Reissuing an SSL Certificate using an RSA Signing Key
DNSimple provides SSL certificates using elliptic curve keys by default, but there are some situations or requirements where you still need to use an RSA key as the certificate signing key.
The RSA-signed certificates are available by generating a custom Certificate Signing Request (CSR) and using it while reissuing the SSL certificate.
Before starting
In this guide, we assume you have OpenSSL installed on your system. If you don’t have it available, you will need to install it:
- Using your favorite package manager: apt, dnf, brew, nuget, chocolatey, etc.
- Using the OpenSSL binaries.
- Finding other alternatives to generate the RSA private key and the CSR.
Generating an RSA private key
First, generate an RSA private key that will be used in the next steps to sign the CSR.
$ openssl genrsa -out KEY_FILE.pem 2048
Generating a Certificate Signing Request
Next, generate the CSR. In this example we’ll use the -subj argument to the OpenSSL command. If you don’t specify it, you’ll be asked a few clarifying questions.
You’ll see the following abbreviations:
- C is for Country
- ST is for State
- L is for Location
- O is for Organization
- CN is for Common Name — this is especially important, as it must match the certificate CN.
$ openssl req -new -key KEY_FILE.pem -nodes -out CSR_FILE.pem -subj "/C=US/ST=FL/L=Melbourne/O=dnsimple/CN=subdomain.example.com"
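Before submitting the CSR, you can confirm that it carries an RSA key of the expected size, that it was produced from KEY_FILE.pem, and that its CN is the name you intend. The script below is an added example, not part of the original guide; `check_csr` is a hypothetical helper name, and it assumes the CN is the last component of the -subj string, as in the command above.

```bash
#!/usr/bin/env bash
# Added example: pre-submission checks for the RSA key and CSR from this guide.
# check_csr is a hypothetical helper name, not a DNSimple or OpenSSL command.

check_csr() {
  local key="$1" csr="$2" expected_cn="$3" text bits cn

  # 1. The CSR's self-signature must verify (catches truncated or edited PEM).
  #    Match on the output text: some OpenSSL releases exit 0 on a failed verify.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "FAIL: CSR signature does not verify" >&2; return 1
  fi

  # 2. The public key in the CSR must be RSA, which is the reason for the reissue.
  text=$(openssl req -in "$csr" -noout -text) || return 1
  if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "FAIL: CSR public key is not RSA" >&2; return 1
  fi

  # 3. The modulus must be at least the 2048 bits used in the guide.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "FAIL: RSA key is ${bits:-unknown} bits, expected >= 2048" >&2; return 1
  fi

  # 4. The CSR must carry the public half of this private key; otherwise the
  #    reissued certificate cannot be installed with KEY_FILE.pem.
  if [ "$(openssl req -in "$csr" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: CSR was not generated from this private key" >&2; return 1
  fi

  # 5. The CN must be the certificate's name. RFC 2253 output reverses the
  #    -subj order, so a CN given last in -subj is printed first.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$expected_cn" ]; then
    echo "FAIL: CN is '$cn', expected '$expected_cn'" >&2; return 1
  fi

  echo "OK: RSA ${bits}-bit CSR for $expected_cn matches $key"
}

# Usage: ./check_csr.sh KEY_FILE.pem CSR_FILE.pem subdomain.example.com
if [ "$#" -eq 3 ]; then check_csr "$@"; fi
```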
Follow the regular process for reissuing a Standard SSL Certificate
Finally, follow the regular process for reissuing a Standard SSL Certificate. Make sure:
- The reason explains that you need an RSA-based certificate.
- The checkbox "I want to provide a custom CSR" is checked.
- Copy the CSR_FILE.pem content into the text area.
Once the certificate is reissued, you will have to go through the steps of configuring, verifying, and installing the certificate to receive the certificate.