Generate CSR: Apache (w/OpenSSL, MODSSL, or ApacheSSL)

Follow these instructions to generate a Private Key and CSR.

You must have OpenSSL installed on your server. OpenSSL is a free, open-source tool, used from the command-line, to generate CSR's, private keys, and other cryptographic functions. In most cases OpenSSL is already installed on your operating system. To verify that you have OpenSSL installed type openssl --help from the command line. If the shell returns command not found OpenSSL is either not installed or you are not authorized to use that command. If OpenSSL is not installed on your system you may need to download OpenSSL.

1. Create an RSA private key for your Apache server PEM-formatted: openssl genrsa -out domainname.key 2048
   Warning: Make a backup copy of this key.

   Tip: The 2048 in the command above is the key bit length. GeoTrust recommends a key bit length of 2048.

   Tip: Your private key will be created in the current directory unless otherwise specified. The private key needs to end up in the /etc/httpd/conf/ssl.key directory if you installed Apache using the RPM or /usr/local/apache/conf/ssl.key directory if you installed Apache using the source files. You can copy the private key to the proper directory or move into that directory before executing the openssl commands. Please note that 'ssl.key' is a directory that contains your 'domainname.key' file. When your GeoTrust SSL certificate is delivered it will need to be copied to /etc/httpd/conf/ssl.crt or /usr/local/apache/conf/ssl.crt directory.

2. Now create a Certificate Signing Request (CSR) using the RSA private key created above: openssl req -new -key domainname.key -out domainname.csr
3. You will be asked for several pieces of info which will be used by GeoTrust to create your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization, country, key bit length, etc. Use the CSR Legend in the right-hand column of this page to guide you when asked for this information. The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
4. You will be prompted for extra attributes (i.e., a challenge password and optional company name); we recommend you leave these attributes empty (just hit Enter).
5. You can verify the contents of your CSR by using the following command: openssl req -noout -text -in domainname.csr
6. Save a copy of your CSR. The CSR will be needed during the online order process. You'll be asked to copy-and-paste your CSR into a special CSR box.
   
   Below is an example of what your CSR will look like. This is a example only and cannot be used to generate your SSL certificate.
   -----BEGIN CERTIFICATE REQUEST----- MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAw DgYDVQQHEwdBdGxhbnRhMREwDwYDVQQKEwhHZW9DZXJ0czEaMBgGA1UECxMRSW5l cm5ldCBNYXJrZXRpbmcxGTAXBgNVBAMTEHd3dy5nZW9jZXJ0cy5jb20xITAfBgkq hkiG9w0BCQEWEmFkbWluQGdlb2NlcnRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEA5KOi+RnRzBuBQeFYjrwZg1sfT7zr4L8j0Khuoj621x+lGBmFC76c kGclUIQBmuyp9T9NrNqAjGtEmgdFr6cWLJtgXgi+BaZDLX9BMYF49NuTggNoEUMX crQRAENHb2YthG2SEcF5p98RNcDPzWOA3a4AMvgkxDlDGYUhbcQhnt0CAwEAAaAA MA0GCSqGSIb3DQEBBAUAA4GBAIapt6Tw0BTYUwEAX0/oKvaaN/ghErR85jdW7xOD b1hL0yNfb495A7e/IQyBEP5a/v+QUOtibHS4geiPhH9etAI+DSQmctjbf6dMGJql gCXGwlsTbjPOSmNT+/X2Uvf1BlplwqAMDghEuFHsjshlypz1NEg94ri2K9N1VrBs
+iAv
-----END CERTIFICATE REQUEST-----