Generate a CSR with OpenSSL

This article will explain how you can create and install an SSL certificate. The same procedure applies in several different cases such as in case you are getting a traditional SSL from (e.g. Verisign), if you are using a self-signed certificate or the '*' Wildcard certificate.

Prerequisites

Make sure that the Openssl is installed on your server, this is a common package and will be available on all of the major distros through their package installer. In order to check if it is installed, issue the following command:

 # rpm -qa | grep -i openssl

The above command should return the following packages, or something similar:

openssl-0.9.8e-7.el5 openssl-0.9.8e-7.el5 openssl-devel-0.9.8e-7.el5

If that is not the case run the following:

 # yum install openssl openssl-devel 

Generate the RSA key

Create a RSA key for your Apache server, since every distro is different in where the certificate is placed, we are just going to place it in an arbitrary spot:

 # mkdir ~/domain.com.ssl/ # cd ~/domain.com.ssl/

Type the following command to generate a private key.

 # openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

Create a CSR

In order to create a CSR with the RSA private key, type the following (output will be PEM format):

 # openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr 
When creating a CSR you must follow certain conventions. Enter the information to be displayed in the certificate. The following characters can not be used for the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
 
DN Field Explanation Example
Common Name The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you plan on getting a wildcard certificate make sure to prefix your domain with an asterisk, example: *.domain.com.
Organization The exact legal name of your organization. Do not abbreviate your organization name. domain.com
Organization Unit Section of the organization IT
City or Locality The city where your organization is legally located. Wellesley Hills
State or Province The state or province where your organization is legally located. Can not be abbreviated. Massachusetts
Country The two-letter ISO abbreviation for your country. US
 

Do not enter extra attributes at the prompt.

  • Warning: Leave the challenge password blank (press enter)

Verify your CSR

 # openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr 
 

Submit your CSR

From this point you have to take your CSR that you created here and submit it to a certificate authority.


Was this article helpful?

mood_bad Dislike 0
mood Like 1
visibility Views: 4653