
Quick guide to certificate creation

This guide gives example commands that can be used to create a certificate. The examples use the OpenSSL command-line tool, and the commands below are written for it.

More detailed technical instructions on certificate generation, retrieval and renewal are given in the Certificate Service's technical guide. Read the technical instructions on vero.fi: Technical instructions - vero.fi

Generating a private key for a certificate

OpenSSL command: openssl genrsa -out privatekey.key 2048

  • Change "privatekey.key" to a desired value.
  • The value you choose specifies the name of the file where the private key will be written.
  • The Certificate Service currently only supports 2048-bit RSA keys, so keep the final argument as 2048.
  • The command writes a new private key in PEM format (base64 text between BEGIN/END header lines) to the file "privatekey.key" in the folder where the command is run.
    • The private key must be kept secret, and creating it on a workstation is not recommended. Create it directly in a secure location on the system that will use the certificate, for example in a protected key store when using cloud services, and restrict read access to the file.

Create a Certificate Signing Request (CSR)

OpenSSL command: openssl req -new -key privatekey.key -out examplecsr.csr

  • Replace the file name "privatekey.key" with the name you used when you created the private key.
  • Change "examplecsr.csr" to a desired value. The value you choose determines the name of the file where the CSR will be written.
  • The CSR is signed with the private key you created earlier. OpenSSL prompts for the subject fields (country, organisation, common name and so on) when the command runs.
  • The command writes a new CSR in PEM format (base64 text between BEGIN/END header lines) to the file "examplecsr.csr" in the folder where the command is run.
  • Paste the base64 CSR from the file into the Certificate Service application to retrieve the certificate, or submit it through the technical PKI interface.
    • A certificate retrieved through the application is a .pem file. It can also be saved with a .crt extension if desired; the content is the same, and either file can be used when creating the .pfx file with OpenSSL.
    • When using the PKI web service, the signed certificate is in the <certificate> block near the beginning of the return message.
    • Note that the <x509certificate> block inside the <signature> block at the end of the message holds the certificate that signed the return message itself. Do not confuse it with the certificate issued from your CSR in the <certificate> block.

Create pfx/PKCS12 file from the retrieved certificate and private key

OpenSSL command: openssl pkcs12 -export -out certificatepfx.pfx -inkey privatekey.key -in certificate.crt

  • A PKCS#12 (.pfx) file is a binary container that stores cryptographic objects such as private keys, certificates and certificate chains in a single password-protected file.
  • Change "certificatepfx.pfx" to a desired value. The value you select determines the name of the pfx certificate file.
  • Change the file name "privatekey.key" to the name you used when you created the private key. It must be the same key the CSR was made with; otherwise the certificate's public key will not match the private key and the bundle is unusable.
  • Change the file name "certificate.crt" to the name of the file where you saved the certificate retrieved from the Certificate Service.
  • The command creates a pfx/PKCS12 file from the retrieved certificate and the private key. This file is then installed in the software that makes the interface calls.
  • OpenSSL prompts for an export password that encrypts the file. Setting one is recommended; the software that uses the pfx file will need it.
  • The generated pfx/PKCS12 file contains the private key, so it must be kept secret as well.
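The three steps above run end to end, with the checks a practitioner would want between them, as an added example that is not from vero.fi or the Certificate Service. The working directory, the export password and the subject "/CN=example-client" are assumptions, and the self-signed certificate produced by issue_stand_in_cert is only a stand-in for the certificate the service would issue from the CSR; in real use replace that step with the .pem/.crt file you retrieved.

```shell
#!/bin/sh
# Added example, not from vero.fi: key -> CSR -> PKCS#12 with verification at each step.
# WORKDIR, EXPORT_PASS and the subject are assumptions; the self-signed certificate is a
# stand-in for the one the Certificate Service would issue from the CSR.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"         # assumed location; use a protected directory in practice
EXPORT_PASS="${EXPORT_PASS:-change-me}"    # assumed export password for the .pfx file
KEY="$WORKDIR/privatekey.key"
CSR="$WORKDIR/examplecsr.csr"
CERT="$WORKDIR/certificate.crt"
PFX="$WORKDIR/certificatepfx.pfx"

# Step 1: 2048-bit RSA private key, readable only by the current user.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Modulus length in bits, derived from the hex modulus (4 bits per hex digit).
# Confirms the 2048-bit requirement before the CSR is submitted.
key_bits() {
    hex=$(openssl rsa -in "$KEY" -noout -modulus | sed 's/^Modulus=//' | tr -d '\n')
    echo $(( ${#hex} * 4 ))
}

# Step 2: CSR signed with the key. -subj avoids the interactive subject prompt.
gen_csr() {
    openssl req -new -key "$KEY" -subj "/CN=example-client" -out "$CSR"
}

# Verifies the CSR's self-signature, i.e. that the file is intact and was made with the key.
verify_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Stand-in for the Certificate Service: issue a certificate from the CSR.
# Replace this with the .pem/.crt file retrieved from the service.
issue_stand_in_cert() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CERT" 2>/dev/null
}

# The certificate's public key must be the one belonging to our private key;
# a mismatch means the wrong key file (or the wrong certificate) is about to be bundled.
cert_matches_key() {
    [ "$(openssl pkey -in "$KEY" -pubout)" = "$(openssl x509 -in "$CERT" -pubkey -noout)" ]
}

# Step 3: PKCS#12 bundle, export password supplied non-interactively.
build_pfx() {
    openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CERT" -passout "pass:$EXPORT_PASS"
    chmod 600 "$PFX"
}

# Read the bundle back with the password and return the subject of the certificate inside,
# which proves the file opens and holds the expected certificate.
pfx_subject() {
    openssl pkcs12 -in "$PFX" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null | openssl x509 -noout -subject
}

gen_key
gen_csr
verify_csr
issue_stand_in_cert
cert_matches_key
build_pfx
echo "key bits: $(key_bits)"
echo "pfx holds: $(pfx_subject)"
```

Run it with sh on a machine that has OpenSSL installed. The directory it creates holds the private key and the pfx file, so either delete it afterwards or keep it as protected as the key itself.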

Renewal of certificate

  • Technically, renewing a certificate means the same thing as ordering a new certificate through the PKI web service interface. Renewal can be done up to 60 days before the current certificate expires. Once the certificate has expired it can no longer be renewed, and a new certificate must be ordered from the Certificate Service.
  • Before renewing, generate a new private key and create a new CSR with it. The private key of the existing certificate cannot be reused for the new CSR.
  • The renewal message sent to the PKI web service interface is signed with the private key of the existing, still valid certificate. This signature is what authenticates the requester for the renewal, which is why an expired certificate cannot be used to renew and a new certificate must then be ordered from the Certificate Service.

For more information, read here: Technical instructions - vero.fi

Page last updated 2/13/2025