Generate CSR: Apache (w/OpenSSL, MODSSL, or ApacheSSL)
Follow these instructions to generate a Private Key and CSR.
You must have OpenSSL installed on your server. OpenSSL
is a free, open-source command-line toolkit used to generate
private keys and CSRs and to perform other cryptographic operations. In most cases
OpenSSL is already installed on your operating system. To verify that
you have OpenSSL installed, type openssl version from the command
line; it should print the release you have (use a currently supported release).
If the shell returns command not found, OpenSSL is either not
installed or you are not authorized to use that command. If OpenSSL
is not installed on your system you may need to
download OpenSSL.
Note: The examples below use the following naming conventions: "Your
Private Key" = "domainname.key"; "Your Web Server Certificate" = "domainname.crt".
- Create an RSA private key for your Apache server, encrypted with a passphrase
and PEM-formatted:
openssl genrsa -aes256 -out domainname.key 2048
You will be prompted to enter and re-enter a pass phrase. Please read the first tip
below before you issue this command. Use a key of at least 2048 bits: public CAs no longer
accept 1024-bit RSA keys. (Older instructions use the -des3 switch, which OpenSSL still
accepts; -aes256 protects the key file with AES instead of triple-DES and is the better choice today.)
Warning: Back up this key and its passphrase. If the private key is lost, the certificate issued for it is useless, and the CA cannot recover the key for you.
Tip: If you encrypt the key with a passphrase, you
will be prompted for it each time you start your web server
from a cold start. (When using the restart command, you will not be prompted, because the running parent process already holds the decrypted key in memory.)
Some of you may find this password prompt to be a nuisance, especially
if the system must boot unattended during off-hours. Or, you may believe
that your system is already sufficiently secure. So, if you choose
not to have a password prompt (and hence no encryption of the key file), use the command in step 2 below.
An unencrypted key is protected only by file permissions, so it must be readable by root alone (mode 0600).
Tip: Your private key will be
created in the current directory unless otherwise specified.
The private key needs to end up in the /etc/httpd/conf/ssl.key directory if you
installed Apache using the RPM, or the /usr/local/apache/conf/ssl.key directory if you installed
Apache using the source files. You can copy the private key to the proper directory
or move into that directory before executing the openssl commands. Please note that 'ssl.key'
is a directory that contains your 'domainname.key' file. Make the file readable only by root
(chmod 600 domainname.key) and never place it under a directory Apache serves. When
your GeoTrust SSL certificate is delivered it will need to be copied
to the /etc/httpd/conf/ssl.crt or /usr/local/apache/conf/ssl.crt directory.
- You could also create a private key without passphrase encryption:
openssl genrsa -out domainname.key 2048
You can view the decoded contents of the private key (modulus, exponents and primes) with:
openssl rsa -noout -text -in domainname.key
Add the -check switch to have OpenSSL verify the key's arithmetic consistency as well.
The key file itself is PEM text that begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.
Recent OpenSSL releases write the PKCS#8 form instead, which begins with -----BEGIN PRIVATE KEY-----
(or -----BEGIN ENCRYPTED PRIVATE KEY----- when a passphrase is set); Apache accepts either form.
- Now create a Certificate Signing Request (CSR) using the RSA private
key created above (output will be PEM format):
openssl req -new -key domainname.key -out domainname.csr
* Note: You will be prompted for the PEM passphrase if you encrypted
the key in step 1.
- You will be asked for several pieces of information which will be used by GeoTrust to create
your new SSL certificate: the Common Name (the site's fully qualified domain name), organization,
organizational unit, locality, state or province, country and email address. Use the CSR Legend
in the right-hand column of this page to guide you when asked for this information. (The key bit
length is not asked for here; it was fixed when you generated the key in step 1.) The following
characters should not be used in the name fields of your CSR: < > ~ ! @ # $ % ^ / \ ( ) ? , &
- You will be prompted for extra attributes (i.e., a challenge password and optional company name); we
recommend you leave these attributes empty (just hit Enter).
- You can verify the contents of your CSR by using the following command:
openssl req -noout -text -in domainname.csr
- Save a copy of your CSR. The CSR will be needed during the online order
process. You'll be asked to copy-and-paste your CSR into a special CSR box; paste the
whole file, including the BEGIN and END lines. The CSR contains only your public key and
the names you entered, so it is not secret, but the .key file it was made from must never be sent to anyone.
Below is an example of what your CSR will look like. This
is a example only and cannot be used to generate your SSL certificate.
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
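The whole procedure above, as an added example that is not part of the GeoTrust page: a POSIX shell script that generates the 2048-bit key and the CSR non-interactively, then performs the checks an operator should run before pasting the CSR into an order form (key/CSR modulus match, key size, Common Name, and a CSR self-signature verify). It goes one step beyond the interactive prompts by putting the subject fields in an openssl req config file and adding a subjectAltName for the host, which is how browsers actually match a certificate to a name. The domain, organization values and the file names are placeholders; the functions that add and remove a key passphrase use AES-256 and read the passphrase from an environment variable, which is an assumption of this example, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not from the GeoTrust page). Requires only the openssl CLI.
set -eu

# Generate a 2048-bit RSA key and a CSR for host $1 in directory $2.
# Subject fields (placeholder values from the CSR Legend) come from a
# config file instead of the interactive prompts; a subjectAltName is
# added so the CSR names the host the way browsers match it. Prints the CSR path.
gen_key_and_csr() {
    domain=$1
    dir=$2
    key="$dir/$domain.key"
    csr="$dir/$domain.csr"
    cfg="$dir/$domain.cnf"
    cat > "$cfg" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = Georgia
L  = Atlanta
O  = Metro Realty LLC
OU = Sales
CN = $domain

[ v3_req ]
subjectAltName = DNS:$domain
EOF
    # Files are created mode 0600 so the unencrypted key is never world-readable.
    umask 077
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -config "$cfg" -out "$csr"
    echo "$csr"
}

# Wrap an unencrypted key ($1) with AES-256 into $2, passphrase from $KEY_PASS.
protect_key() {
    umask 077
    openssl rsa -aes256 -in "$1" -out "$2" -passout env:KEY_PASS 2>/dev/null
}

# Reverse of protect_key: write the plaintext key so Apache can start unattended.
unprotect_key() {
    umask 077
    openssl rsa -in "$1" -out "$2" -passin env:KEY_PASS 2>/dev/null
}

# Succeeds only if the CSR ($2) was made with private key $1 (same RSA modulus).
csr_matches_key() {
    key_mod=$(openssl rsa -noout -modulus -in "$1")
    csr_mod=$(openssl req -noout -modulus -in "$2")
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Key size recorded in the CSR, e.g. 2048.
csr_key_bits() {
    openssl req -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Common Name from the CSR subject; RFC 2253 output looks the same across releases.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Subject Alternative Name entries, e.g. "DNS:www.example.com".
csr_san() {
    openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: ./mkcsr.sh www.example.com [outdir]
if [ "${1:-}" != "" ]; then
    out=${2:-.}
    csr=$(gen_key_and_csr "$1" "$out")
    csr_matches_key "$out/$1.key" "$csr" || { echo "key/CSR mismatch" >&2; exit 1; }
    echo "CSR: $csr  CN=$(csr_cn "$csr")  bits=$(csr_key_bits "$csr")  SAN=$(csr_san "$csr")"
    openssl req -noout -text -in "$csr"
fi
```

Run it with the host name as the first argument; the final openssl req -text call prints the decoded CSR exactly as the verification step above does, so you can confirm every field before ordering. The modulus comparison is the check to keep: a CSR made from a different key than the one Apache loads produces a certificate that the server will refuse to use.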
CSR Legend
When generating your CSR you will be asked to input
a few pieces of info. Below are some common fields with descriptions and examples.
(also see About the CSR)
Common Name (CN)
The fully-qualified-domain name for your certificate. Examples include...
- www.domain.com
- owa.domain.net
- secure.domain.ca
- *.domain.com (for wildcard SSL)
Organization (O)
The exact legal name of your organization. Do not abbreviate your
organization's name. Example: Metro Realty LLC or Flowers by Jenny
Organizational Unit (OU)
The section or division of the organization. Example: Sales, Support, Customer Service
City or Locality (L)
The city where your organization is legally located. Cannot be
abbreviated. Example: Atlanta
State or Province (ST)
The state or province where your organization is legally located. Cannot
be abbreviated. Example: Georgia
Country (C)
The two-letter ISO Country Code abbreviation for your country. Example: US, CA, GB (must be two-letters)
Email
Any email address. This field is arbitrary but must be filled in. GeoTrust
will not use this email address to process your order. Example: user@example.com
Key Bit Length
The key bit length is the size of the RSA key pair you generated in step 1. It determines how hard
that key is to break, which protects the authentication of your server and, when RSA key exchange is used,
the session keys; it is not the strength of the symmetric cipher used on the connection, which is negotiated
separately for each session. Use at least 2048 bits; public CAs no longer accept 1024-bit keys.