University of Southern California
USC Authentication & Authorization

   

authX: USC PKI Lite CA
Generating a CSR Under Solaris

This page documents how a CSR for a host can be generated under Solaris. The resulting CSR should be emailed to the USC CA request queue for signing.

The USC PKI Lite CA can by policy sign only CSRs for hosts and/or persistent services within the usc.edu domain. A special arrangement has been set up to allow the USC PKI Lite CA to also sign CSRs for the isi.edu domain. If you have a CSR for the isi.edu domain, please send it to the ISI Registration Authority.

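  1. Generate a CSR using openssl req at the command line. The example below is for a host named quarens.usc.edu. The CSR will be put in the file quarens.csr and the private key will be put in the file quarens.key. (The transcript below was recorded with -keyout server.key, so there the key is written to server.key; pass -keyout quarens.key to get the file name described here.)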

    Please note that the output of openssl req -text has been wrapped for legibility in the example.

    
    
    quarens.usc.edu(1): openssl req -newkey rsa:1024 -nodes -out quarens.csr -keyout server.key
    Generating a 1024 bit RSA private key
    ......................++++++
    .++++++
    writing new private key to 'server.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [California]:
    Locality Name (eg, city) [Los Angeles]:
    Organization Name (eg, company) [University of Southern California]:
    Organizational Unit Name (eg, section) [Information Services Division]:
    Common Name (eg, YOUR name) []:quarens.usc.edu
    Email Address []:shelley@usc.edu
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.
    quarens.usc.edu(2): ^D
    script done on Fri 04 Jun 2004 08:46:15 AM PDT
    quarens.usc.edu(4): 
    quarens.usc.edu(5): more quarens.csr 
    -----BEGIN CERTIFICATE REQUEST-----
    MIICBzCCAXACAQAwgcYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRQwEgYDVQQHEwtMb3MgQW5nZWxlczEqMCgGA1UEChMhVW5pdmVyc2l0eSBvZiBT
    b3V0aGVybiBDYWxpZm9ybmlhMSYwJAYDVQQLEx1JbmZvcm1hdGlvbiBTZXJ2aWNl
    cyBEaXZpc2lvbjEYMBYGA1UEAxMPcXVhcmVucy51c2MuZWR1MR4wHAYJKoZIhvcN
    AQkBFg9zaGVsbGV5QHVzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
    APWfIdXJe85nk0Nzl8bA489Onlj0olE5mCFApF9aqTATlfxQ2Wxu5UhnzdIfXmqC
    PdN5qo7+qdFeN8FkHeZkfsMUv6nvreF1J+V68zvDznYmbRtsOa/Hc4WsqVCKAS+h
    ut0qU7WUWUKivRtXORfVoBSdy4lyaNr0Mx6xsk1qY5TnAgMBAAGgADANBgkqhkiG
    9w0BAQQFAAOBgQCYaeYiIofMlpopxr9Xny58YV+cXgU6gxj+YW0oMdLqw4B3C6pQ
    G6f2kIXeYK5seGfspR+n4s0U4EZ1q1C8jeC4kyjPuVynaDF5/A0bTT6AOvehguWp
    u6uVCaFTZyCJHfsG/Y7NP8dW7D2F3PeUk2Shq1dzqZzp25i0o1H1OBpZSg==
    -----END CERTIFICATE REQUEST-----
    quarens.usc.edu(6): 
    quarens.usc.edu(6): openssl req -text -noout -in quarens.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=California, L=Los Angeles, 
                     O=University of Southern California, 
                     OU=Information Services Division, 
                     CN=quarens.usc.edu/emailAddress=shelley@usc.edu
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:f5:9f:21:d5:c9:7b:ce:67:93:43:73:97:c6:c0:
                        e3:cf:4e:9e:58:f4:a2:51:39:98:21:40:a4:5f:5a:
                        a9:30:13:95:fc:50:d9:6c:6e:e5:48:67:cd:d2:1f:
                        5e:6a:82:3d:d3:79:aa:8e:fe:a9:d1:5e:37:c1:64:
                        1d:e6:64:7e:c3:14:bf:a9:ef:ad:e1:75:27:e5:7a:
                        f3:3b:c3:ce:76:26:6d:1b:6c:39:af:c7:73:85:ac:
                        a9:50:8a:01:2f:a1:ba:dd:2a:53:b5:94:59:42:a2:
                        bd:1b:57:39:17:d5:a0:14:9d:cb:89:72:68:da:f4:
                        33:1e:b1:b2:4d:6a:63:94:e7
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: md5WithRSAEncryption
            98:69:e6:22:22:87:cc:96:9a:29:c6:bf:57:9f:2e:7c:61:5f:
            9c:5e:05:3a:83:18:fe:61:6d:28:31:d2:ea:c3:80:77:0b:aa:
            50:1b:a7:f6:90:85:de:60:ae:6c:78:67:ec:a5:1f:a7:e2:cd:
            14:e0:46:75:ab:50:bc:8d:e0:b8:93:28:cf:b9:5c:a7:68:31:
            79:fc:0d:1b:4d:3e:80:3a:f7:a1:82:e5:a9:bb:ab:95:09:a1:
            53:67:20:89:1d:fb:06:fd:8e:cd:3f:c7:56:ec:3d:85:dc:f7:
            94:93:64:a1:ab:57:73:a9:9c:e9:db:98:b4:a3:51:f5:38:1a:
            59:4a
    quarens.usc.edu(7):
    
  2. Send the CSR in an email to the CA request queue.
    The CSR in the example above appears as the output of the more command, beginning with the line -----BEGIN CERTIFICATE REQUEST----- and ending with the line -----END CERTIFICATE REQUEST-----.
    If you normally have HTML formatting turned on for sending email, turn off HTML formatting to send the email containing the CSR.
  3. If your email containing the CSR is not signed using a key trusted by the USC PKI Lite CA administrators, arrange for in-person verification.
    You will need to bring at least one picture ID (University ID works) plus a text copy of the CSR with you when you come for in-person verification.
    (See PGP-signed email for setting up trusted signed email.)
  4. Once the CSR has been verified, it will be dispatched for signing. You will receive the signed certificate by return email.
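
The procedure above with a check before the CSR is mailed, as an added example that is not part of the original page or of USC's tooling. The helper names make_csr and check_csr, the -subj fields and the 2048-bit/SHA-256 policy are assumptions; the 1024-bit key and MD5 signature shown in the 2004 transcript are below what current public CAs accept.

```shell
#!/bin/sh
# Added example. make_csr and check_csr are hypothetical helpers; the
# 2048-bit RSA / SHA-256 policy and the -subj fields are assumptions.
# Usage: make_csr quarens.usc.edu &&
#        check_csr quarens.usc.edu.csr quarens.usc.edu.key usc.edu

# make_csr HOST: write HOST.key and HOST.csr in the current directory.
make_csr() {
    (
        umask 077    # -nodes leaves the key unencrypted: owner-only file mode
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=US/ST=California/L=Los Angeles/O=University of Southern California/CN=$1" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
    )
}

# check_csr CSR KEY DOMAIN: print the first problem and return 1, else return 0.
check_csr() {
    # Self-signature: shows the request was made by the holder of the private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify"; return 1; }

    # The CSR must carry the public half of the key that will be deployed.
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] ||
        { echo "CSR public key does not match $2"; return 1; }

    # RFC2253 name output is comma-separated without spaces, stable to parse.
    text=$(openssl req -in "$1" -noout -text -nameopt RFC2253)
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN=\([^,]*\).*/\1/p')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    case $cn in
        *."$3") ;;    # CN must be a host inside the domain the CA may sign for
        *) echo "CN '$cn' is not a host in $3"; return 1 ;;
    esac
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is only ${bits:-?} bits"; return 1; }
    case $alg in
        md5*|sha1*) echo "weak signature algorithm: $alg"; return 1 ;;
    esac
    return 0
}
```

Run check_csr on the exact file you are about to paste into the email; the same text copy is what you bring to in-person verification.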

Last updated 04 March 2005 by shelley