Tuesday, July 30, 2013

Generating a Certificate Signing Request (CSR) using Apache (with mod_ssl) & OpenSSL

To generate your CSR, you will need to log in to your server and use the OpenSSL software to generate a CSR and private key.
  1. Log in to your server, and enter the following command:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This will generate two files: a CSR called 'server.csr' and a 2048-bit private key called 'myserver.key'.
  2. You will be prompted to enter some information for your CSR:

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
The 'CN' field (Common Name) is where you should enter the fully qualified domain name of the website you require the certificate for.
Note: for wildcard certificates, the Common Name should be in the format: *.mydomain.com
  3. Your CSR is now generated. Open the 'server.csr' file with a text editor and copy and paste the contents into the enrollment form when requested.
Notes:
The 'myserver.key' file should be kept secure (e.g. readable only by root on Linux systems).

Removing the '-nodes' option from the openssl command will request a password and encrypt the private key. This can increase security, but note that the password will be required each time Apache is restarted.

EV certificates require a minimum key size of 1024 bits if valid before 2011, and 2048 bits if valid into 2011. We recommend that a 2048-bit key size is the minimum used for all certificates.

The two-letter 'Country Name' field must be the ISO-3166 standard country code. Please note that 'GB' is correct for Great Britain, not 'UK'. A complete list can be found here:
http://www.iso.org/iso/country_codes.htm
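The steps above run non-interactively, followed by the checks worth making before the CSR is pasted into an enrollment form, and the encrypted-key variant from the notes. This is an added example, not a script from the original post; it assumes the openssl binary is in PATH, and the file names, subject fields and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): CSR generation with -subj so no
# prompts appear, plus the checks a practitioner runs before submitting the CSR.
# Assumes openssl is in PATH. File names, subject values and the passphrase are
# constructed for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/myserver.key"
CSR="$WORK/server.csr"
ENCKEY="$WORK/myserver-encrypted.key"
# The same fields the interactive prompts ask for, in -subj form.
SUBJ="/C=GB/ST=Yorks/L=York/O=MyCompany Ltd/OU=IT/CN=mysubdomain.mydomain.com"

# Steps 1 and 2 of the post in one command: 2048-bit RSA key plus CSR.
# umask 077 makes the key file owner-readable only from the moment it is created.
gen_csr() {
    (umask 077 && openssl req -nodes -newkey rsa:2048 \
        -keyout "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null)
}

# The variant from the notes: drop -nodes and encrypt the key. The passphrase
# is given on the command line only so this example runs unattended.
gen_encrypted_key() {
    (umask 077 && openssl genrsa -aes256 -passout pass:example-only \
        -out "$ENCKEY" 2048 2>/dev/null)
}

# Returns 0 if the PEM file carries an ENCRYPTED marker (Apache would prompt
# for the passphrase at every restart with such a key).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Common Name recorded in the CSR; handles both "CN=x" and "CN = x" output styles.
csr_cn() {
    openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Modulus size of the private key in bits (the post recommends at least 2048).
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# A CSR is signed with its own key; -verify checks that self-signature.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# The CSR must carry the modulus of the key that will be installed with the
# certificate; compare the two so the wrong key is never kept.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$CSR" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Permission string of the key file, e.g. -rw------- for owner-only access.
key_mode() {
    ls -l "$KEY" | cut -c1-10
}

gen_csr
gen_encrypted_key
echo "CN:          $(csr_cn)"
echo "key bits:    $(key_bits)"
echo "key mode:    $(key_mode)"
csr_signature_ok && echo "CSR signature: OK"
key_matches_csr && echo "key/CSR modulus: match"
key_is_encrypted "$ENCKEY" && echo "encrypted key: yes"
key_is_encrypted "$KEY" || echo "-nodes key: unencrypted (Apache restarts without a passphrase)"
```

The CN is still what the enrollment form reads, but browsers now match the hostname against the subjectAltName extension; CAs fill it from the CN or the order form, and with OpenSSL 1.1.1 or later `-addext 'subjectAltName=DNS:mysubdomain.mydomain.com'` puts it in the CSR directly.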