Virginia Tech Certification Authority

OpenSSL + Related

Using OpenSSL to make a request (PKCS #10) for a VTCA Server CA or Middleware CA:

NOTE: To download to a local file using the local links below, do one of the following:

  • If you are using Firefox, right click on the download link and select Save Link As...
  • If you are using IE, right click on the download link and select Save Target As ...
  1. If needed, use the links below to download and install the most current recommended version of OpenSSL. OpenSSL is free to download and use.
    NOTE: The following write up is based on a default install.
  2. Download a modified OpenSSL configuration file: vtca_openssl.conf for a Virginia Tech Class 1 Server CA or mwcsr.conf for a Virginia Tech Middleware CA. These files enable OpenSSL to prompt you for the required domain component attributes when generating a PKCS #10 certificate signing request. Right-click and save the file, as described in the notes above, to the bin folder inside the c:\openssl folder.
  3. OpenSSL is a command-line program. From the Windows menu select "Run" -> cmd, then in the DOS box type cd c:\openssl\bin

    Note: If you plan on using openssl frequently, either add openssl to your PATH or use the absolute path to openssl, for example "\openssl\bin\openssl.exe" on Windows.

  4. Generate an RSA key pair in the file server.key. Please read both options and step 5 before generating your key:
    $openssl genrsa -des3 -out server.key 2048 <---- If you wish to encrypt your private key with a password
    $openssl genrsa -out server.key 2048 <---- If you DO NOT wish to encrypt your private key with a password
  5. Create the PKCS #10 certificate signing request in the file req.pem using the key pair in server.key. Please read all of the options before generating your CSR:

    Note: The following commands start a dialog, driven by the .conf file, that asks for the information needed to fill out the certificate request. Press Enter to accept the default values for the first six entries, and then enter the desired department and server name for the "Organization Unit Name" and "Common Name" entries.

    Note: The following examples use the mwcsr.conf file. Substitute vtca_openssl.conf if you are requesting a server certificate.

    $openssl req -config mwcsr.conf -new -key server.key -out req.pem

    Or you can generate the RSA key pair and certificate signing request (CSR) with a single command, as follows:
    $openssl req -config mwcsr.conf -newkey rsa:2048 -keyout key.pem -out req.pem

    If you DO NOT wish to encrypt your private key then use this command instead of the one above to generate the RSA key pair and CSR:

    $openssl req -config mwcsr.conf -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

  6. Important: Be sure to keep all of the files created in the above procedure and any passwords used in a safe place. You will need these files to create the PKCS #12 certificate from the certificate you download from IRM.
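
Before submitting req.pem, it is worth confirming that the request carries a 2048-bit key, that its self-signature verifies, and that it was built from the private key you intend to keep. The script below is an added example, not part of the original VTCA instructions: the function names, the sample.conf file and the subject www.example.edu are constructed for illustration, and it is written for a POSIX shell (the openssl subcommands it calls are the same ones available from the Windows command prompt).

```shell
#!/bin/sh
# Added example: pre-submission checks for the files made in steps 4 and 5.

# Print the public key size (in bits) recorded in a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the CSR's self-signature verifies, i.e. the request was
# signed by the private key matching the public key it carries.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if the public key in the CSR is the one derived from the
# private key file. An encrypted key makes openssl prompt for its passphrase.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Run all checks; usage: check_request server.key req.pem
check_request() {
    bits=$(csr_key_bits "$2")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; return 1; }
    csr_signature_ok "$2"     || { echo "FAIL: CSR signature"; return 1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR does not match key"; return 1; }
    echo "OK: $bits-bit key; $(openssl req -in "$2" -noout -subject)"
}

# Constructed sample input: an unencrypted 2048-bit key and a CSR with a
# made-up subject, written to directory $1 (stands in for server.key/req.pem).
make_sample_request() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.edu\n' > "$1/sample.conf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -config "$1/sample.conf" -new -key "$1/server.key" -out "$1/req.pem" 2>/dev/null
}

# When called with two arguments, check those files.
if [ "$#" -eq 2 ]; then check_request "$1" "$2"; fi
```

If you used the single-command variant in step 5, pass key.pem instead of server.key as the first argument.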

     

Last updated on May 13, 2008