security certificate generate-csr
Generate a Digital Certificate Signing Request
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command generates a digital certificate signing request and displays it on the console. A certificate signing request (CSR or certification request) is a message sent to a certificate authority (CA) to apply for a digital identity certificate.
Parameters
- [-common-name <text>] - FQDN or Custom Common Name
- This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:
- Letters a through z, A through Z
- Numbers 0 through 9
- Asterisk (*), period (.), underscore (_) and hyphen (-)
- { [-size <size of requested certificate in bits>] - (DEPRECATED)-Size of Requested Certificate in Bits
- This specifies the number of bits in the private key. A larger size value provides for a more secure key. The default is 2048. Possible values include 512, 1024, 1536, and 2048. Note: This parameter has been deprecated in ONTAP 9.8 and may be removed in future releases of Data ONTAP. Use the security-strength parameter instead.
- | [-security-strength <bits of security strength>]} - Security Strength in Bits
- Use this parameter to specify the minimum security strength of the certificate in bits. The security bits mapping to RSA and ECDSA key length, in bits, are as follows:

| Security Strength | RSA Key Length | Elliptic Curve Key Length |
|---|---|---|
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 4096 | 384 |

Note: FIPS supported values are restricted to 112 and 128.
- [-algorithm <Asymmetric key generation algorithm>] - Asymmetric Encryption Algorithm
- Use this parameter to specify the asymmetric encryption algorithm to use for generating the public/private key for the certificate signing request. Algorithm values can be RSA or EC. Default value is RSA.
- [-country <text>] - Country Name
- This specifies the country where the Vserver resides. The country name is a two-letter code. The default is US. Here is the list of country codes: Country Codes
- [-state <text>] - State or Province Name
- This specifies the state or province where the Vserver resides.
- [-locality <text>] - Locality Name
- This specifies the locality where the Vserver resides. For example, the name of a city.
- [-organization <text>] - Organization Name
- This specifies the organization where the Vserver resides. For example, the name of a company.
- [-unit <text>] - Organization Unit
- This specifies the unit where the Vserver resides. For example, the name of a section or a department within a company.
- [-email-addr <mail address>] - Contact Administrator's Email Address
- This specifies the email address of the contact administrator for the Vserver.
- [-hash-function <hashing function>] - Hashing Function
- This specifies the cryptographic hashing function for signing the certificate. The default is SHA256. Possible values include SHA1, SHA256 and MD5.
- [-key-usage <Certificate key usage extension>, ...] - Key Usage Extension
- Use this parameter to specify the key usage extension values. The default values are: digitalSignature, keyEncipherment. Possible values include:
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
- keyAgreement
- keyCertSigning
- cRLSigning
- encipherOnly
- decipherOnly
- [-extended-key-usage <Certificate extKeyUsage extension>, ...] - Extended Key Usage Extension
- Use this parameter to specify the extended key usage extension values. The default values are: serverAuth, clientAuth. Possible values include:
- serverAuth
- clientAuth
- codeSigning
- emailProtection
- timeStamping
- OCSPSigning
- [-rfc822-name <mail address>, ...] - Email Address SAN
- Use this parameter to specify the Subject Alternate Name extension - a list of rfc822-names (email addresses).
- [-uri <text>, ...] - URI SAN
- Use this parameter to specify the Subject Alternate Name extension - a list of URIs.
- [-dns-name <text>, ...] - DNS Name SAN
- Use this parameter to specify the Subject Alternate Name extension - a list of DNS names.
- [-ipaddr <IP Address>, ...] - IP Address SAN
- Use this parameter to specify the Subject Alternate Name extension - a list of IP addresses.
Examples
This example creates a certificate-signing request with a 2048-bit RSA private key generated by the SHA256 hashing function for use by the Engineering group in IT at a company whose custom common name is www.example.com, located in Durham, NC, USA. The email address of the contact administrator who manages the Vserver is web@example.com. The request also specifies the subject alternative names, key-usage and extended-key-usage extensions.
cluster-1::> security certificate generate-csr -common-name www.example.com
-algorithm RSA -hash-function SHA256 -security-strength 128
-key-usage critical,digitalSignature,keyEncipherment -extended-key-usage serverAuth,clientAuth
-country US -state NC -locality Durham
-organization IT -unit Engineering -email-addr web@example.com
-rfc822-name example@example.com -dns-name shop.example.com,store.example.com
Certificate Signing Request :
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Private Key :
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Note: Please keep a copy of your certificate request and private key for future
reference.
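The parameter rules above can be checked before a command is run. The following is an added example, not NetApp code: a small linter that applies this page's constraints (common-name character set, the deprecated -size option, the security-strength table and its FIPS restriction) to a generate-csr command line. The names `parse_options` and `lint` are hypothetical, and treating MD5 and SHA1 as weak is an assumption added here, not a statement from the page.

```python
import re
import shlex

# Values below are copied from the parameter descriptions on this page.
KEY_BITS = {112: {"RSA": 2048, "EC": 224},
            128: {"RSA": 3072, "EC": 256},
            192: {"RSA": 4096, "EC": 384}}
FIPS_STRENGTHS = {112, 128}
CN_ALLOWED = re.compile(r"[A-Za-z0-9*._-]+")
# Assumption added here, not from the page: MD5 and SHA1 are collision-weak.
WEAK_HASHES = {"MD5", "SHA1"}
# Abridged from the page's example, plus a constructed weak command.
PAGE_CMD = ("security certificate generate-csr -common-name www.example.com "
            "-algorithm RSA -hash-function SHA256 -security-strength 128")
WEAK_CMD = ('security certificate generate-csr -common-name "web server" '
            "-size 1024 -hash-function MD5")


def parse_options(command):
    """Map '-name value' pairs that follow 'generate-csr' to a dict."""
    tokens = shlex.split(command)
    start = tokens.index("generate-csr") + 1
    return {tokens[i].lstrip("-"): tokens[i + 1]
            for i in range(start, len(tokens) - 1, 2)}


def lint(command, fips=False):
    """Return findings for one generate-csr command line (empty list = clean)."""
    opts, findings = parse_options(command), []
    algorithm = opts.get("algorithm", "RSA").upper()   # page default: RSA
    if algorithm not in ("RSA", "EC"):
        findings.append("algorithm must be RSA or EC")
    if "common-name" in opts and not CN_ALLOWED.fullmatch(opts["common-name"]):
        findings.append("common-name has unsupported characters")
    if "size" in opts:
        findings.append("-size is deprecated; use -security-strength")
        if "security-strength" in opts:
            findings.append("-size and -security-strength are alternatives")
        if int(opts["size"]) < KEY_BITS[112]["RSA"]:
            findings.append("key size gives less than 112 bits of strength")
    if "security-strength" in opts:
        strength = int(opts["security-strength"])
        if strength not in KEY_BITS:
            findings.append("security-strength must be 112, 128 or 192")
        elif fips and strength not in FIPS_STRENGTHS:
            findings.append("FIPS mode allows only 112 or 128")
    if opts.get("hash-function", "SHA256").upper() in WEAK_HASHES:
        findings.append("hash function is collision-weak; use SHA256")
    return findings
```

`lint(PAGE_CMD)` returns an empty list, while `lint(WEAK_CMD)` reports the unsupported common name, the deprecated and undersized -size value, and the MD5 hash.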