To generate a Certificate Signing Request (CSR), a key pair must be created for the server. These two items are a public key and a private key pair and cannot be separated. Apache SSL is a very custom environment and your system may differ. Below are generalized instructions. The utility “openssl” is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have a custom installation, you will need to adjust these instructions appropriately.
To generate a CSR on Apache (OpenSSL/Nginx/ModSSL) perform the following.
Step 1: Generating your private key pair:
- On the Apache system type the following command at the prompt.
openssl genrsa -des3 -out privatekeyfilename.key 2048
Example:
Note: If you do not wish to use a Pass Phrase, do not use the -des3 command. It will however leave the private key unprotected.
Step 2: Generating your CSR:
- Type the following command at the prompt.
Note: If using openSSL on Windows, you may need to specify the path to openssl.cnf such as the following: openssl req -new -key privatekeyfilename.key -config “c:\Apache Software Foundation\Apache2.2\conf\openssl.cnf” -out csrfilename.csropenssl req -new -key privatekeyfilename.key -out csrfilename.csr
- Specify the Requested information as it pertains to your organization and system:
- Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts
- Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate. For example: Saint Louis, not St. Louis
- Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
- Common Name: The fully-qualified domain name, or URL, you’re securing. for example “www.domain.com”. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.domain.com.
- Note: You might be prompted to associate a password for your CSR. Leave this blank and press Enter. Associating a password with your CSR will encrypt it and will cause issues with enrollment.Example:
A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server (remember its location and name as it will be required for Installation). The public portion, in the form of a csr (request.csr), will be used enrollment.
Your private key pair has now been created on this system. Your CSR request has been created and is ready for you to copy and paste its contents into the enrollment portal.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
For Apache installation instructions click here.
Apache/ModSSL Support:
For more information refer to ApacheSSL, ModSSL