In an organization using paid SSL certificates, the person purchasing and creating each trusted server certificate may be different from the person creating the associated Certificate Signing Request (CSR) on the target server system. To avoid mistakes and double-check the CSR settings, it is good to view the CSR contents before final submission to the trusted CA for signing. Here’s a quick OpenSSL command to review the contents of a received CSR file.
MYCSR=/path/and/FileName.csr
MYFILTER='Subject:|Public-Key:|Signature Algorithm:'
cat "$MYCSR" | openssl req -text -noout -verify | egrep "$MYFILTER"
# You can alter or leave out the egrep as desired.
# Note: the "verify OK" line is written to stderr, so it is not filtered by egrep and
# still appears on the terminal.

# Sample output using OpenSSL 1.0.2d
verify OK
Subject: CN=HostName.DomainName.Com
Public-Key: (2048 bit)
Signature Algorithm: sha256WithRSAEncryption
Things to look for include the Subject Common Name (CN) matching the system's fully qualified domain name (FQDN), the public key size, and the signature algorithm. As time moves on, the minimum acceptable public key size and signature algorithm will continue to increase as attacks on the older keys and signatures become feasible.
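The same review as a script, added here as an example (it is not part of the original post). It assumes the openssl CLI is on PATH and handles the slightly different text output of OpenSSL 1.0.2, 1.1.1 and 3.x. The expected FQDN is supplied by the caller; the key-size floors and the signature allow-list are this example's own choices, and the Subject Alternative Name check goes one step beyond the list above, since browsers match hostnames against the SAN extension rather than the CN.

```shell
#!/bin/sh
# Added example (not the original post's code): automated CSR review.
# Assumes the openssl CLI is on PATH; handles 1.0.2, 1.1.1 and 3.x output.

# Subject Common Name. RFC2253 formatting has the same shape on every OpenSSL
# version, unlike the default "subject=/CN=..." versus "subject=CN = ...".
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Public key algorithm, e.g. rsaEncryption or id-ecPublicKey.
csr_key_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Key size in bits. 1.1.1 prints "RSA Public-Key: (2048 bit)", other versions
# "Public-Key: (2048 bit)", so only the trailing part is matched.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Requested Subject Alternative Names, one per line (empty if none requested).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name:/ { if (getline > 0) print; exit }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# csr_review CSR_FILE EXPECTED_FQDN
# Prints one line per finding; returns 0 when nothing failed (warnings allowed).
csr_review() {
    review_csr=$1; review_fqdn=$2; review_fail=0

    # 1. The self-signature must verify, i.e. the file was not altered in transit.
    #    "verify OK" is written to stderr, hence 2>&1.
    if ! openssl req -in "$review_csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR self-signature does not verify"; review_fail=1
    fi

    # 2. Subject CN must be the system FQDN.
    review_cn=$(csr_cn "$review_csr")
    if [ "$review_cn" != "$review_fqdn" ]; then
        echo "FAIL: Subject CN '$review_cn' is not the expected '$review_fqdn'"; review_fail=1
    fi

    # 3. Key size floor depends on the key type (floors chosen for this example).
    review_alg=$(csr_key_alg "$review_csr"); review_bits=$(csr_key_bits "$review_csr")
    case "$review_alg" in
        rsaEncryption)  review_min=2048 ;;
        id-ecPublicKey) review_min=256 ;;
        *) echo "FAIL: unrecognised key algorithm '$review_alg'"; review_fail=1; review_min=0 ;;
    esac
    if [ -z "$review_bits" ] || [ "$review_bits" -lt "$review_min" ]; then
        echo "FAIL: $review_alg key of ${review_bits:-?} bits is below the $review_min-bit floor"; review_fail=1
    fi

    # 4. Signature algorithm allow-list, so SHA-1 and MD5 requests are rejected.
    review_sig=$(csr_sig_alg "$review_csr")
    case "$review_sig" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption|rsassaPss) ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448) ;;
        *) echo "FAIL: signature algorithm '$review_sig' is not on the allow-list"; review_fail=1 ;;
    esac

    # 5. Browsers match hostnames against the SAN extension, not the CN, so a
    #    CSR without "DNS:<fqdn>" still produces a name-mismatch error.
    review_sans=$(csr_sans "$review_csr")
    if [ -z "$review_sans" ]; then
        echo "WARN: no Subject Alternative Name requested; add DNS:$review_fqdn"
    elif ! printf '%s\n' "$review_sans" | grep -qx "DNS:$review_fqdn"; then
        echo "FAIL: SAN list does not contain DNS:$review_fqdn"; review_fail=1
    fi

    [ "$review_fail" -eq 0 ]
}

# Stand-alone usage: sh csr_review.sh /path/and/FileName.csr HostName.DomainName.Com
if [ $# -ge 2 ]; then
    csr_review "$1" "$2"
fi
```

The script's exit status is what a submission pipeline would gate on; the WARN line for a missing SAN is deliberately not a failure, because some internal CAs add the SAN from the CN themselves, but a SAN that is present and does not list the FQDN is always wrong.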