# Generate a new CSR ## Generate A Private Key ### ECC: ```bash keyfilename=ec_key.pem cert=ec_cert.crt openssl ecparam -genkey -name prime256v1 -out $keyfilename openssl ecparam -genkey -name secp256r1 -out $keyfilename # List of Avail curves openssl ecparam --list_curves # Gen Cert: openssl req -new -x509 -key $keyfilename -sha256 -nodes -out $cert -days 365 # Combine Private & Public in one file: cat $keyfilename $cert > ec.pem # verify openssl x509 -in ec.pem -noout -text ``` ### RSA: #### Generate Private Key ```bash #============================================= # Generate Key openssl genrsa -out yourdomain.key 2048 # Output key File cat yourdomain.key # Validate Key openssl rsa -text -in yourdomain.key -noout #============================================= # Extract Public Key openssl rsa -in yourdomain.key -pubout -out yourdomain_public.key #============================================= # Create CSR openssl req -new -key yourdomain.key -out yourdomain.csr #============================================= # verify CSR openssl req -text -in yourdomain.csr -noout -verify # send CSR to CA: cat yourdomain.csr # View Cert info: openssl x509 -text -in yourdomain.crt -noout # Verify Public & Private Keys Match: openssl pkey -pubout -in .\private.key | openssl sha256 openssl req -pubkey -in .\request.csr -noout | openssl sha256 openssl x509 -pubkey -in .\certificate.crt -noout | openssl sha256 ``` #### Verification should output something like this: ```bash verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Utah, L=Lehi, O=Your Company, Inc., OU=IT, CN=yourdomain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bb:31:71:40:81:2c:8e:fb:89:25:7c:0e:cb:76: [...17 lines removed] Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 0b:9b:23:b5:1f:8d:c9:cd:59:bf:b7:e5:11:ab:f0:e8:b9:f6: [...14 lines removed] ``` #### Using -Subj switch ```bash openssl req -new -key yourdomain.key -out yourdomain.csr \ -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com" ``` #### Create CSR with one line ```bash openssl req -new \ -newkey rsa:2048 -nodes -keyout yourdomain.key \ -out yourdomain.csr \ -subj "/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=yourdomain.com" ``` ### Converting Certificate Formats File Formats & Cert Types
.pemPEM, which stands for privacy-enhanced mail—- BEGIN RSA PRIVATE KEY—– and —–END RSA PRIVATE KEY—–

–BEGIN CERTIFICATE REQUEST—–
—–END CERTIFICATE REQUEST—–
p7b / pkcs#7Certificates in P7B/PKCS#7 formats are encoded in Base64 ASCII encoding and they usually have .p7b or .p7c as the file extension. The thing that separates PKCS#7 formatted certificates is that only certificates can be stored in this format, not private keys. In other words, a P7B file will only consist of certificates and chain certificates.

"—–BEGIN PKCS7—–” and

“—–END PKCS7—–”

.pfx
.p12
.pkcs12		The PKCS#12 format is an archival file that stores both the certificate and the private key.Binary File
derThe DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., .key, .crt, and .csr).

The DER certificate format is most commonly used in Java-based platforms.
.crtCertificate
.csrCertificate Signing Request
#### The following is an excerpt from : #### PEM to PKCS#12 This format is useful for migrating certificates and keys from one system to another as it contains all the necessary files. PKCS#12 files use either the *.pfx* or *.p12* file extension. Use the following command to convert your PEM key and certificate into the PKCS#12 format (i.e., a single .pfx file): ```bash openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \ -out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt ``` #### PKCS#12 to PEM Because the PKCS#12 format contains both the certificate and private key, you need to use two separate commands to convert a .pfx file back into the PEM format. Use the following command to extract the private key from a PKCS#12 (.pfx) file and convert it into a PEM encoded private key: ``` openssl pkcs12 -in yourdomain.pfx -nocerts -out yourdomain.key -nodes ``` Use the following command to extract the certificate from a PKCS#12 (.pfx) file and convert it into a PEM encoded certificate: ``` openssl pkcs12 -in yourdomain.pfx -nokeys -clcerts -out yourdomain.crt ``` #### PEM to DER The DER format uses ASN.1 encoding to store certificate or key information. Similar to the PEM format, DER stores key and certificate information in two separate files and typically uses the same file extensions (i.e., *.key*, *.crt*, and *.csr*). The file extension *.der* was used in the below examples for clarity. Use the following command to convert a PEM encoded certificate into a DER encoded certificate: ``` openssl x509 -inform PEM -in yourdomain.crt -outform DER -out yourdomain.der ``` Use the following command to convert a PEM encoded private key into a DER encoded private key: ``` openssl rsa -inform PEM -in yourdomain.key -outform DER -out yourdomain_key.der ``` #### DER to PEM Use the following command to convert a DER encoded certificate into a PEM encoded certificate: ``` openssl x509 -inform DER -in yourdomain.der -outform PEM -out yourdomain.crt ``` Use the following command to convert a DER encoded private key into a PEM encoded private key: ``` openssl rsa -inform DER -in yourdomain_key.der -outform PEM -out yourdomain.key ``` Sources: #### #### #### ####