All steps must be carefully followed to avoid errors.
Log in to the IPOL machine through the SSH service as Administrator, then enter the certificates menu under the admin tab.
Here the user can begin to create the CSR by filling in the SN (subject name) and SAN (subject alternative name) parameters.
Using the csr_subjectName command, the user should specify the following parameters: Country/State/Locality/Organization/OrganizationUnit/CommonName/Email, as defined in the subject name fields of the CSR parameters table above.
Any entries not required (for example Organizational Unit Name) or not requested by the CA should not be added.
If the CSR is for a multi-domain/SAN certificate, the user can add entries to the SAN fields with the csr_subjectAltName (add) command. The valid values are DNS (DNS SAN entry), IP (IPv4 SAN entry) and URI (URI SAN entry). Multiple values can be specified for each entry type by numbering them, for example: DNS.1=test1csr.com, DNS.2=test2csr.com.
When all the parameters of the CSR have been filled in, the user should check the CSR generation configuration with the csr_view_parameters command. The command displays the current configuration for the CSR. The console output should look similar to the following:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C=US
ST=Tennessee
L=Nashville
O=CSRsTest
OU=CSRsTestDep
CN=testcsr.com
emailAddress=admin@testcsr.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyAgreement, dataEncipherment, keyEncipherment
subjectAltName = @alt_names
subjectKeyIdentifier = hash
[ alt_names ]
DNS.1=testcsr.com
IP.1=192.168.42.1
URI.1=sip:testcsr.com
The user should then issue the generate_csr command, which generates the CSR, stores the private key of the CSR in a location only accessible by root, and displays the generated CSR in the console.
The user should copy the generated CSR from the console (it is displayed as text starting with the -----BEGIN CERTIFICATE REQUEST----- string and ending with the -----END CERTIFICATE REQUEST----- string).
The CSR can be pasted into a text file and signed by a public CA or a private one, resulting in a signed certificate based on a CSR generated on the IPOL machine.
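The configuration printed by csr_view_parameters can be checked mechanically before generate_csr is issued. The following is an added example, not part of the IPOL software: it assumes the console output has been pasted into a string, and the function names parse_sections and check_csr_config are hypothetical. It checks that every SAN key is a numbered DNS, IP or URI entry, that IP values are valid IPv4 addresses, and that the CN also appears as a DNS SAN.

```python
import ipaddress
import re

# Constructed sample in the csr_view_parameters layout, with three deliberate
# mistakes: an unnumbered DNS key, a bad IPv4 value, and a CN not listed as a SAN.
SAMPLE = """[ req_distinguished_name ]
CN=testcsr.com
[ alt_names ]
DNS=test1csr.com
DNS.2=test2csr.com
IP.1=192.168.42.300
URI.1=sip:testcsr.com
"""

def parse_sections(text):
    """Split OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_csr_config(text):
    """Return a list of problems; an empty list means every check passed."""
    sections = parse_sections(text)
    problems, dns_names = [], set()
    for key, value in sections.get("alt_names", {}).items():
        kind = re.fullmatch(r"(DNS|IP|URI)\.\d+", key)
        if not kind:
            problems.append(f"SAN key {key!r} is not DNS.n, IP.n or URI.n")
        elif kind.group(1) == "DNS":
            dns_names.add(value.lower())
        elif kind.group(1) == "IP":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"{key}={value!r} is not an IPv4 address")
    cn = sections.get("req_distinguished_name", {}).get("CN", "")
    # TLS clients match host names against DNS SAN entries when any exist,
    # so a host name that appears only in CN would not be accepted.
    if dns_names and cn.lower() not in dns_names:
        problems.append(f"CN {cn!r} is not among the DNS SAN entries")
    return problems

if __name__ == "__main__":
    for problem in check_csr_config(SAMPLE):
        print(problem)
```

An empty result for the pasted configuration means the SAN and subject entries passed these checks; it says nothing about what the signing CA itself requires.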