How to generate a PKCS#10 request with your software is described in that software's documentation. For the DFN-PKI, you can generate this file with the software 'openssl', for example, using the following commands:
For UNIX users:
Server certificate (e.g. for the server "testserver.hrz.tu-freiberg.de"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=testserver.hrz.tu-freiberg.de/emailAddress="
User certificate (e.g. for the user "Max Mustermann"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=Max Mustermann/emailAddress="
Group certificate (e.g. for the "Spatial planning" group):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=GRP: Raumplanung/emailAddress="
A group can also contain a list of users, e.g. GRP: Max Mustermann, Erika Mustermann.
Pseudonym certificate (e.g. for the pseudonym "My pseudonym"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=PN:Mein Pseudonym/emailAddress="
For Windows users:
First you must change to the folder with the openssl software, e.g.:
cd C:\OpenSSL-Win32\bin
Server certificate (e.g. for the server "testserver.hrz.tu-freiberg.de"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=testserver.hrz.tu-freiberg.de/emailAddress=" -config openssl.cfg
User certificate (e.g. for the user "Max Mustermann"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=Max Mustermann/emailAddress=" -config openssl.cfg
Group certificate (e.g. for the "Spatial planning" group):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=GRP: Raumplanung/emailAddress=" -config openssl.cfg
A group can also contain a list of users, e.g. GRP: Max Mustermann, Erika Mustermann.
Pseudonym certificate (e.g. for the pseudonym "My pseudonym"):
openssl req -newkey rsa:2048 -nodes -keyout key_private.pem -out request.pem -subj "/C=DE/ST=Sachsen/L=Freiberg/O=Technische Universitaet Bergakademie Freiberg/CN=PN:Mein Pseudonym/emailAddress=" -config openssl.cfg
Notes:
- The -nodes option means that the private key itself is not encrypted. This is often helpful, especially with server certificates.
- The key length (here 2048; this is the minimum) can also be set to 3072, 4096 or 8192.
- The file "key_private.pem" contains the generated private key and the file "request.pem" contains your request. The private key must be protected against theft and loss!
- You can display the request with the command "openssl req -text -in request.pem".
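A pre-submission check for the two files produced by the UNIX commands above, as an added example that is not part of the original page or of the DFN-PKI tooling. It verifies the request's self-signature, the 2048-bit minimum, that request.pem belongs to key_private.pem, and that the unencrypted key is not accessible to group or others; the function name check_request and the permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the key and
# request before submitting request.pem. check_request is a hypothetical name.
# Usage: check_request KEY CSR [MIN_BITS]   -> returns 0 only if all checks pass
check_request() {
    key=$1; csr=$2; min_bits=${3:-2048}

    # 1. Self-signature: shows the requester holds the private key and that
    #    the file was not damaged. Match the message text, because the exit
    #    status alone is not reliable across OpenSSL versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: request signature does not verify" >&2; return 1; }

    # 2. Key length must meet the minimum stated on the page (2048).
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    { [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; } ||
        { echo "FAIL: key is ${bits:-?} bit, need >= $min_bits" >&2; return 1; }

    # 3. The request must carry the public half of this private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$csr_pub" = "$key_pub" ] ||
        { echo "FAIL: $csr was not created from $key" >&2; return 1; }

    # 4. With -nodes the key is stored unencrypted, so file permissions are
    #    its only protection: reject any group/other access bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/others; run chmod 600" >&2; return 1; }

    echo "OK: $bits-bit request matches $key"
}

# Run the checks when called as: sh check_request.sh key_private.pem request.pem
if [ "$#" -ge 2 ]; then check_request "$@"; fi
```

Running `umask 077` in the shell before the `openssl req -newkey` command ensures the key file is created without group or other access in the first place.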