In part 1, I have explained the concept of certificates and why it is needed. In this post, I will explain the process to get a signed certificate. I will also explain in details the relationship between Certificate Signing Request (CSR), Private Key and Public Key.
High Level Steps
The high level steps to generate a certificate are listed below
- Generate a Certificate Signing Request (CSR) from a Private Key. Usually if we are starting from scratch, a new private key will be created. However, if we already have an existing private key, we can use it to generate a new CSR.
- Sign the CSR from the CA. At this step, we complete the validation required by CA depending on the certificate type
- Import Signed Certificate including CA Chain which was issued by the CA
- Make sure to add Root CA as a trusted Authority in case it is not available. This step shouldn’t be usually needed as usually the well known Root CAs are generally available in as part of the various operating systems. However, this might be needed if you are importing it to some systems that don’t trust that Root CA.
So let’s take each step and explain it in depth. Usually, before we generate a certificate we need to understand what type of certificate and for what will it be used. In this example, we will build an example based on creating a domain validated certificate for a fake domain “www.arubapartners.com”. I am using OpenSSL on Windows which can be download here. You can also do the same on macOS or Linux (Just replace openssl.exe with the native openssl command)
Step 1: Generate CSR from Private Key
I used this OpenSSL req command
openssl.exe req -new -newkey rsa:2048 -nodes -keyout arubapartners_private.key -out arubapartners.csr
In this command, I am using RSA algorithm with 2048 key size to generate a private key and a CSR. Because I used the -nodes option, the private key file will not be encrypted so in your environment make sure you protect it properly. In my case, I am using this certificate for this demo only so it doesn’t matter.
Once I issued the command, I provided the details as shown above to reflect this domain. At the end two files are generated. The CSR file is called “arubapartners.csr” and the private key is called “arubapartners_private.key”. Make sure you protect this key in a real environment. We now sign the CSR from the CA and get a signed certificate in return. If you are in hurry go to step 2. If you need to understand the details of what was generated keep reading…
What got generated? What is the relationship between them?
If we inspect the private key file using OpenSSL rsa command, we can extract from it the public key. This public key will be part of the signed certificate issued by the CA. Note the reverse is not possible, meaning if you know the public key you will not be able to generate the private key.
openssl.exe rsa -in arubapartners_private.key -out arubapartners_public.pem
Similarly, if we check the CSR file, it will look a bunch of random characters. However, the CSR file can be decoded to a readable text format as shown below. The CSR will include the public key and the information that we provided previously. As such, we can double check the CSR before sharing it with the CA.
openssl.exe req -text -noout -verify -in arubapartners.csr
In brief, the public key can be extracted from the private key. Also, the CSR file includes the same public key. The public key will be part of the certificate signed by the CA. This explains the relationship between these components. This can be even confirmed by the below commands where I am extracting the public key from the private key file and from the CSR.
openssl.exe rsa -in arubapartners_private.key -pubout openssl.exe req -in arubapartners.csr -noout -pubkey
Now, it is time to get the signed certificate from a CA.
Step 2: Sign CSR from CA
Now that the CSR that was generated, it will be sent to the CA. The CA will check the CSR and sign the certificate after it completes the validation. The exact validation method varies depending on the requested certificate type. At the end the CA will sign the CSR and issue a certificate. I will explain this step in an upcoming post.
For now, to simplify this process, I created my own demo CA. I signed the generated CSR from my demo CA instead of signing it from a trusted CA using the below OpenSSL X509 command. I will not be able to do so since I don’t own the domain arubapartners.com)
At the end, you can see I got a certificate that was signed from mydemoca.com and it was issued to http://www.arubapartners.com. The public key is also shown in the certificate. This is the same public key that was extracted from the CSR and private key as explained before. The public key, in the unreadable format shown above, can be pasted in this ASN.1 decoder. You will be able to see that the same public key is used.
One final check that can be done is to check that the modulus value matches between the issued certificate, private key and CSR. This can be done using the below commands. Instead of comparing the whole Modulus, we are are comparing the MD5 hashes so it will be easier to compare them visually. If you need a better option, you can check this link.
openssl.exe x509 -noout -modulus -in arubapartners-signed-public.crt | openssl md5 openssl.exe rsa -noout -modulus -in arubapartners_private.key | openssl md5 openssl.exe req -noout -modulus -in arubapartners.csr | openssl md5
In this post, I explained the process to get a signed certificate starting from the private key and CSR. In the next post, I will explain the different certificate formats and how to install the certificate on various Aruba products.