Generate CSR Instructions: Apache (w/OpenSSL, MODSSL, or ApacheSSL)

Follow these instructions to generate a Private Key and CSR for your Web site.

You must have OpenSSL installed on your server. OpenSSL is a free, open-source command-line tool used to generate CSRs and private keys and to perform other cryptographic functions. In most cases OpenSSL is already installed on your operating system. To verify that OpenSSL is installed, type "openssl --help" at the command line. If the shell returns 'command not found', OpenSSL is either not installed or you are not authorized to use that command. If OpenSSL is not installed on your system, you may need to download OpenSSL.

If you have not already set up a secure virtual host or would like to learn more about SSL, refer to Building a Secure RedHat Apache Server How-To.

Note: The examples below use the following naming conventions: "Your Private Key" = "domainname.key"; "Your Web Server Certificate" = "domainname.crt".

  1. Create an RSA private key for your Apache server, encrypted with triple-DES and in PEM format:
        openssl genrsa -des3 -out domainname.key 1024
    You will be prompted to enter and re-enter a pass phrase.
    Warning: Back up this key and its passphrase.
    Tip: If you choose to use triple-DES encryption, you will be prompted for the password each time you start the SSL server from a cold start. (When using the restart command, you will not be prompted for the password.) Some of you may find this password prompt to be a nuisance, especially if you need to boot the system during off-hours. Or, you may believe that your system is already sufficiently secure. So, if you choose not to have a password prompt (hence no triple-DES encryption), use the command in step 2 below.
    Tip: Your private key will be created in the current directory unless otherwise specified. The private key needs to end up in the /etc/httpd/conf/ssl.key directory if you installed Apache using the RPM or /usr/local/apache/conf/ssl.key directory if you installed Apache using the source files. You can copy the private key to the proper directory or move into that directory before executing the openssl commands. Please note that 'ssl.key' is a directory that contains your 'domainname.key' file. When your GeoTrust SSL certificate is delivered it will need to be copied to /etc/httpd/conf/ssl.crt or /usr/local/apache/conf/ssl.crt directory.
  2. You could also create a private key without triple-DES encryption:
        openssl genrsa -out domainname.key 1024
    You can view the contents of the private key by using the following command:
        openssl rsa -noout -text -in domainname.key
    The private key text should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  3. Now create a Certificate Signing Request (CSR) using the RSA private key created above (output will be in PEM format):
        openssl req -new -key domainname.key -out domainname.csr
    Note: You will be prompted for your PEM passphrase if you included the "-des3" switch above.
  4. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ? , &

    CSR Input Fields

    | Field | Explanation | Example |
    |---|---|---|
    | Common Name (CN) (host name, FQDN, etc.) | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.domain.com, then your CSR's common name must be "www.domain.com". For https://secure.domain.com it must be "secure.domain.com". For just https://domain.com it must be just "domain.com". For https://owa.mailserver.net it must be "owa.mailserver.net". A Wildcard for https://sub.primary-domain.com must be "*.primary-domain.com". The asterisk must be included for Wildcard CSRs. |
    | Organization (O) | The exact legal name of your organization. Do not abbreviate your organization name. | Metro Realty LLC or Flowers by Jenny |
    | Organizational Unit (OU) | Section of the organization | Sales Division or IT or Marketing |
    | City or Locality (L) | The city where your organization is legally located. Cannot be abbreviated. | Boston |
    | State (S) or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts |
    | Country (C) | The two-letter ISO abbreviation for your country. | US, CA, GB (must be two letters) |
    | Email | Any email address. This field is arbitrary but must be filled in. GeoTrust will not use this email address to process your order. | user@domain.com |
    | Key Bit Length | The key bit length has to do with the initial key exchange, not the encryption strength of your certificate. GeoTrust recommends a key bit length of at least 1024. | |
  5. You will be prompted for extra attributes (i.e., a challenge password and optional company name); we recommend you leave these attributes empty (just hit Enter).
  6. You can verify the contents of your CSR by using the following command:
        openssl req -noout -text -in domainname.csr
  7. Save a copy of your CSR. The CSR will be needed during the purchase process. You'll be asked to copy-and-paste your CSR into a special CSR box.

    Your CSR will begin with -----BEGIN CERTIFICATE REQUEST----- and end with -----END CERTIFICATE REQUEST-----.
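
Steps 2, 3 and 6 as a non-interactive script that checks its own output (an added example, not part of the original instructions). It uses 2048 bits rather than the 1024 shown above, because publicly trusted CAs no longer accept RSA keys shorter than 2048 bits. The function names are hypothetical, and the subject values are constructed samples taken from the field table.

```sh
#!/bin/sh
# Added example, not from the original page. Subject values are constructed
# samples from the page's field table; file names follow its naming convention.

# Fail if a field contains any character the page lists as not accepted.
# "/" matters doubly here because -subj uses it as the field separator.
field_ok() {
    ! printf '%s' "$1" | grep -q '[<>~!@#$%^/\()?,&]'
}

# make_csr BASENAME COMMON_NAME: steps 2 and 3 without interactive prompts.
make_csr() {
    base=$1; cn=$2
    field_ok "$cn" || { echo "rejected character in CN: $cn" >&2; return 1; }
    # umask 077 keeps the unencrypted key readable by its owner only.
    # OpenSSL 3.x writes the key as PKCS#8 (BEGIN PRIVATE KEY); req accepts both.
    ( umask 077; openssl genrsa -out "$base.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$base.key" -out "$base.csr" \
        -subj "/C=US/ST=Massachusetts/L=Boston/O=Metro Realty LLC/OU=IT/CN=$cn"
}

# Step 6 as checks that can gate a script instead of being read by eye.
csr_cn() {
    openssl req -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p'
}
csr_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_signature_ok() {
    openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK'
}
# The CSR must carry the public half of the key that stays on the server.
csr_matches_key() {
    from_key=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    from_csr=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

if [ "$#" -ge 1 ]; then
    make_csr domainname "$1" &&
        csr_signature_ok domainname.csr &&
        csr_matches_key domainname.key domainname.csr &&
        echo "CN=$(csr_cn domainname.csr) bits=$(csr_bits domainname.csr)"
fi
```

Run it with the host name as the only argument, for example `sh make_csr.sh www.domain.com`; it writes domainname.key and domainname.csr in the current directory.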