Creating CSR and KEY files in Windows using Openssl

Posted by December 21, 2018 in openssl

It’s often necessary to create csr files to be used as certificate requests for certificate authorities such as Comodo.

For Linux sysadmins this is common practice but for many Windows administrators used primarily to using built in tools like certreq.exe and certificate management GUIs, the process can seem a little unclear. The below steps for Windows should help clarify things.

Step 1 .

  • Install the Windows build of openssl on your machine.
    • In this example I’m using openssl-0.9.8h-1-setup.exe which can be downloaded from here but I recommend using the newest version.

Once downloaded, double click and install the software with the default settings.

Step 2 .

  • Create a config file for the request using notepad and save it to a known location on your machine.
    • The config file should contain the values that match your certificate requirement and the purpose of the certificate.

A general configure file would look something like this

[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
req_extensions              = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = DE
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Berlin
localityName                = Locality Name (eg, city)
localityName_default        = Berlin
organizationName            = Organization Name (eg, company)
organizationName_default    = philpug_corp
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = testcert.philpug.com
[ req_ext ]
subjectAltName              = @alt_names
[alt_names]
DNS.1                       = testcert02.philpug.com
DNS.2                       = testcert03.philpug.com
DNS.3                       = testcert04.philpug.com
DNS.4                       = testcert05.philpug.com

Once the config file is saved in the known location with the correct values it’s time to create the request.

Step 3.

  • Open a command prompt console and change directory to the installation path of openssl.

By default and in this example C:\Program Files (x86)\GnuWin32\bin

Now run the following command listing the location of the config file and output files

openssl req -out C:\cert\test.csr -newkey rsa:2048 -nodes -keyout C:\cert\test.key -config C:\cert\openssl_config.cfg

You will be asked to to confirm or change a few values in config file, if everything is correct simply press enter to continue and the result would look like this.

The output directory should now contain the files you need to complete the certificate request with your chosen certificate authority.

About the Author: Phil

Leave a Reply

Your email address will not be published. Required fields are marked *