Create the CSR (OpenSSL)

Last Updated: Apr 20, 2022
  1. The OpenSSL package is a third-party product and Avaya cannot provide assurance or warranty of purpose in any form.

  2. OpenSSL is available for both Microsoft Windows and Linux machines. See https://www.openssl.org/. The following has been tested on Windows 64-bit with OpenSSL version 1.0.2d.

  3. All steps must be carefully followed to avoid errors.

  4. If the selected CA provides instructions or utilities for the use of OpenSSL, those should be used in preference to the following steps. Any question on format or content should be clarified with the CA.

  5. Ensure all naming information has been identified (Common name, Alternate subject names, organization details and so on).

  6. You must be logged in and run the console session as administrator.

  7. Create a directory for the CSR and key and change to it.

  8. Create a text file named openssl.cfg with the following content, ensuring there are no additional line breaks:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (not abbreviated)
    localityName = Locality Name (for example, City)
    organizationName = Organization Name (for example, Company)
    organizationalUnitName = Organizational Unit Name (for example, Section/Department)
    commonName = Common Name (for example, www.example.com)
    emailAddress = Email Address (for example, contact@example.com)
    [v3_req]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = www.example.com
    DNS.2 = example.com
    IP.1 = 203.0.113.30
    IP.2 = 203.0.113.40
    URI.1 = sip:example.com
    URI.2 = 203.0.113.30
    URI.3 = sip:203.0.113.30
  9. The placeholder values (the descriptive text after each = in [req_distinguished_name], and the example names and addresses in [alt_names]) must be replaced with the information specific to the CSR. Ensure that the information requested by the CA is supplied accurately.

  10. The Country Name is a 2 letter code defined by https://www.iso.org/obp/ui/#home; select Country codes, and click Search.

  11. Any entries not required (for example, Organizational Unit Name) or not requested by the CA can be omitted by deleting the whole line.

  12. If the certificate is for a single domain, remove all lines from subjectAltName = @alt_names and onwards.

  13. If the certificate is for multiple domains, the first alt_name entry should be DNS.1 and the same as the Common Name (for example, www.example.com).

  14. Create the CSR and private key using the command line, ensuring no line breaks. Replace example in the file names example.csr and example.key with the domain name of the device.

    openssl req -new -out example.csr -newkey rsa:2048 -sha256 -keyout example.key -config openssl.cfg
  15. When prompted ('Enter PEM pass phrase'), a strong password for the private key file should be entered. It will be requested again later when combining the signed certificate.

  16. Verify the CSR with the command line:

    openssl req -text -noout -verify -in example.csr

  17. Check the output is as expected.

  18. Open the CSR file example.csr in a text editor and copy all of the text.

  19. Go to the CA and follow instructions to paste the full CSR into the SSL enrolment form of the CA. If requested, the server software used to generate the CSR is OpenSSL, or 'Other'. If requested, SHA-256 should be selected for the hash algorithm. SHA-1 should not be selected.

  20. Keep the example.key file for later use. Note that a password will always be required to open the key file.
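As an added example (not part of the Avaya procedure), the POSIX shell script below re-checks the CSR and key produced in steps 14 to 17 against the requirements in steps 13, 15, 19 and 20. The file names example.csr and example.key and the abridged sample dump at the bottom are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Avaya's): checks on the CSR/key from steps 14-17. The
# check_* functions take the text that 'openssl req -text -noout' prints, so
# they can also be tried on the constructed sample at the bottom.

# Step 19: the CSR must be signed with SHA-256, never SHA-1.
check_sha256() {
    printf '%s\n' "$1" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}
# Step 14: rsa:2048 asks for a 2048-bit key; reject anything smaller.
check_key_bits() {
    bits=$(printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}
# Step 13: the first subjectAltName entry must be DNS:<Common Name>.
check_cn_in_san() {
    cn=$(printf '%s\n' "$1" | sed -n '/^ *Subject:/s/.*CN *= *\([^,]*\).*/\1/p' | head -n1)
    first_san=$(printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | head -n1 | sed 's/^ *//')
    [ -n "$cn" ] && [ "$first_san" = "DNS:$cn" ]
}
# Steps 15 and 20: the saved key file must be password protected. An
# encrypted PEM key carries a Proc-Type header (OpenSSL 1.0.x) or is
# written as an ENCRYPTED PRIVATE KEY block (PKCS#8, newer releases).
check_key_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}
# Run every check against real files: check_csr_files example.csr example.key
check_csr_files() {
    dump=$(openssl req -text -noout -verify -in "$1") || return 1
    check_sha256 "$dump" && check_key_bits "$dump" \
        && check_cn_in_san "$dump" && check_key_encrypted "$2"
}

# Constructed, abridged sample of 'openssl req -text -noout' output for a CSR
# made from the openssl.cfg above (modulus and signature bytes omitted).
SAMPLE_DUMP='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=New Jersey, L=Somewhere, O=Example Corp, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, IP Address:203.0.113.30, URI:sip:example.com
    Signature Algorithm: sha256WithRSAEncryption'
```

Running `check_csr_files example.csr example.key` in the CSR directory returns 0 only when all four checks pass, so it can gate the copy-and-paste in step 18.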