5.2.7 Usage examples of the keygen and certutil commands

This subsection provides examples of how to use the keygen and certutil commands. The information provided in the following examples, such as for the Common Name item, is fictitious, and any connection with real individuals is purely coincidental.

Organization of this subsection
(1) Generating a private key (keygen command)
(2) Creating a Certificate Signing Request (CSR) (certutil command)

(1) Generating a private key (keygen command)

The following example shows how to use the keygen command to generate a private key.

Usage example

# keygen -rand file -des3 -out httpsdkey.pem -bits 1024
Adding 'entropy' into random generator
372 random bytes loaded
RSA Key Generation e= 65537, bits= 1024, primes= 2
Enter PEM passphrase:                        <--- Enter a password.
Verifying password - Enter PEM passphrase:   <--- Re-enter the password.
Key generation successful

#

Contents of the private key
The contents of the private key are as follows:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0150E8E9D7CFAD87
-----END RSA PRIVATE KEY-----
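
The following check is an added example, not part of the original manual or the product. It reads the Proc-Type and DEK-Info headers shown above to confirm that a traditional-format RSA key file is actually stored encrypted and that its header is well-formed. The function name audit_pem_key and the sample body are assumptions constructed for illustration.

```python
import base64
import re

# Block sizes in bytes for ciphers that appear in legacy PEM DEK-Info headers.
BLOCK_SIZE = {"DES-CBC": 8, "DES-EDE3-CBC": 8,
              "AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16}
PEM_RE = re.compile(r"-----BEGIN RSA PRIVATE KEY-----\r?\n(.*?)"
                    r"-----END RSA PRIVATE KEY-----", re.S)

def audit_pem_key(text):
    """Report how a traditional-format RSA private key PEM is protected."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no traditional RSA PRIVATE KEY block found")
    headers, b64 = {}, []
    for line in m.group(1).splitlines():
        if ":" in line:                  # header line; base64 never contains ':'
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
        elif line.strip():
            b64.append(line.strip())
    data = base64.b64decode("".join(b64), validate=True)
    report = {"encrypted": False, "cipher": None, "problems": []}
    if headers.get("Proc-Type", "").replace(" ", "") != "4,ENCRYPTED":
        report["problems"].append("private key is stored without a passphrase")
        return report
    report["encrypted"] = True
    cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
    report["cipher"] = cipher or None
    block = BLOCK_SIZE.get(cipher)
    if block is None:
        report["problems"].append("unknown or missing DEK-Info cipher")
        return report
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * block), iv_hex.strip()):
        report["problems"].append("IV is not %d hex-encoded bytes" % block)
    if not data or len(data) % block:
        report["problems"].append("ciphertext is not a whole number of blocks")
    return report

# Constructed sample: headers as shown above; the body is 16 zero bytes, not a key.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0150E8E9D7CFAD87

AAAAAAAAAAAAAAAAAAAAAA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(audit_pem_key(SAMPLE))
```

An empty problems list means the file carries the encryption headers and a consistent IV and body length; it does not verify the passphrase or decrypt the key.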

(2) Creating a Certificate Signing Request (CSR) (certutil command)

This subsection explains how to use the certutil reqgen command to create a Certificate Signing Request (CSR). Submit the created CSR file to a CA to receive a signed certificate. Note that if you set a password when creating the private key of the Web server, you are also requested to enter the private key password when creating the CSR.

Specify the items and contents according to the instructions provided by the CA to which the CSR is submitted.

Usage example

# certutil reqgen -sign SHA1 -key httpsdkey.pem -out httpsd.csr
Enter PEM passphrase:           <--- Enter the private key password.
Country Name (2 letter code) :JP
State or Province Name (full name) :Kanagawa
Locality Name (eg, city) :Yokohama-shi
Organization Name (eg, company) :HITACHI
Organizational Unit Name (eg, section) :WebSite
Common Name (eg, YOUR name) :www.hws.hitachi.co.jp
Email Address :
Subject: C=JP,ST=Kanagawa,L=Yokohama-shi,O=HITACHI,OU=WebSite,CN=www.hws.hitachi.co.jp
A certificate signing request was successfully created
#

CSR format
The CSR format is as follows:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----