Creating Certificate Signing Requests

I work on a (nearly) daily basis with digital certificates (end-user and SSL certificates). These things get more and more common these days. More and more web services are being 'secured' by SSL certificates. The only problem is that the technicians who run the services don't know shit (well, most of them do) about SSL and/or PKI. I don't blame them, because it tends to be a little complex.

SSL certificates can be generated as self-signed certificates, or you might want to get a commercial SSL certificate from Certificate Authorities like VeriSign, Thawte, GeoTrust, etc. Anyway, in every case you need to generate a certificate signing request (CSR) and submit it to the Certificate Authority.

The problem is that some applications stay in a pending mode once you generate a CSR, waiting for the resulting certificate to come back from the CA. This might take a couple of days. It would be a lot nicer if you could request the certificate on another platform and import it into the application when you get the thing.

There are several ways to generate a CSR on the different platforms:

  • OpenSSL - equivalent to rocket science for most people, since it's a command-line tool
  • Via webserver tooling (IIS, Java keytool, etc.)
  • And probably some other 'obscure' ways
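For the curious, this is what the OpenSSL route looks like. It is an added example, not code from the original post: the private key is generated and kept on the machine that makes the request, only the CSR goes to the CA, and two checks are included that are easy to forget (that the CSR is for the right name before you submit it, and that the certificate you get back actually belongs to your key before you import it). The host name `www.example.test` and the file names are placeholders.

```shell
# Added example, not code from the original post: the off-box CSR workflow
# done with the OpenSSL command line. The private key never leaves this host.
set -eu

# make_csr DIR FQDN: write DIR/server.key and DIR/server.csr. A small config
# adds a subjectAltName next to the CN, which browsers require today.
make_csr() {
    dir=$1; fqdn=$2
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/csr.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# csr_ok DIR FQDN: verify the CSR's self-signature and subject before
# submitting it; a request for the wrong name is a wasted round trip.
csr_ok() {
    dir=$1; fqdn=$2
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$dir/server.csr" -noout -subject | grep -q "CN *= *$fqdn"
}

# cert_matches_key DIR CERT: the returned certificate must carry the public
# key of DIR/server.key, otherwise it cannot be imported with that key.
cert_matches_key() {
    dir=$1; cert=$2
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo DIR: stand in for the CA by self-signing the CSR, then run both checks.
demo() {
    dir=$1
    make_csr "$dir" www.example.test
    csr_ok "$dir" www.example.test
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 1 -out "$dir/server.crt" 2>/dev/null
    cert_matches_key "$dir" "$dir/server.crt"
}
```

With a real CA you skip the self-signing step in `demo` and run `cert_matches_key` on the certificate the CA sends back.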

But what if your application needs an SSL certificate, or your webserver is located on the other side of the world (and you have no way of accessing it directly)? How the hell do you generate a CSR? The Windows platform itself doesn't have any tools for creating certificates (only if you use IIS or have a CA running on the platform).

The solution (at least my solution) is XCA. This program provides the basic PKI certificate management activities through a user-friendly interface. I use the program to host my own private CA, and I use it to create certificate signing requests for other purposes. Even storing certificates (with private keys) from other vendors is supported. And everything in the database is protected by a password.

XCA features include:

  • Generation of keypairs
  • Certificate Signing Request generation
  • Creation of (sub) CAs
  • Generation of CRLs
  • Creation of certificate templates
  • Export of certificates (with or without private keys) in various formats

The other advantage of XCA is that it's cross-platform. I use it on my OS X and Windows devices. And by using a shared medium (e.g. Dropbox), I can access the same database from different locations and platforms.

Posted on January 17, 2007 and filed under Personal, Security, Software.