Certificate Signing Request

In order to obtain a certificate, you must first generate a Certificate Signing Request (CSR). Instructions for generating CSRs for various SSL environments can be found at Comodo's Knowledgebase. Since it is assumed that most server environments will be either OpenSSL-based or Java-based, examples for those two cases are given here.

For the examples below, the server hostname is "example.xsede.org".

You may optionally specify a contact email address which will receive notification for certificate expiration. In the example below, this is done with the "user@xsede.org" email address.

OpenSSL

If you do not have a private key, the following command will generate a new CSR (example-xsede-org.csr) and the associated private key (example-xsede-org.key) in one step.

# openssl req -nodes -newkey rsa:2048 \
            -keyout example-xsede-org.key \
            -subj "/CN=example.xsede.org/emailAddress=user@xsede.org" \
            -out example-xsede-org.csr

Alternatively, you can generate the private key and CSR separately as follows.

# openssl genrsa -out example-xsede-org.key 2048
# openssl req -new -key example-xsede-org.key \
            -subj "/CN=example.xsede.org/emailAddress=user@xsede.org" \
            -out example-xsede-org.csr

Java

To generate a new CSR for use with Java, use the keytool command. If your system does not have the keytool command, it is available as part of the Java Development Kit (JDK).

First, create a keystore (example-xsede-org.keystore) with the appropriate server hostname using the following command.

# keytool -genkey -keyalg RSA -keysize 2048 \
        -dname "CN=example.xsede.org,emailAddress=user@xsede.org" \
        -keystore example-xsede-org.keystore

Then, use the new keystore to generate a new CSR (example-xsede-org.csr) with the following command.

# keytool -certreq -keyalg RSA \
        -keystore example-xsede-org.keystore \
        -file example-xsede-org.csr

Multiple Domains

If you are requesting an InCommon or IGTF Multi Domain Certificate, you can include the extra SubjectAltName (SAN) entries in the certificate signing request (CSR). This saves XSEDE staff time in processing your request and guarantees that your certificate has the extra domains you want.

First, you need to create a configuration file with values needed by OpenSSL for the SANs. For this example, assume the desired hostname is "example.xsede.org", and there are three additional hosts to secure named "example1.xsede.org", "example2.xsede.org", and "example3.xsede.org".

Create a file "openssl.cnf" with the following contents.

	[ req ]
	default_bits = 2048
	default_md = sha256
	distinguished_name = req_distinguished_name
	attributes = req_attributes
	req_extensions = v3_req
	prompt = no
	
	[ req_distinguished_name ]
	CN = example.xsede.org
	emailAddress = user@xsede.org

	[ req_attributes ]
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectAltName = @alt_names
	
	[ alt_names ]
	DNS.1 = example.xsede.org
	DNS.2 = example1.xsede.org
	DNS.3 = example2.xsede.org
	DNS.4 = example3.xsede.org

Then generate the CSR (example-xsede-org.csr) and the associated private key (example-xsede-org.key) with the following command.

# openssl req -nodes -newkey rsa:2048 \
            -keyout example-xsede-org.key \
            -config openssl.cnf \
            -out example-xsede-org.csr
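
Before submitting a multi-domain request, it is worth confirming that the CSR actually carries the SAN entries from openssl.cnf. The script below is an added example, not part of the original XSEDE instructions; the function names (csr_sans, csr_bits, check_csr) and the file name check-csr.sh are illustrative, and it assumes an RSA key as in the commands above.

```shell
#!/bin/sh
# Added example: check a CSR before submitting it. Function names are
# illustrative, not part of OpenSSL or of any XSEDE tooling.

# Print the DNS SubjectAltName entries of a CSR, one per line, sorted.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# Print the public key size in bits (RSA key assumed, as on this page).
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSR NAME...  returns 0 only if the self-signature verifies, the
# key is at least 2048 bits, and the SAN list is exactly the NAMEs given.
check_csr() {
    csr=$1; shift
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the signature check fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }
    bits=$(csr_bits "$csr")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-unknown} bits" >&2; return 1; }
    want=$(printf '%s\n' "$@" | sort)
    have=$(csr_sans "$csr")
    [ "$want" = "$have" ] ||
        { echo "FAIL: SANs in CSR: $(echo $have)" >&2; return 1; }
    echo "OK: $csr ($bits bits, $# SANs)"
}

# Run directly, for example:
#   ./check-csr.sh example-xsede-org.csr example.xsede.org \
#       example1.xsede.org example2.xsede.org example3.xsede.org
if [ "$#" -gt 0 ]; then check_csr "$@"; fi
```

Because -nodes writes the private key unencrypted, keep example-xsede-org.key readable only by the account that runs the service (for example with chmod 600) and submit only the .csr file.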

Next Step

Once you have generated your CSR, you need to submit the Certificate Signing Request (CSR).

Last Update: September 20, 2016

Key Points
CSRs are required to obtain all SSL certificates
Examples are given for OpenSSL and Java
CSRs for multiple domains are also available