How to Generate a CSR on Amazon Web Services (AWS)

SSL certificates are essential for various AWS products, including AWS Elastic Beanstalk, Elastic Load Balancing, CloudFront, and AWS OpsWorks. This article provides guidance on generating a Certificate Signing Request (CSR) suitable for these services.

CSR, which stands for Certificate Signing Request, contains encrypted information about the certificate applicant and the associated domain name.

Upon purchasing an SSL certificate, it’s necessary to activate the SSL and submit the CSR to the CA (Certificate Authority) during the process. The CA utilizes the CSR data for certificate validation.

An RSA Private Key is generated alongside the CSR, serving a vital role in data encryption. It’s crucial to safeguard the Private Key on the server to prevent compromise.

The following command-line tools are essential for certificate creation and uploading to AWS:

  • OpenSSL: Used for generating Private Keys and CSRs.
  • PowerShell or cmd: Standard command-line tools for Windows servers.
  • AWS Command Line Interface (CLI): Enables certificate upload to AWS.

Two methods for generating CSRs are outlined below:

Generating CSR using OpenSSL

This option is normally used on Linux-based Amazon instances, as they usually already have the required tools installed, or they are easy to install. All commands should be run in a terminal connected to your instance (for example, through PuTTY, or the Terminal app on macOS and Linux).

The Private Key is created first and then the CSR is generated based on it.

1) Run the following command to generate the key:

sudo openssl genrsa -out private.key 2048

Here 2048 is the key size in bits. If you do not specify the size, a 2048-bit key is generated.

You can specify any name for the key file (private.key) to make it recognizable in case you have multiple SSLs stored on the server.

If you want to generate the SSL with an ECDSA algorithm, you can use this command instead (this is just a recommended option; there are other setups you can use, too):

sudo openssl ecparam -genkey -name secp384r1 -out private.key

2) The CSR is generated based on the Private Key. The following command is used for the CSR creation:

sudo openssl req -new -key private.key -out csr.pem

2.1) Alternatively, you can use one command to generate the RSA Private Key and CSR:

sudo openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out csr.pem

The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields, but you can leave some blank.
For some fields there will be a default value.
If you just press Enter, the field will be left blank.

2.2) The following information needs to be filled in. We strongly recommend filling in all the fields. A CSR with any blank fields can be rejected by our system or by the Certificate Authority.

Note: For Organisation Validation (OV) or Extended Validation (EV) types of SSLs, make sure to use the correct legal company name. If it’s a reissued CSR, ensure the company details are the same as the ones used previously.

Note: Please use only alphanumeric characters. A CSR containing special symbols, such as Ä or È, will not be recognized. Such characters should be replaced with their plain alphanumeric equivalents, such as A and E.

Country name: use a valid two-letter country code.
State or Province: use your state or province name, or use the Locality name if you have none.
Locality name: use your city, town or other locality name.
Organization Name: use your company/organization name or put NA (Not Applicable).
Organizational Unit: use your unit or department name or put NA (Not Applicable).
Common Name: the fully qualified domain name you need to secure, for example www.example.com

Note: When filling in the Common Name field, it is important to remember that it should be the exact domain name you need to secure. It should look like www.example.com, example.com, or like mail.example.com, if you need to secure the subdomain.

For a Wildcard certificate the common name should be stated as *.example.com or *.sub.example.com.

Email address: the server administrator’s email address, for example [email protected]. This email address will be fetched by the system as the administrative contact to which the SSL certificate files are sent once the certificate is issued. You’ll be able to change it during the SSL activation as well.

Challenge password and Optional company name are legacy fields and can be skipped.

Most certificates we provide secure both www.example.com and example.com automatically. However, if you have any doubts, we recommend checking the correct way to define your domain name for a particular certificate with our Support Team.

3) Run the following command to open the CSR file you’ve just generated:

cat csr.pem

In the output you will see the CSR in plain text. Copy the whole text, from the "-----BEGIN CERTIFICATE REQUEST-----" line through the "-----END CERTIFICATE REQUEST-----" line inclusive, and use it for the certificate activation. Once the certificate is issued by the Certificate Authority, you can proceed with its installation.

The process is the same for all Linux distributions, including Amazon AMI Linux.
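The following script is an added example, not part of the original article: it runs steps 1 to 3 of the OpenSSL method non-interactively (key plus CSR in one command, the DN supplied with -subj) and then checks the CSR before it is pasted into the activation form, which is the verification a practitioner wants and the article does not show. It assumes openssl is on the PATH; every DN value and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: runs steps 1-3 of the
# OpenSSL method non-interactively and checks the result before it is pasted
# into the CA's activation form. Assumes openssl is on the PATH; every name
# and DN value below is constructed for the demo.
set -eu

# Step 1 + 2.1: RSA 2048 key and CSR in one command (-nodes: no passphrase on
# the key; -subj: the Distinguished Name fields the article walks through).
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Example Inc/OU=IT/CN=$cn" \
        >/dev/null 2>&1
    chmod 600 "$key"   # the key stays on the server: owner read/write only
}

# Succeeds when the CSR's self-signature verifies and its public key is the
# one derived from the given private key (i.e. the pair belongs together).
csr_matches_key() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ]
}

# Prints the Common Name from the CSR subject (what the CA will certify).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Prints the public key size in bits (see the ACM note at the end).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds when only the owner can read the private key file.
key_is_owner_only() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

# Demo on constructed values; the key and CSR land in a temporary directory.
workdir=$(mktemp -d)
make_csr "$workdir/private.key" "$workdir/csr.pem" www.example.com
csr_matches_key "$workdir/private.key" "$workdir/csr.pem" && echo "csr.pem was signed with private.key"
echo "CN=$(csr_common_name "$workdir/csr.pem"), $(csr_key_bits "$workdir/csr.pem")-bit key, stored in $workdir"
cat "$workdir/csr.pem"   # paste from the BEGIN to the END CERTIFICATE REQUEST line into the activation form
```

The printed directory is the one to write down (see the warning below): the private key must be in that path when the issued certificate is installed.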

Note: Windows has a similar process, described in the PowerShell section below.

WARNING: Please remember the following points before beginning the process:

Write down the directory where the CSR was generated, as the Private Key for the SSL will be saved there. You will need to know where the key is located in order to install the SSL.

If you are not sure which folder it is, print the current directory with the pwd command, or search the file system for the generated files:

find / -type f -name "*.csr"

or

find / -type f -name "*.pem"

(depending on which extension was used)

Generating CSR using PowerShell

This method is used on Windows-based machines, which already ship with the required command-line tools. The Private Key is not written to a separate file here: certreq keeps it in the Windows certificate store together with the pending request.

1) Create the configuration file example.inf (you can use any file name) on your Windows server with the CSR details following this example:

[NewRequest]
Subject = "/CN=*Common Name*/C=*Country*/ST=*State or Province*/L=*Locality or City*/O=*Company*/OU=*Organizational unit*"
Exportable = TRUE
KeyLength = *key size in bits*
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate="WebServer"
[Extensions]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

Replace all values enclosed in asterisks (*...*) with your actual details.

2) Save it and run the following command in cmd or PowerShell:

certreq -new example.inf csr.txt

3) Open the file with any text editor (we use Notepad in this example as it is always present on Windows) or use the following command:

notepad csr.txt

Note: If you plan to import the SSL certificate into AWS Certificate Manager (ACM), be aware that it only supports 2048-bit and the outdated 1024-bit keys.