OpenSSL Check CSR Contents

In an organization using paid SSL certificates, the person purchasing and creating each trusted server certificate may be different from the person creating the associated Certificate Signing Request (CSR) on the target server system. To avoid mistakes and double-check the CSR settings, it is good to view the CSR contents before final submission to the trusted CA for signing. Here’s a quick OpenSSL command to review the contents of a received CSR file.

MYCSR=/path/to/received.csr   # path to the CSR file you want to inspect (placeholder)
MYFILTER='Subject:|Public-Key:|Signature Algorithm:'
openssl req -in "$MYCSR" -text -noout -verify | egrep "$MYFILTER"
# You can alter or leave out the egrep as desired.
# Sample output using OpenSSL 1.0.2d ("verify OK" is written to stderr, so the egrep does not filter it)
verify OK
        Subject: CN=HostName.DomainName.Com
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption

Things to look for include "verify OK" (the request's self-signature checks out, so the requester holds the matching private key), the Subject Common Name (CN) matching the system's fully qualified domain name (FQDN), the public key size, and the signature algorithm. As time moves on, the minimum public key size and signature algorithm requirements will continue to increase as attacks on the older keys and signatures become feasible.
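The manual review above can be turned into a repeatable check. The following script is an added example, not part of the original post: check_csr, make_test_csr and the expected-value arguments are hypothetical names, and the CSR it tests against is generated on the fly for the post's sample hostname.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). Checks a CSR the way the post
# describes: self-signature verifies, CN matches the expected FQDN, the key is at
# least MIN_BITS, and the signature algorithm is the expected one.
# Usage: check_csr FILE.csr EXPECTED_FQDN [MIN_BITS] [SIG_ALG]
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}; want_sig=${4:-sha256WithRSAEncryption}
    status=0
    # -verify checks the request's self-signature, i.e. the requester holds the private key.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: CSR signature does not verify"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    # RFC2253 formatting prints 'CN=value' with no spaces, which keeps the sed simple.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    # Matches both "Public-Key: (2048 bit)" and the older "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN '$cn' != '$want_cn'"; status=1; }
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "FAIL: key is ${bits:-?} bits, want >= $min_bits"; status=1; }
    [ "$sig" = "$want_sig" ] || { echo "FAIL: signature alg '$sig' != '$want_sig'"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: CN=$cn, $bits-bit key, $sig"
    return "$status"
}

# Constructed test input: a throwaway key and CSR for the post's sample hostname.
make_test_csr() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj "/CN=HostName.DomainName.Com" -out "$dir/test.csr" >/dev/null 2>&1
    echo "$dir/test.csr"
}

# Stand-alone use: ./check_csr.sh received.csr host.example.com 2048
if [ "$#" -ge 2 ]; then
    check_csr "$@"
fi
```

Exit status is zero only when every check passes, so the script can gate an automated submission step.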

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).