Create CSR with a configfile using OpenSSL on Ubuntu

Recently I was required to create a CSR for a customer in order to issue a Custom SSL Certificate. This is something that I do every now and again, but I have to recall the steps and commands I used, which usually takes a few minutes.

As part of documenting this for the customer I decided to put the commands I used here for posterity. Of course there are many ways to do this, and some other examples from other sites are listed at the bottom under Documentation.

Process

The first step is to create a configuration file, which I am calling vrops_cert.conf. The file is saved into my home folder so I can find it again.

Below are the contents for that file. Depending on your environment you may need more or less sections in the file. Here I have 2 vROPS nodes in my cluster plus the load balancer VIP address in both FQDN and shortname:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = SE
ST = Stockholm Lan
L = Stockholm
O = Terataki
OU = Cloud
CN = vrops-vip.terataki.local

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = vrops-vip.terataki.local
DNS.2 = vrops-01.terataki.local
DNS.3 = vrops-02.terataki.local
DNS.4 = vrops-vip
DNS.5 = vrops-01
DNS.6 = vrops-02

Once the config file is saved I open a terminal and run the following command.

openssl req -newkey rsa:2048 -keyout vrops.key -out vrops.csr -config vrops_cert.conf -nodes

The above command outputs a new 2048-bit private key called vrops.key and a Certificate Signing Request (CSR) called vrops.csr, using the config file vrops_cert.conf. The -nodes switch writes the private key without password protection, which I don’t require.

I can now view the CSR by double clicking and viewing it. On Ubuntu this opens in preview, which is a nice way to check the contents before sending it on to the CA for issuing the cert. Issuing the certificate is pretty straightforward.

For import into vROPS I require a PEM file so I need to take the issued certificate, private key and any chain certificates and concatenate them in order to create the PEM file. The command to do that in Ubuntu is below:

cat vrops.cer vrops.key ca-chain.cer > vrops.pem

Now I can use the vrops.pem file and apply that to vROPS.
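The CSR check described above can also be done from the terminal, and the same idea applies to the issued certificate before the cat step: confirm it belongs to vrops.key. This is an added example, not part of the original post; the function names are hypothetical and the file names are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the CSR, key and issued certificate.
# Function names are hypothetical; file names follow the post.

# Print the DNS names requested in a CSR's subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every expected name that is missing from the CSR (no output = all present).
# Usage: missing_sans vrops.csr vrops-vip.terataki.local vrops-vip ...
missing_sans() {
    local csr=$1 name
    shift
    for name in "$@"; do
        csr_sans "$csr" | grep -qxF -- "$name" || echo "$name"
    done
}

# Succeed only if the CSR's self-signature verifies and its public key is the
# one in the private key file, i.e. the CSR was generated from this key.
csr_matches_key() {
    local csr_pub key_pub
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Succeed only if the certificate returned by the CA carries the same public
# key as the private key that will be concatenated into the PEM file.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Source the file, then run for example `missing_sans vrops.csr vrops-vip vrops-01 vrops-02` before sending the CSR, and `cert_matches_key vrops.cer vrops.key && cat vrops.cer vrops.key ca-chain.cer > vrops.pem` once the certificate is issued.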

Documentation

Generating a PEM file for vROPS use is documented here in VMware KB 2046591

How to create a CSR with OpenSSL

How to generate a wildcard cert CSR with a config file for OpenSSL
