To generate your CSR, you will need to log into your server and use the OpenSSL software to generate a CSR and private key.
1. Log into your server and enter the following command:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This creates two files:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This creates two files:
•CSR called server.csr
•The file myserver.key contains a private key.
•The file myserver.key contains a private key.
Do not disclose this file to anyone.
2. It is recommended to backup the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR)3. You will now be asked to enter details to be entered into your CSR
-
Field Example Country Name (2-letter code) [AU] GB State or Province Name (full name) [Some-State] Yorks Locality Name (city) [] York Organization Name (company) [Internet Widgits Pty Ltd]: MyCompany Ltd Organizational Unit Name (section) [ ] IT Common Name (domain name of website) [ ] mysubdomain.mydomain.com Email Address [ ] help@webmailhelp.com
Please enter the following 'extra' attributes to be sent with your certificate request:
The fields email address, optional company name and challenge password can be left blank for a web server certificate.
4. Your CSR will now have been created
-subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"
Note 1: If the "-nodes" is inputted, the key will not be encrypted with a DES pass phrase.
Note 2: The myserver.key file should be kept secure, such as readable only by root on Linux systems. Removing the -nodes option from the openssl command will request a password and encrypt the private key. This can increase security, but note that the password will be required each time Apache is restarted.
- A challenge password
- An optional company name
- The CN field or Common Name is where you should enter the fully qualified domain name of the website, which requires the certificate
The fields email address, optional company name and challenge password can be left blank for a web server certificate.
4. Your CSR will now have been created
5. Open the server.csr in a text editor and copy and paste the contents into the online enrollment form when requested. Alternatively one may issue the following command:
openssl req -nodes -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr-subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"
Note 1: If the "-nodes" is inputted, the key will not be encrypted with a DES pass phrase.
Note 2: The myserver.key file should be kept secure, such as readable only by root on Linux systems. Removing the -nodes option from the openssl command will request a password and encrypt the private key. This can increase security, but note that the password will be required each time Apache is restarted.