
How to get a certificate from a CA?


I need to get a certificate from a certificate authority with a .crt extension. I used openssl commands, but they generate a self-signed certificate, which is not suitable for my use.

$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert

How can I obtain a certificate from a CA in Ubuntu 16.04? I need .key and .crt files.


Solution

  • These are the steps you would need to do to get a certificate signed by a CA.

    1. Generate an asymmetric key pair.

    openssl genrsa -out localhost.key 2048

    2. Generate a PKCS#10 (Certificate Signing Request) from the key pair.

    openssl req -new -sha256 -key localhost.key -out localhost.csr

    3. Send the above generated request to the CA (different CAs have different ways of receiving your request).

    4. The CA replies with a PKCS#7 (certificate chain) or just the signed certificate (you will usually get the entire certificate chain, but if you only got the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).

    5. You can convert the above received PKCS#7 to PEM format:

    openssl pkcs7 -in localhost.p7r -inform DER -out localhost.pem -print_certs

    6. Associate the above PEM certificate chain with the private key you generated in step 1:

    openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name sslCertificate -out localhost.pfx

    You now have a PKCS#12 keystore that you can use to secure your server.

    So to answer your question, this is how you could proceed with step 3.

    There are many well-known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc.). Each CA could differ in pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to learn more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).
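The whole procedure from the answer above, as an added worked example that is not part of the original answer: a throwaway local test CA (an assumption made here so the script runs offline) stands in for the commercial CA of steps 3 and 4, the CSR carries a subjectAltName (modern browsers ignore a CN-only certificate), and before the PKCS#12 bundle is built the script performs the checks a practitioner wants: the issued certificate is no longer self-signed, it chains to the CA, and its public key matches the private key from step 1. File names, the CA name "Example Test CA", the PKCS#12 password "changeit" and the working directory are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): key -> CSR -> CA-signed cert
# -> chain checks -> PKCS#12, using a local test CA instead of a commercial one.
set -eu

# All artifacts land in a scratch directory; override with WORK=/path if wanted.
WORK="${WORK:-$(mktemp -d)}"

# Steps 1 and 2: private key plus a CSR that requests a SAN for localhost.
make_csr() {
    cat > "$WORK/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = localhost
[v3_req]
subjectAltName = DNS:localhost
EOF
    openssl genrsa -out "$WORK/localhost.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/localhost.key" \
        -config "$WORK/csr.cnf" -out "$WORK/localhost.csr"
    # Sanity check: the CSR's self-signature must verify before it is sent anywhere.
    openssl req -in "$WORK/localhost.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for the commercial CA (assumption): a self-signed root with CA:TRUE,
# which openssl verify requires of a trust anchor.
make_test_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$WORK/ca.key" \
        -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

# Steps 3 and 4 simulated locally: the CA signs the CSR as a server (leaf) cert.
# A real CA applies its own extensions; these are the ones a TLS server needs.
sign_csr() {
    cat > "$WORK/ext.cnf" <<'EOF'
subjectAltName = DNS:localhost
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -sha256 -days 90 -in "$WORK/localhost.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/localhost.crt" 2>/dev/null
}

# Checks to run on whatever the CA returns, before trusting the files.
check_cert() {
    subj=$(openssl x509 -in "$WORK/localhost.crt" -noout -subject)
    issuer=$(openssl x509 -in "$WORK/localhost.crt" -noout -issuer)
    # A CA-issued certificate has a different issuer than subject; equal means self-signed.
    [ "$subj" != "$issuer" ] || { echo "certificate is still self-signed" >&2; return 1; }
    # The leaf must chain to the CA certificate that was returned with it.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/localhost.crt" >/dev/null
    # The requested SAN must have survived issuance.
    openssl x509 -in "$WORK/localhost.crt" -noout -text | grep -q 'DNS:localhost'
    # The certificate's public key must be the one from our private key (step 1).
    key_pub=$(openssl pkey -in "$WORK/localhost.key" -pubout)
    crt_pub=$(openssl x509 -in "$WORK/localhost.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Steps 5 and 6: PEM chain (leaf first, then issuer) bundled with the key.
bundle_pkcs12() {
    cat "$WORK/localhost.crt" "$WORK/ca.crt" > "$WORK/localhost.pem"
    openssl pkcs12 -export -inkey "$WORK/localhost.key" -in "$WORK/localhost.pem" \
        -name sslCertificate -passout pass:changeit -out "$WORK/localhost.pfx"
}

run_demo() {
    make_csr
    make_test_ca
    sign_csr
    check_cert
    bundle_pkcs12
    echo "key, CA-signed cert and PKCS#12 bundle written to $WORK"
}

run_demo
```

With a real CA, replace make_test_ca and sign_csr by uploading localhost.csr to the CA and saving what it returns as localhost.crt (plus its chain as ca.crt, or converted from PKCS#7 as in step 5); check_cert then applies unchanged, with -CAfile pointing at the CA's chain file. Keep localhost.key readable only by the service account and never send it to the CA: only the CSR leaves the machine.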