How to generate certificate signing requests
If you're unsure about creating certificates or don't want to manage them, use Aptible's Managed TLS option!
A Certificate Signing Request (CSR) file contains information about an SSL / TLS certificate you'd like a Certification Authority (CA) to issue. If you'd like to use a Custom Certificate with your Endpoints, you will need to generate a CSR:
Step 1: You can generate a new CSR using OpenSSL's openssl req command:
openssl req -newkey rsa:2048 -nodes \
-keyout "$DOMAIN.key" -out "$DOMAIN.csr"
Step 2: Store the private key (the $DOMAIN.key file) and CSR (the $DOMAIN.csr file) in a secure location, then request a certificate from the CA of your choice.
Step 3: Once your CSR is approved, request an "NGiNX / other" format if the CA asks what certificate format you prefer.
Matching Certificates, Private Keys and CSRs
If you are unsure which certificates, private keys, and CSRs match each other, you can compare the hashes of the modulus of each:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in "$DOMAIN.key" | openssl md5
openssl req -noout -modulus -in "$DOMAIN.csr" | openssl md5
The certificate, private key and CSR are compatible if all three hashes match. You can use diff3 to compare the moduli from all three files at once:
openssl x509 -noout -modulus -in certificate.crt > certificate-mod.txt
openssl rsa -noout -modulus -in "$DOMAIN.key" > private-key-mod.txt
openssl req -noout -modulus -in "$DOMAIN.csr" > csr-mod.txt
diff3 certificate-mod.txt private-key-mod.txt csr-mod.txt
If all three files are identical, diff3 will produce no output.
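The CSR generation from Step 1 and the modulus comparison above, combined into a small non-interactive script. This is an added example, not Aptible's own tooling; it assumes openssl is on PATH, passes -subj so openssl req does not prompt, and uses placeholder file names. It compares the full modulus strings directly instead of their md5 hashes, and returns a non-zero status on mismatch so it can be used in a pipeline.

```shell
#!/bin/sh
# Added example (not Aptible's own code). Assumes openssl is on PATH.

# Print the RSA modulus ("Modulus=...") of a certificate, private key or CSR.
# Note: -modulus only applies to RSA keys, which is what rsa:2048 produces.
modulus_of() {
  case "$1" in
    cert) openssl x509 -noout -modulus -in "$2" ;;
    key)  openssl rsa  -noout -modulus -in "$2" ;;
    csr)  openssl req  -noout -modulus -in "$2" ;;
    *)    echo "unknown kind: $1" >&2; return 2 ;;
  esac
}

# Return 0 when certificate, key and CSR all carry the same modulus, 1 otherwise.
# Usage: moduli_match certificate.crt "$DOMAIN.key" "$DOMAIN.csr"
moduli_match() {
  cert_mod=$(modulus_of cert "$1") || return 1
  key_mod=$(modulus_of key "$2") || return 1
  csr_mod=$(modulus_of csr "$3") || return 1
  if [ "$cert_mod" = "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]; then
    return 0
  fi
  echo "modulus mismatch between $1, $2 and $3" >&2
  return 1
}

# Generate a fresh 2048-bit RSA key and a CSR for it, without prompts.
# Writes "$1.key" and "$1.csr" in the current directory.
generate_csr() {
  domain="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$domain" \
    -keyout "$domain.key" -out "$domain.csr" 2>/dev/null
}
```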
You can reuse a private key and CSR when renewing an SSL / TLS certificate, but from a security perspective, it's often a better idea to generate a new key and CSR when renewing.