To generate a Certificate Signing Request (CSR), a key pair must be created for the server. The pair consists of a public key and a private key, which cannot be separated. Apache SSL environments are highly customized and your system may differ, so the instructions below are generalized. The "openssl" utility is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have a custom installation, you will need to adjust these instructions appropriately.
Elliptic Curve Cryptography (ECC) is a newer form of public/private key encryption than the standard RSA technique. To get an ECC certificate from a Certificate Authority (CA), a CSR must be created from an ECC-generated key pair.
To generate an ECC CSR on Apache (OpenSSL/Nginx/ModSSL), perform the following.
Step 1: Generating your private key pair:
- On the Apache system type the following command at the prompt.
Note: The names of these files do not matter, but it is recommended to use unique names to stay organized in an Apache environment. You will, however, have to reference these file names once they have been specified.
Step 2: Generating your CSR:
- Type the following command at the prompt.
Note: If using OpenSSL on Windows, you may need to specify the path to openssl.cnf, such as the following: openssl req -new -key privatekey.key -out request.csr -config "c\opens-win64\bin\openssl.cnf"
- Specify the requested information as it pertains to your organization and system:
- Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts
- Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate, for example: Saint Louis, not St. Louis.
- Company: If the company or department has an &, @, or any other symbol typed with the Shift key in its name, the symbol must be spelled out or omitted in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
- Common Name: The fully-qualified domain name, or URL, you're securing, for example www.domain.com. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.domain.com.
- Note: You might be prompted to associate a challenge password with your CSR. Leave this blank and press Enter. Associating a password with your CSR will encrypt it and will cause issues with enrollment.
A public/private key pair has now been created. The private key (privatekey.key) is stored locally on the server (remember its location and name, as it will be required for installation). The public portion, in the form of a CSR (request.csr), will be used for enrollment.
Your key pair has now been created on this system. Your CSR has been created and is ready: open the file in Notepad, then copy and paste its contents into the enrollment portal.
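The two steps above as a non-interactive script, with the checks worth running before the CSR is submitted. This is an added example, not commands from the original page: the curve prime256v1, the use of -subj in place of the prompts, and the function names are assumptions, while the file names privatekey.key and request.csr are the ones this page uses.

```sh
#!/bin/sh
# Added example: ECC key pair + CSR with OpenSSL, then pre-submission checks.
# Assumptions: curve prime256v1; -subj replaces the interactive prompts.

# gen_ecc_csr OUTDIR SUBJECT [CURVE]
# Step 1 writes OUTDIR/privatekey.key, Step 2 writes OUTDIR/request.csr.
gen_ecc_csr() {
    outdir=$1; subject=$2; curve=${3:-prime256v1}
    # Generate the key in a subshell with a restrictive umask so the
    # private key file is never readable by other local users.
    ( umask 077
      openssl ecparam -name "$curve" -genkey -noout \
          -out "$outdir/privatekey.key" ) || return 1
    # With -subj there are no prompts, so no challenge password is attached.
    openssl req -new -key "$outdir/privatekey.key" \
        -out "$outdir/request.csr" -subj "$subject"
}

# check_ecc_csr CSR
# Succeeds only if the CSR's self-signature verifies and it carries an
# EC public key (an RSA CSR would not yield an ECC certificate).
check_ecc_csr() {
    text=$(openssl req -in "$1" -noout -text -verify 2>&1) || return 1
    printf '%s\n' "$text" | grep -q 'verify OK' || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# csr_matches_key CSR KEY
# The public key in the CSR must be the one derived from the private key
# kept on the server; otherwise the issued certificate cannot be installed.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ]
}

# Usage (subject values are the sample values from the field list above):
#   gen_ecc_csr . "/C=US/ST=Massachusetts/L=Boston/O=XYZ Corporation/CN=www.domain.com"
#   check_ecc_csr request.csr && csr_matches_key request.csr privatekey.key
```

Only request.csr goes to the enrollment portal; privatekey.key stays on the server.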
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
SSLSupportDesk is part of Acmetek, which is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Acmetek offers all 4 brands of SSL certificates: Symantec, Thawte, GeoTrust and RapidSSL. It also offers the Norton Shopping Guarantee, which inspires trust and increases online sales with a 20x ROI guarantee.