Generating a Certificate Signing Request (CSR) is a required step for obtaining an SSL certificate from a Certificate Authority (CA), and it trips up many people who are not familiar with the command-line steps involved. The volume of live chats, calls and email support requests that CAs receive from users stuck at this stage shows that the problem is common and worth addressing.
In this post, Mr. Jim Armstrong, a Web security specialist at RapidSSLOnline, explains how to generate a Certificate Signing Request on Apache + mod_ssl + OpenSSL servers for submission to major Certificate Authorities such as Symantec, GeoTrust, Thawte, and RapidSSL. Creating a CSR means generating an RSA key pair: the private key stays on your server, and the public key is embedded in the CSR together with your organization's details, as shown below.
Generating the Private Key
The openssl command-line utility, which ships with every OpenSSL package, is normally used to generate both the private key and the CSR. It is typically installed at /usr/local/ssl/bin; if your OpenSSL is installed somewhere else, adjust the path (or make sure that directory is on your PATH) before running the commands below. To generate the private key, enter the following command at the prompt:
openssl genrsa -des3 -out www.myhostname.com.key 2048
This produces a 2048-bit RSA private key and stores it in the file www.myhostname.com.key (replace the host name with your own). CAs require an RSA key of at least 2048 bits; a CSR built on a shorter key will be rejected.
When prompted for a pass phrase, choose a strong one (a long mix of letters, numbers and symbols). The pass phrase encrypts the private key on disk, so a copy of the key file alone is useless to anyone who steals it; it does nothing for the certificate itself, which is public. Be aware that an encrypted key means Apache will ask for the pass phrase every time it starts, unless you configure mod_ssl's SSLPassPhraseDialog to supply it.
Note: The pass phrase requirement can be avoided by omitting the -des3 option when generating the private key, but the key is then stored in plain text. If you choose to leave the private key unencrypted, it is strongly recommended that only authorized server administrators can log in to the server and that the key file is readable only by them (for example owned by root with mode 0600).
Generating the Public key and CSR
Enter the following command at the prompt (you will be asked for the key's pass phrase if you set one):
openssl req -new -key www.myhostname.com.key -out certrequest.csr
If you are using OpenSSL on a Windows server it may not find its configuration file automatically; point it at the openssl.cnf shipped with Apache:
openssl req -new -key www.myhostname.com.key -config "C:\Apache Software Foundation\Apache2.2\conf\openssl.cnf" -out certrequest.csr
This should be followed by filling mandatory information of the organization, which includes:
- Country Name: The two-letter ISO 3166-1 code of the country, without punctuation (e.g. US, GB; note that GB, not UK, is the ISO code for the United Kingdom).
- State or Province: The complete state or province name, not an abbreviation (e.g. New York, not NY).
- Locality or City: The city or town name, not an abbreviation.
- Company: Your legal organization name. If the name contains a symbol such as &, @, or *, spell the symbol out (e.g. AB & C Corporation becomes AB and C Corporation).
- Organizational Unit: An optional field that can be skipped by pressing Enter; if filled in (for example with a department name), it is checked by the CA as additional validation information.
- Common Name: The fully qualified host name exactly as visitors will type it in the browser (e.g. www.myhostname.com). For a wildcard certificate, use *.myhostname.com. Leave the optional "challenge password" and "optional company name" prompts that follow empty.
Your key pair is now complete. The private key (www.myhostname.com.key) stays on the server, is used by Apache during the TLS handshake, and must never be sent to anyone, including the CA. The CSR (certrequest.csr) contains your public key and the identifying information entered above, signed with the private key, and is the file you submit to the CA for certificate enrollment (for a wildcard certificate the Common Name in the CSR is the *.myhostname.com form).
Note: To copy and paste the CSR into the enrollment form, open certrequest.csr in Notepad or vi (or save it as a .txt file) and copy its entire contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. Do not use Microsoft Word: it inserts hidden formatting characters that alter the contents of the CSR and render it useless.
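The whole procedure above in one script, as an added example that is not part of the original post: it generates the encrypted private key and the CSR without interactive prompts, then runs the checks a practitioner does before pasting the CSR into a CA form (the CSR's own signature verifies, its public key matches the private key, the Common Name and key size are what was intended). It assumes OpenSSL 1.1.1 or newer on the PATH (older releases lack -addext); the host name www.myhostname.com, the DN values, the working directory and the sample pass phrase are made up for illustration. It uses -aes256 rather than the post's -des3, which OpenSSL also accepts, and adds a subjectAltName because browsers match host names against SANs and ignore the CN.

```shell
#!/bin/sh
# Added example, not from the original post: generate the private key and CSR
# for www.myhostname.com non-interactively, then run the checks worth doing
# before pasting the CSR into a CA enrollment form.
# Assumptions: OpenSSL 1.1.1 or newer on PATH (needed for -addext). The host
# name, DN values, directory and pass phrase below are made up for illustration.
set -u

HOST="www.myhostname.com"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/$HOST.key"
CSR="$WORKDIR/certrequest.csr"
PASSFILE="$WORKDIR/passphrase.txt"

# 2048-bit RSA key, encrypted with AES-256 (the post uses -des3; AES is the
# stronger choice and OpenSSL accepts both). The pass phrase is read from a
# file that only this user can read, so it never appears on the command line
# or in shell history. umask 077 inside the subshell makes the key file 0600.
gen_key() (
    umask 077
    printf '%s\n' 'correct horse battery staple' > "$PASSFILE"   # constructed sample pass phrase
    openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$KEY" 2048 2>/dev/null
)

# CSR with the DN fields the post describes, passed via -subj so nothing is
# prompted. Note the ampersand spelled out in the organization name and the
# two-letter ISO country code. The subjectAltName extension is added because
# browsers match the host name against SANs and ignore the CN.
gen_csr() {
    openssl req -new -key "$KEY" -passin "file:$PASSFILE" \
        -subj "/C=US/ST=New York/L=New York/O=AB and C Corporation/OU=Web Operations/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:myhostname.com" \
        -out "$CSR"
}

# Pre-enrollment checks: the CSR's self-signature verifies, its public key
# really belongs to our private key (same RSA modulus), the CN is the one we
# intended, and the key is 2048 bits. Returns 0 only when all four hold.
verify_csr() {
    openssl req -noout -verify -in "$CSR" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" -passin "file:$PASSFILE") || return 1
    csr_mod=$(openssl req -noout -modulus -in "$CSR") || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ] || return 1
    openssl req -noout -subject -in "$CSR" | grep -q "CN *= *$HOST" || return 1
    openssl req -noout -text -in "$CSR" | grep -q 'Public-Key: (2048 bit)' || return 1
}

# End to end: returns 2 if openssl is missing, 1 if any step or check fails.
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; return 2; }
    gen_key && gen_csr && verify_csr || { echo "key/CSR generation or check failed" >&2; return 1; }
    echo "CSR ready for enrollment: $CSR (private key stays in $KEY)"
    openssl req -noout -subject -in "$CSR"
}

main
```

Run it with sh and it prints the path of the finished CSR and its subject; inspect everything the CA will see with openssl req -text -noout -in certrequest.csr. The modulus comparison is the check that catches the most common enrollment failure, a CSR generated from a different key than the one installed in Apache. Move the key to its final location with its 0600 permissions intact and delete the pass phrase file once Apache (or SSLPassPhraseDialog) has been configured.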