Apache CSR Generation

CSR Generation: Apache

Generating a Certificate Signing Request (CSR) using Apache (with mod_ssl) & OpenSSL

To generate your CSR, you will need to log in to your server and use the OpenSSL software to generate a CSR and private key.

  1. Log in to your server, and enter the following command:
    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

    This will generate two files: a CSR called 'server.csr' and a 2048-bit private key called 'myserver.key'.

  2. You will be prompted to enter some information for your CSR:

    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: Yorks
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

    Please enter the following 'extra' attributes to be sent with your certificate request

    A challenge password []: 
    An optional company name []:

    The 'CN' field (Common Name) is where you should enter the fully qualified domain name of the website you require the certificate for.
    Note: for wildcard certificates, the Common Name should be in the format: *.mydomain.com

  3. Your CSR is now generated. Open the 'server.csr' file with a text editor, then copy and paste its contents into the enrollment form when requested.

Notes:
The 'myserver.key' file should be kept secure (e.g. readable only by root on Linux systems).

Removing the '-nodes' option from the openssl command will request a password and encrypt the private key. This can increase security, but note that the password will be required each time Apache is restarted.

EV certificates require a minimum key size of 1024 bits if valid before 2011, and 2048 bits if they are valid into 2011. We recommend 2048 bits as the minimum key size for all certificates.

The two-letter 'Country Name' field must be the ISO-3166 standard country code. Please note that 'GB' is correct for Great Britain, not 'UK'. A complete list can be found here: http://www.iso.org/iso/country_codes.htm
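
The steps and notes above as one script, added here as an example and not part of the original article. It passes the page's sample answers through `-subj` instead of the prompts, then checks the key's file mode, the key size, the Common Name, and that the CSR was made from this key; the function names are illustrative.

```shell
#!/bin/sh
# Added example: the page's command run non-interactively, then checked.
# SUBJ reuses the page's sample answers; replace them with your own details.
SUBJ='/C=GB/ST=Yorks/L=York/O=MyCompany Ltd/OU=IT/CN=mysubdomain.mydomain.com'

# gen_csr KEYFILE CSRFILE SUBJECT
# umask 077 in a subshell makes the new key readable only by its owner.
gen_csr() {
    ( umask 077
      openssl req -nodes -newkey rsa:2048 -keyout "$1" -out "$2" \
          -subj "$3" 2>/dev/null )
}

# File mode string of the key, e.g. "-rw-------".
key_mode() { ls -l "$1" | cut -c1-10; }

# csr_matches_key KEYFILE CSRFILE
# Succeeds only if the CSR carries the public key that belongs to KEYFILE.
csr_matches_key() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# check_csr KEYFILE CSRFILE EXPECTED_CN
# Runs every check and returns non-zero if any of them fails.
check_csr() {
    rc=0
    [ "$(key_mode "$1")" = "-rw-------" ] || { echo "key is not owner-only"; rc=1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key"; rc=1; }
    openssl req -in "$2" -noout -text | grep -q 'Public-Key: (2048 bit)' \
        || { echo "key is not 2048-bit"; rc=1; }
    openssl req -in "$2" -noout -subject -nameopt RFC2253 \
        | grep -qF "CN=$3," || { echo "unexpected Common Name"; rc=1; }
    return $rc
}

# Demo in a scratch directory, so an existing key is never overwritten.
demo_dir=$(mktemp -d) \
    && gen_csr "$demo_dir/myserver.key" "$demo_dir/server.csr" "$SUBJ" \
    && check_csr "$demo_dir/myserver.key" "$demo_dir/server.csr" \
           mysubdomain.mydomain.com \
    && echo "all checks passed"
rm -rf "$demo_dir"
```
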

