4

I am new to this. My objective is to create a CSR for my Cisco Firewall. I have been advised to use OpenSSL as I need to add the EKU, which is not possible on a Cisco CSR. The second requirement is to use multiple SANs.

I have no clue how to do this and I don't know how or where I would generate the key (Cisco or OpenSSL). I have OpenSSL on both Linux and MacOS. Can someone post step-by-step instructions for me to achieve this goal?

Josh Correia
faadi77

2 Answers

5

For SANs and EKUs in OpenSSL:

  • Generate the key (it is created on the machine where you run OpenSSL and stays there; only the CSR goes to the CA):
    openssl genrsa -out key.pem 2048
  • Create a config file (cisco_fw_csr_config.cnf) according to your needs:
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req            # extensions put into the CSR come from this section

    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = BE
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Brussels
    localityName = Locality Name (eg, city)
    localityName_default = Brussels
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment   # add digitalSignature if the firewall negotiates ECDHE cipher suites
    extendedKeyUsage = serverAuth                  # the EKU the Cisco CSR generator cannot add
    subjectAltName = @alt_names                    # the multiple SANs, listed in the section below

    [alt_names]
    DNS.1 = san.domain1.com
    DNS.2 = san.domain2.com
  • Create the CSR:
    openssl req -new -key key.pem -out cisco_fw.csr -config cisco_fw_csr_config.cnf

  • If you need to check the CSR content (look for the X509v3 Subject Alternative Name and Extended Key Usage lines in the output):
    openssl req -in cisco_fw.csr -noout -text

Bruce Becker
Seb B.
  • hi Seb, Thank you very much for your reply. It was very helpful. I have a few questions to ask you on this. How do I specify here the duration for the certificate, so for example, if I want it for 3 years? Or does it have to be specified by the CA when they issue it? I was checking some other links and there are a few other fields mentioned. Is there any particular requirement for "basicConstraints", "nonRepudiation" and "dataEncipherment"? I have it like below: [v3_req] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment – faadi77 Nov 19 '15 at 11:13
  • _How do I specify here the duration for certificate?_ You're right! The CA will be the one defining the certificate validity period. _Is there any particular requirement for "basicConstraints" "nonRepudiation" and "dataEncipherment"?_ You just have to set the "features" that you need. **basicConstraints=CA:FALSE** (the certificate can't issue/sign other certificates) is a good practice for end user certificates. – Seb B. Nov 19 '15 at 12:09
  • It would be great if you included a reference for further reading – AaA Aug 25 '17 at 02:21
0

If you need to generate the CSR without OpenSSL asking you for the input values, you need to specify the -batch option too.

openssl req -new -batch -key key.pem -out cisco_fw.csr -config cisco_fw_csr_config.cnf
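The whole procedure from the first answer (key, config with SANs and EKU, CSR, check) together with the non-interactive run from the second answer, as one added example script that is not part of either answer. It uses the `prompt = no` config style, so every DN value is taken from the config and `-batch` has nothing left to prompt for, and it refuses to hand back a CSR that does not actually carry the SANs and the serverAuth EKU. The hostnames, organisation name and output paths are placeholders (assumptions); the `basicConstraints = CA:FALSE` and `digitalSignature` bits follow the comment discussion above and assume the firewall may negotiate ECDHE cipher suites.

```shell
#!/bin/sh
# Added example: build a firewall CSR with multiple SANs and an EKU without
# any interactive prompts, then verify the CSR before sending it to the CA.
# Hostnames, organisation and paths are placeholders (assumptions).
set -eu

# Write an OpenSSL req config. "prompt = no" makes openssl take every DN
# value from the [dn] section instead of asking; -batch alone would only use
# whatever _default values a prompting config happens to supply.
write_csr_config() {
    # $1 = output path, $2 = common name, remaining args = SAN hostnames
    out="$1"; cn="$2"; shift 2
    {
        printf '[req]\n'
        printf 'prompt = no\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n\n'
        printf '[dn]\n'
        printf 'C = BE\nST = Brussels\nL = Brussels\nO = Example Org\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[v3_req]\n'
        # End-entity certificate: must never be usable to sign other certs.
        printf 'basicConstraints = critical, CA:FALSE\n'
        # digitalSignature covers ECDHE handshakes, keyEncipherment RSA key exchange.
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        i=1
        for san in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$out"
}

# Decode the CSR and fail unless every expected SAN, the serverAuth EKU and
# CA:FALSE are present, then check the CSR's self-signature (proof that the
# requester holds the private key). Returns non-zero on any problem.
verify_csr() {
    csr="$1"; shift
    text=$(openssl req -in "$csr" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    for san in "$@"; do
        printf '%s\n' "$text" | grep -q "DNS:$san" || return 1
    done
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Generate the key on this machine (never on a shared box), lock down its
# permissions, build the CSR non-interactively and verify it.
make_csr() {
    # $1 = working directory, $2 = common name, remaining args = SAN hostnames
    dir="$1"; cn="$2"; shift 2
    write_csr_config "$dir/csr.cnf" "$cn" "$@"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    chmod 600 "$dir/key.pem"
    openssl req -new -batch -key "$dir/key.pem" \
        -config "$dir/csr.cnf" -out "$dir/fw.csr"
    verify_csr "$dir/fw.csr" "$@"
}

# Usage: sh make_csr.sh <outdir> <common-name> <san> [<san>...]
if [ "$#" -ge 3 ]; then
    make_csr "$@" && echo "CSR written to $1/fw.csr (send this to the CA; keep key.pem private)"
fi
```

Run it as `sh make_csr.sh ./out fw.example.net fw.example.net vpn.example.net`; the common name should also appear as a SAN, since clients no longer match on the CN alone. The validity period is not set anywhere here because, as the comments above note, the issuing CA decides it.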