In this tutorial, let’s learn how to use OpenSSL to generate an X.509 certificate signing request (CSR).
A certificate signing request is a message sent from an applicant to a certificate authority. Its subject usually includes:
- Country Name (2 letter code) [US]
- State or Province Name (full name) [BC]
- Locality Name (e.g., city) [Vancouver]
- Organization Name (e.g., company) [My Company Ltd]
- Organizational Unit Name (e.g., section)
- Common Name (e.g., your name or your server’s hostname)
- Email Address
Implementation Steps:
- Generate RSA key
- Set version
- Set subject
- Set public key
- Sign the request with the private key
- Free
Code & Result:
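#include <stdio.h>
#include <iostream>
#include <openssl/rsa.h>
#include <openssl/pem.h>

/*
 * Generate a 2048-bit RSA key pair, build a PKCS#10 certificate signing
 * request (CSR) for it and write the CSR in PEM form to "x509Req.pem".
 *
 * Returns true only if the request was built, signed and written.
 *
 * NOTE: the private key lives only in memory and is freed before returning.
 * A certificate issued for this CSR is unusable without that key, so a real
 * application must also persist it (e.g. PEM_write_bio_PrivateKey) to a file
 * with restricted permissions, preferably encrypted with a passphrase.
 *
 * NOTE: RSA_new/RSA_generate_key_ex are deprecated since OpenSSL 3.0; they
 * are kept here so the sample still builds against older releases.
 */
bool gen_X509Req()
{
    int             ret = 0;
    RSA             *r = NULL;
    BIGNUM          *bne = NULL;

    /* PKCS#10 (RFC 2986) defines only version 1, which is encoded as 0. */
    int             nVersion = 0;
    int             bits = 2048;
    unsigned long   e = RSA_F4;

    X509_REQ        *x509_req = NULL;
    X509_NAME       *x509_name = NULL;   /* owned by x509_req, never freed here */
    EVP_PKEY        *pKey = NULL;
    BIO             *out = NULL;

    const char      *szPath = "x509Req.pem";

    /* Subject fields, added to the request in this order. */
    const struct {
        const char *field;
        const char *value;
    } subject[] = {
        { "C",  "CA" },
        { "ST", "BC" },
        { "L",  "Vancouver" },
        { "O",  "Dynamsoft" },
        { "CN", "localhost" },
    };

    // 1. generate rsa key
    bne = BN_new();
    if (bne == NULL) {
        goto free_all;
    }
    ret = BN_set_word(bne, e);
    if (ret != 1) {
        goto free_all;
    }

    r = RSA_new();
    if (r == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = RSA_generate_key_ex(r, bits, bne, NULL);
    if (ret != 1) {
        goto free_all;
    }

    // 2. set version of x509 req
    x509_req = X509_REQ_new();
    if (x509_req == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = X509_REQ_set_version(x509_req, nVersion);
    if (ret != 1) {
        goto free_all;
    }

    // 3. set subject of x509 req
    x509_name = X509_REQ_get_subject_name(x509_req);
    for (size_t i = 0; i < sizeof(subject) / sizeof(subject[0]); i++) {
        ret = X509_NAME_add_entry_by_txt(x509_name, subject[i].field, MBSTRING_ASC,
                                         (const unsigned char *)subject[i].value,
                                         -1, -1, 0);
        if (ret != 1) {
            goto free_all;
        }
    }

    // 4. set public key of x509 req
    pKey = EVP_PKEY_new();
    if (pKey == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = EVP_PKEY_assign_RSA(pKey, r);
    if (ret != 1) {
        goto free_all;      /* ownership was not transferred; r is freed below */
    }
    r = NULL;               /* pKey owns the RSA key now; EVP_PKEY_free releases it */

    ret = X509_REQ_set_pubkey(x509_req, pKey);
    if (ret != 1) {
        goto free_all;
    }

    // 5. sign the x509 req with the private key
    /* SHA-256 rather than SHA-1: SHA-1 signatures are no longer considered
     * collision resistant and are rejected by current CAs and libraries. */
    ret = X509_REQ_sign(x509_req, pKey, EVP_sha256());  /* returns signature length */
    if (ret <= 0) {
        goto free_all;
    }

    out = BIO_new_file(szPath, "w");
    if (out == NULL) {
        ret = 0;            /* could not open the output file */
        goto free_all;
    }
    ret = PEM_write_bio_X509_REQ(out, x509_req);

    // 6. free (every *_free below accepts NULL)
free_all:
    X509_REQ_free(x509_req);
    BIO_free_all(out);
    EVP_PKEY_free(pKey);
    RSA_free(r);            /* non-NULL only if the key never reached pKey */
    BN_free(bne);

    return (ret == 1);
}

/* Generate the request and report failure through the exit status. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    if (!gen_X509Req()) {
        fprintf(stderr, "failed to generate certificate request\n");
        return 1;
    }
    return 0;
}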
-----BEGIN CERTIFICATE REQUEST-----
MIICmzCCAYMCAQEwVjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAkJDMRIwEAYDVQQH
EwlWYW5jb3V2ZXIxEjAQBgNVBAoTCUR5bmFtc29mdDESMBAGA1UEAxMJbG9jYWxo
b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA++1mP9LtZPaCKfFe
paVTjvIWdeWLOEwh5K8uSDNb84Hkx83nJxInY6CZPA+07nWq5Xudofahiiop2ifq
kyuIya0AQOpsiWjV6GyY9j9ERvyTKcTMaXW4FgKRVKb71y5DYVtx7GbluoCb6Iky
GBPzUJnBlbyzFWT7d/FH4YDxbdTEWTw7YJtm/nbakD09JprT/4JrjC+jBCmWwb19
2WXAI4vEFhqGVJIUufwHwMD9ZVwIhpk3cB83gNsQuwTtQIRFl0yuY7om15d5Qg1j
vvGsSodJdMmp2MV4NO2rmt2H7iZKlXREYVsmnvdbOzb4v4V/DUkm5gRp+MUXtBxf
2NCgsQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAH7fo3WgaM8TakXN/jAsMZMs
F4Thyyc0ZcVPF8r23ULJgYgENjXhaS8xuoXWOVikRZZm+6H7OHzHyfVeOkwlplsH
1+yXG2IBP3W6nw71oJjDYIcU4Dtw3e3tTN3/J0eSXlSr7MU9DXeVLBdiodeWeKHw
AumED55pd0lpFiJ1f7bQ2Nh0+mVIuZaDgnN8YesPPDqW70t9bjD9LHJl6T9OxRJE
vTq7BEqNB8XmYKJ+ODEKDQQNUar2YFcs4tZHiaOotZ11ZRaLrkG+Svl7ZE6V9GaO
Yss1j3jb4rFENS3vQdt69ODNJHu/maPUS87TpN1vmX66ntiEt7M2HKx8FiBiz/E=
-----END CERTIFICATE REQUEST-----
Feel free to download the sample code and run it in Visual Studio.