Create a CSR with OpenSSL
To create a certificate, you first need to create a Certificate Signing Request (CSR). You can send the CSR to a certification authority, or use it to create a self-signed certificate.
Use OpenSSL to Generate a CSR
OpenSSL is installed with most GNU/Linux distributions. To download the source code or a Windows binary file, go to http://www.openssl.org/ and follow the installation instructions for your operating system. You can use OpenSSL to convert certificates and certificate signing requests from one format to another. For more information, see the OpenSSL man page or online documentation.
- Open a command line interface terminal.
Make sure you run the command prompt as an administrator. You can do this by right-clicking the command prompt shortcut in Windows.
- To generate a private key file called privkey.pem in your current working directory, type openssl genrsa -out privkey.pem 2048
- Type openssl req -new -key privkey.pem -out request.csr
This command generates a CSR in the PEM format in your current working directory.
- When you are prompted for the x509 Common Name attribute information, type your fully-qualified domain name (FQDN). Use other information as appropriate.
- Follow the instructions from your certificate authority to send the CSR.
To create a temporary, self-signed certificate until the CA returns your signed certificate:
- Create a plain text file named extensions.txt.
- Add this text to the file:
basicConstraints=CA:TRUE,pathlen:0
keyUsage=digitalSignature,keyEncipherment,keyCertSign,cRLSign
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
- Open a command line interface terminal.
- Type openssl x509 -req -days 30 -in request.csr -signkey privkey.pem -extfile extensions.txt -out sscert.cert
This command uses the private key and CSR you created in the previous procedure to create a self-signed certificate in your current working directory that expires in 30 days.
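As an added example (not from the original page), this script runs both procedures above non-interactively and then checks the result before you would install it; it assumes the openssl command is on PATH, and the FQDN and organization name it uses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): runs the CSR and self-signed
# certificate procedure non-interactively and checks the result.
# Assumes the openssl command is on PATH; the FQDN passed in is a placeholder.
set -eu

# make_selfsigned FQDN DAYS WORKDIR: writes privkey.pem, request.csr,
# extensions.txt and sscert.cert into WORKDIR, then verifies them.
# Runs in a subshell so the caller's working directory is untouched.
make_selfsigned() {
    fqdn="$1"; days="$2"; workdir="$3"
    (
        cd "$workdir" || exit 1

        # Step 1: 2048-bit RSA private key, as in the procedure above
        openssl genrsa -out privkey.pem 2048 2>/dev/null || exit 1

        # Step 2: CSR; -subj replaces the interactive prompts, CN is the FQDN
        openssl req -new -key privkey.pem -out request.csr \
            -subj "/CN=$fqdn/O=Example Org" || exit 1

        # Step 3: the extensions file from the procedure above
        printf '%s\n' \
            'basicConstraints=CA:TRUE,pathlen:0' \
            'keyUsage=digitalSignature,keyEncipherment,keyCertSign,cRLSign' \
            'extendedKeyUsage=serverAuth' \
            'subjectKeyIdentifier=hash' \
            'authorityKeyIdentifier=keyid,issuer' > extensions.txt

        # Step 4: temporary self-signed certificate from the CSR and key
        openssl x509 -req -days "$days" -in request.csr -signkey privkey.pem \
            -extfile extensions.txt -out sscert.cert 2>/dev/null || exit 1

        # Checks before installing the result:
        # the CSR's own signature is valid
        openssl req -in request.csr -noout -verify >/dev/null 2>&1 || exit 1
        # the certificate validates against itself (it is its own trust anchor)
        openssl verify -CAfile sscert.cert sscert.cert >/dev/null || exit 1
        # issuer equals subject, i.e. it really is self-signed
        subj=$(openssl x509 -in sscert.cert -noout -subject | sed 's/^subject=//')
        issr=$(openssl x509 -in sscert.cert -noout -issuer | sed 's/^issuer=//')
        [ "$subj" = "$issr" ] || exit 1
        # the CN is the FQDN and the serverAuth EKU made it into the certificate
        echo "$subj" | grep -q "CN *= *$fqdn" || exit 1
        openssl x509 -in sscert.cert -noout -text | grep -q 'TLS Web Server Authentication' || exit 1
        # print the expiry so the 30-day lifetime is visible
        openssl x509 -in sscert.cert -noout -enddate
    )
}

# Usage: make_selfsigned vpn.example.com 30 "$(mktemp -d)"
```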
You cannot use a self-signed certificate for VPN remote gateway authentication. We recommend that you use certificates signed by a trusted Certificate Authority.