FortiWeb
kmak
Staff
Article Id 309710
Description This article describes how to generate a private key and a certificate signing request (CSR) for an SSL certificate using the OpenSSL tool.
Scope FortiWeb.
  • Using the open-source utility 'OpenSSL' to generate a private key and CSR for SSL certificate signing requests.
Solution

FortiWeb supports generating a CSR for SSL certificate signing requests, but the private key is stored within FortiWeb, and FortiWeb does not support exporting the unencrypted private key.

This is not an issue if the private key and signed SSL certificate only need to be installed on the FortiWeb. However, it is problematic if the private key and signed SSL certificate also need to be installed on other devices/endpoints.

This article uses the 'openssl' tool in a Linux Subsystem to generate the private key and CSR.

  1. Creating an RSA-type private key and CSR:

openssl req -newkey rsa:4096 -nodes -keyout <New-PKeyName>.key -out <New-CSRName>.csr

  • req: Certificate Signing Request (CSR).
  • newkey: Generate a new key.
  • rsa:4096: Generate a 4096-bit RSA key.
  • nodes: No DES; the new private key is written without encryption.
  • keyout: Path or file name to save the private key file.
  • out: Path or file name to save the CSR file.

  2. Creating an ECC-type private key and CSR:

openssl ecparam -out <New-PKeyName>.key -name prime256v1 -genkey

openssl req -new -key <New-PKeyName>.key -out <New-CSRName>.csr

  • ecparam: EC parameter manipulation and generation.
  • out: Path or file name to save the key/CSR file.
  • name: EC parameters with the specified 'short name'.
  • genkey: Generate the private key.
  • req: Certificate Signing Request (CSR).
  • new: Generate a CSR.
  • key: The file name of the private key created in the previous command.

 

After the OpenSSL commands are executed, a series of information must be entered, which will be incorporated into the certificate request.

[Screenshot: OpenSSL prompts for the certificate request information]

The CSR file is generated once this process is complete. Open the CSR with a text editor and copy its contents to submit to the SSL certificate authority provider.

[Screenshot: example of a CSR file's contents]
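Before the CSR is submitted, it is worth confirming that it verifies and was built from the intended private key. The script below is an added example, not part of the original article: it runs the ECC procedure without prompts by passing the subject with -subj, then checks the CSR against the key. The function names, file names and subject values are constructed placeholders, and -noout and umask 077 are additions to the article's ecparam command.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, file names
# and the subject string are constructed placeholders.
set -eu

# Generate an unencrypted P-256 private key and a CSR without prompts.
# $1 = base file name, $2 = subject DN (replaces the interactive questions)
make_ec_csr() {
    (
        umask 077  # the key is stored unencrypted, so keep it owner-only
        openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    )
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}

# Print the SHA-256 of the DER public key inside a CSR (*.csr) or key file.
pubkey_hash() {
    case "$1" in
        *.csr) openssl req -in "$1" -noout -pubkey ;;
        *)     openssl pkey -in "$1" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the CSR's self-signature verifies and its public key
# is the one belonging to the given private key. $1 = key file, $2 = CSR file
csr_matches_key() {
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the self-signature check fails.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(pubkey_hash "$1")" = "$(pubkey_hash "$2")" ]
}

# Demo run in a scratch directory.
workdir=$(mktemp -d)
make_ec_csr "$workdir/www" "/C=US/O=Example Corp/CN=www.example.com"
if csr_matches_key "$workdir/www.key" "$workdir/www.csr"; then
    echo "CSR verifies and matches the private key"
fi
openssl req -in "$workdir/www.csr" -noout -subject
rm -rf "$workdir"
```

The same csr_matches_key check works for the RSA key and CSR from step 1, since it only compares public keys.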

 

Related document:

Generating a certificate signing request
