security certificate generate-csr

Generate a Digital Certificate Signing Request

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command generates a digital certificate signing request and displays it on the console. A certificate signing request (CSR or certification request) is a message sent to a certificate authority (CA) to apply for a digital identity certificate.

Parameters

[-common-name <text>] - FQDN or Custom Common Name

This specifies the desired certificate name as a fully qualified domain name (FQDN), a custom common name, or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:

  • Letters a through z, A through Z

  • Numbers 0 through 9

  • Asterisk (*), period (.), underscore (_) and hyphen (-)

The common name must not start or end with a "-" or a ".". The maximum length is 253 characters.

{ [-size <size of requested certificate in bits>] - (DEPRECATED)-Size of Requested Certificate in Bits

This specifies the number of bits in the private key. A larger size value provides for a more secure key. The default is 2048. Possible values include 512, 1024, 1536, and 2048.

Note: This parameter has been deprecated in ONTAP 9.8 and may be removed in future releases of Data ONTAP. Use the security-strength parameter instead.

| [-security-strength <bits of security strength>] - Security Strength in Bits }

Use this parameter to specify the minimum security strength of the certificate in bits. The security bits mapping to RSA and ECDSA key length, in bits, are as follows:

            Size      RSA Key Length       Elliptic Curve Key Length
            112       2048                 224
            128       3072                 256
            192       4096                 384

Note: FIPS supported values are restricted to 112 and 128. For ECDSA, TLSv1.3 requires a key length of 256 or greater.

[-algorithm <Asymmetric key generation algorithm>] - Asymmetric Encryption Algorithm

Use this parameter to specify the asymmetric encryption algorithm to use for generating the public/private key pair for the certificate signing request. Algorithm values can be RSA or EC. The default value is RSA.
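
The following Python pre-flight check is an added example, not NetApp code: it applies the common-name rules and the security-strength table, FIPS note and TLSv1.3 note above to a set of arguments before they are passed to the command. The function names and the fips and tls13 flags are hypothetical.

```python
import string

# Security strength -> key length in bits, copied from the table on this page.
KEY_BITS = {
    112: {"RSA": 2048, "EC": 224},
    128: {"RSA": 3072, "EC": 256},
    192: {"RSA": 4096, "EC": 384},
}
FIPS_STRENGTHS = {112, 128}  # from the page's FIPS note
CN_ALLOWED = set(string.ascii_letters + string.digits + "*._-")


def check_common_name(cn):
    """Return the -common-name rules that cn breaks (empty list = OK)."""
    problems = []
    if len(cn) > 253:
        problems.append("longer than 253 characters")
    bad = sorted(set(cn) - CN_ALLOWED)
    if bad:
        problems.append("unsupported characters: " + " ".join(map(repr, bad)))
    if cn.startswith(("-", ".")) or cn.endswith(("-", ".")):
        problems.append("starts or ends with '-' or '.'")
    return problems


def check_key_params(strength, algorithm="RSA", fips=False, tls13=False):
    """Return (key length in bits, problems) for a strength/algorithm pair.

    fips and tls13 are hypothetical flags describing the target environment.
    """
    if strength not in KEY_BITS:
        return None, ["security strength must be 112, 128 or 192"]
    if algorithm not in ("RSA", "EC"):
        return None, ["algorithm must be RSA or EC"]
    bits = KEY_BITS[strength][algorithm]
    problems = []
    if fips and strength not in FIPS_STRENGTHS:
        problems.append("FIPS supports only strengths 112 and 128")
    if tls13 and algorithm == "EC" and bits < 256:
        problems.append("TLSv1.3 needs an ECDSA key of 256 bits or more")
    return bits, problems


if __name__ == "__main__":
    # Values taken from the example command on this page.
    print(check_common_name("www.example.com"), check_key_params(128, "RSA"))
```
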

[-country <text>] - Country Name

This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. Here is the list of country codes:
Country Codes

[-state <text>] - State or Province Name

This specifies the state or province where the Vserver resides.

[-locality <text>] - Locality Name

This specifies the locality where the Vserver resides. For example, the name of a city.

[-organization <text>] - Organization Name

This specifies the organization where the Vserver resides. For example, the name of a company.

[-unit <text>] - Organization Unit

This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.

[-email-addr <mail address>] - Contact Administrator's Email Address

This specifies the email address of the contact administrator for the Vserver.

[-hash-function <hashing function>] - Hashing Function

This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include SHA224, SHA256, SHA384, and SHA512.

[-key-usage <Certificate key usage extension>,…​] - Key Usage Extension

Use this parameter to specify the key usage extension values. The default values are: digitalSignature, keyEncipherment. Possible values include:

  • digitalSignature

  • nonRepudiation

  • keyEncipherment

  • dataEncipherment

  • keyAgreement

  • keyCertSigning

  • cRLSigning

  • encipherOnly

  • decipherOnly

  • critical

[-extended-key-usage <Certificate extKeyUsage extension>,…​] - Extended Key Usage Extension

Use this parameter to specify the extended key usage extension values. The default values are: serverAuth, clientAuth. Possible values include:

  • serverAuth

  • clientAuth

  • codeSigning

  • emailProtection

  • timeStamping

  • OCSPSigning

  • critical

[-rfc822-name <mail address>,…​] - Email Address SAN

Use this parameter to specify the Subject Alternate Name extension - a list of rfc822-names (email addresses).

[-uri <text>,…​] - URI SAN

Use this parameter to specify the Subject Alternate Name extension - a list of URIs.

[-dns-name <text>,…​] - DNS Name SAN

Use this parameter to specify the Subject Alternate Name extension - a list of DNS names.

[-ipaddr <IP Address>,…​] - IP Address SAN

Use this parameter to specify the Subject Alternate Name extension - a list of IP addresses.

Examples

This example creates a certificate-signing request with a 2048-bit RSA private key generated by the SHA256 hashing function for use by the Engineering group in IT at a company whose custom common name is www.example.com, located in Durham, NC, USA. The email address of the contact administrator who manages the Vserver is web@example.com. The request also specifies the subject alternative names, key-usage and extended-key-usage extensions.

cluster-1::> security certificate generate-csr -common-name www.example.com -algorithm RSA -hash-function SHA256 -security-strength 128 -key-usage critical,digitalSignature,keyEncipherment -extended-key-usage serverAuth,clientAuth -country US -state NC -locality Durham -organization IT -unit Engineering -email-addr web@example.com -rfc822-name example@example.com -dns-name shop.example.com,store.example.com

Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Private Key :
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Note: Keep a copy of your certificate request and private key for future
reference.