When buying a certificate from a certification authority, we usually do not have to do anything complicated or tech-savvy; we simply register, walk into the CA’s facility, identify ourselves, and get our key pair, either on a signing card, USB token or based on some other solution (e.g. stored in an HSM in case of remote signatures) and we are ready to go. But with some certificates (e.g. most SSL certificates), what we have to do is slightly different. In these cases, we need to generate our own keys and a certificate signing request (CSR).

A CSR is basically a message sent to the Certification Authority to request certification of a public key – generated along with a private key by the applicant. CSRs are described in the PKCS#10 standard, creating them consists of the following steps:
Our first step is to generate a public-private key pair. We can do this with using OpenSSL, which is a free, open source software that is available on several platforms. We even have a great chance that it is pre-installed on our OS. We can verify this by typing:

openssl version

into our terminal, and if we see something like:

OpenSSL 1.1.1d  10 Sep 2019,

we know that we have OpenSSL installed. Otherwise, we can get the latest version from https://www.openssl.org

Then we will have to decide what kind of key we want to generate (it is recommended to check the CA’s requirements regarding the algorithm or key size – if we cannot find anything about this, our current best way to go is with 2048-bit RSA, but if we are customers of e-Szignó CA, requirements are always specified).

If we want to use an EC key, we have to use two commands. One for generating the key (the example is over a NIST P-256 curve):

openssl ecparam –out key.pem –genkey –name prime256v1

then, another one to create a certificate signing request with:

openssl req –new –key key.pem –sha256 –out certificaterequest.pem 

Regarding RSA, our task is easier, we can create a key pair and a CSR in one command, such as:

openssl req -newkey rsa:2048 -out certificaterequest.pem -keyout key.pem

OpenSSL may ask for a password to encrypt the private key with; this uses the symmetrical AES algorithm. It is recommended to use a sufficiently secure password.

Then, OpenSSL will ask some information to be included in the certificate. With a CSR for e-Szignó CA, we will need to fill only two of these:

• Country Name – Here, we enter our ISO 3166 two-letter country code
• Common Name – If we are requesting a seal certificate, we add the name of our organisation, if we are requesting a webserver certificate, the we need to add the domain name of our server.

Other fields can be left blank by pressing enter while OpenSSL is prompting to specify them.

In both cases, our private key will be named key.pem and our CSR will be named certificaterequest.pem (of course you can name them anyhow – just remember which is which). Note that the private key should be managed in a secure way, it should be known by you only.

…and that is all! We now have everything we need. We can open our PKCS#10 CSR with any text editor, then copy it to the application form. Note that we have to copy it all, so our CSR will begin with

-----BEGIN CERTIFICATE REQUEST-----

and end with

-----END CERTIFICATE REQUEST-----

If we have a Hardware Security Module (HSM), it is a better choice to store keys in it regarding key management and security. Sadly, there is no standard interface, so CSR generation differs from HSM to HSM, but these are laid out in detail in the instruction manual of the module. Regarding CSR fields and copy-pasting it to the form, the above can be applied as well.