Generate a CSR with OpenSSL
This article will go through the first step of creating and eventually installing an SSL certificate. You'll use the same steps whether you are getting a traditional SSL from an authority like Verisign, a self signed certificate or the '*' Wildcard certificate. Most of the information I'm taking from RapidSSL's support documentation, which is also a great place to buy a certificate. The Rackspace Cloud is not a certificate authority and does not resell SSL certificates so you will need to go to a third party solution and purchase a certificate using this CSR.
What you'll need first is to install Openssl on your server, this is a common package and will be available on all of the major distros through their package installer. Here is how you check to see if it is installed in a "Yum" style system:
# rpm -qa | grep -i openssl
The above command should return the following packages, or something similar:
openssl-0.9.8e-7.el5 openssl-0.9.8e-7.el5 openssl-devel-0.9.8e-7.el5
If it didn't you'll want to run the following:
# yum install openssl openssl-devel
Generate the RSA key
Create a RSA key for your Apache server, since every distro is different in where to place the certificates, we are just going to place it in an arbitrary spot:
# mkdir ~/domain.com.ssl/ # cd ~/domain.com.ssl/
Type the following command to generate a private key.
# openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Create a CSR
Type the following command to create a CSR with the RSA private key (output will be PEM format):
# openssl req -new -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters can not be used for the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
|Common Name||The fully qualified domain name for your web server. This must be an exact match.||If you intend to secure the URL
|Organization||The exact legal name of your organization. Do not abbreviate your organization name.||domain.com|
|Organization Unit||Section of the organization||IT|
|City or Locality||The city where your organization is legally located.||Wellesley Hills|
|State or Province||The state or province where your organization is legally located. Can not be abbreviated.||Massachusetts|
|Country||The two-letter ISO abbreviation for your country.||US|
Do not enter extra attributes at the prompt.
- Warning: Leave the challenge password blank (press enter)
Verify your CSR
# openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
Submit your CSR
From this point you have to take your CSR that you created here and submit it to a certificate authority. Ones that we recommend are going to be Verisign, Thawte and RapidSSL. There are also a number of other certificate authorities out there, shop around.
Check out the next article in this line Installing an SSL certificate.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER