Generating a CSR using vCert

If you changed the settings of a certificate that you want to renew, you need to generate a new Certificate Signing Request (CSR) that contains the new settings. If you are already familiar and comfortable with generating CSRs, then generate a new one and paste it into the Certificate Signing Request box that you'll see during the renewal process.

If you're new to generating CSRs, we can walk you through it.

There are three easy steps:

The Venafi VCert utility and library is hosted on Venafi's Github page here.

  1. Run the executable file from the command line:

    Example  C:\Users|[username]\downloads>vcert_win_x64.exe

  2. Accept the End User License Agreement to continue.

  1. Enter the certificate's CSR requirements on the command line.

    Example  This Windows example uses the CSR requirements as shown in the screenshot above: vcert_win_x64 gencsr -cn "www.MyCompany.com" -o "My Company" -key-type rsa -key-size 2048 -ou "Mein Company" -l "Oakland" -st "California" -c US

    Option Description

    -o

    Use to specify the organization name (O).

    -ou

    Use to specify the organizational unit. (OU).

    -c

    Use to specify the country (C).

    -st

    Use to specify the state/province. (ST).

    -l

    Use to specify the locality (L).

    -no-prompt

    Use to indicate that the utility will not prompt you for input. This is useful for scripting.

    IMPORTANT  If this option is specified, vCert will not prompt you for a private key passphrase and your private key will not be encrypted.

    -san-email

    Use to specify one of more email Subject Alternative Name.

    Example: -san-email abc@abc.xyz

    -san-ip

    Use to specify one or more IP Address Subject Alternative Name.

    Example: -san-ip 1.1.1.1

    -verbose

    Use to increase the level of logging detail, which is helpful when troubleshooting issues.

    -key-size

    Use to specify the key size. vCert can generate 1024, 2048, or 4096-bit RSA keys.

    Example: -key-size 2048

    -key-type

    Use to specify the key type.

    Example: -key-type rsa

    -key-password

    Use to specify a password for encrypting the private key. For a non-encrypted private key, specify -no-prompt without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file.

    Example: -key-password file:/Temp/mypasswords.txt

    -key-file

    Use to specify a file name and a locaiton where the resulting key file should be written. Example: /tmp/newkey.pem

    -csr-file

    Use to specify a file name and a location where the resulting CSR file should be written. Example: /tmp/newcsr.pem

    -h

    Use to show help text.

  2. When asked to enter a key pass phrase, enter something that you'll remember. The pass phrase will be used to encrypt the private key.

    The result will look something like this:

  1. Copy everything starting with – - - - -Begin Certificate Request– - - - - through – - - - -End Certificate Request– - - - -.

  2. Paste it in the Certificate Signing Request field.

  3. Click Next.