This article goes through the first step of creating and eventually installing an SSL certificate: generating a certificate signing request (CSR). You'll use the same steps whether you are getting a traditional SSL certificate from an authority like Verisign, a self-signed certificate or a '*' wildcard certificate. I'm taking most of the information from RapidSSL's support documentation, which is also a great place to buy a certificate. The Rackspace Cloud is not a certificate authority and does not resell SSL certificates, so you will need to go to a third-party provider and purchase a certificate using this CSR.
http://www.rapidssl.com/ssl-certificate-support/generate-csr/Apache2.htm
First, install OpenSSL on your server. It is a common package and is available on all of the major distros through their package installer. Here is how to check whether it is installed on a "Yum" style system:
# rpm -qa | grep -i openssl
The above command should return the following packages, or something similar:
openssl-0.9.8e-7.el5
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
If it didn't, you'll want to run the following:
# yum install openssl openssl-devel
Create an RSA key for your Apache server. Since every distro differs in where it places certificates, we are just going to put it in an arbitrary spot:
# mkdir ~/domain.com.ssl/
# cd ~/domain.com.ssl/
Type the following command to generate a private key.
# openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Type the following command to create a CSR with the RSA private key (output will be PEM format):
# openssl req -new -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters are not accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
| DN Field | Explanation | Example |
| Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you plan on getting a Wildcard certificate make sure to prefix your domain with a '*' ex. *.domain.com |
| Organization | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com |
| Organization Unit | Section of the organization | IT |
| City or Locality | The city where your organization is legally located. | Wellesley Hills |
| State or Province | The state or province where your organization is legally located. Can not be abbreviated. | Massachusetts |
| Country | The two-letter ISO abbreviation for your country. | US |
Do not enter extra attributes at the prompt.
Once the CSR has been created, you can display its contents with the following command:
# openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
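The key, CSR and verification steps above as one non-interactive script; this is an added example, not part of the original article. It passes the table's sample DN values through `-subj`, and the function names `make_csr` and `check_csr`, the paths and the host name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Paths and names are placeholders;
# the subject values are the sample values from the DN table above.

# make_csr DIR FQDN -> writes DIR/FQDN.key (2048-bit RSA) and DIR/FQDN.csr
make_csr() {
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1
    # umask 077 so the private key is never readable by other users.
    ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null ) || return 1
    # -subj fills in the DN fields without prompting (and without extra attributes).
    openssl req -new -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=US/ST=Massachusetts/L=Wellesley Hills/O=domain.com/OU=IT/CN=$fqdn"
}

# check_csr KEY CSR FQDN -> exit status 0 only if all three checks pass
check_csr() {
    key=$1; csr=$2; fqdn=$3
    # 1. The request's self-signature verifies. The exit status of -verify is
    #    not consistent across OpenSSL versions, so match the message instead.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The Common Name is an exact match for the host name being secured.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
    case "$subj," in
        *"CN=$fqdn,"*) ;;
        *) return 1 ;;
    esac
    # 3. The CSR carries the public half of this private key (same RSA modulus).
    csr_mod=$(openssl req -in "$csr" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 1
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Runs only when called with arguments, e.g.:
#   sh make_csr.sh ~/domain.com.ssl www.domain.com
if [ "$#" -ge 2 ]; then
    make_csr "$1" "$2" && check_csr "$1/$2.key" "$1/$2.csr" "$2" \
        && echo "CSR OK: $1/$2.csr"
fi
```

Only the `.csr` file goes to the certificate authority; the `.key` file stays on the server.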
From this point, take the CSR that you created here and submit it to a certificate authority. We recommend Verisign, Thawte and RapidSSL. There are also a number of other certificate authorities out there, so shop around.
Check out the next article in this series, Installing an SSL certificate.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

3 Comments
Can't get CSR
===============================
Generating a 2048 bit RSA private key
.......+++
.......+++
writing new private key to 'www_mydomain_com.key'
================================
And then it ends without giving me the CSR. Any ideas?
Re: csr
Try this tool to auto
http://tools.ssl.com