr 24 07:26:07 2024 GMT
Not After : Apr 24 07:26:07 2027 GMT
...