Here we are going to discuss how to manually generate a Certificate Signing Request (CSR) for an Apache web server using OpenSSL.
This process has two steps: creating a private key, then creating the CSR itself. Both are done in a terminal window or command prompt using the commands detailed below, and both are saved as PEM-encoded text files.
NOTE: If using OpenSSL on Windows, the path to openssl.cnf may need to be specified, so we set the path to openssl.cnf first and then run the OpenSSL commands. Either set the OPENSSL_CONF environment variable (for example, set OPENSSL_CONF=<ServerRoot>\conf\openssl.cnf) or pass -config <path to openssl.cnf> on each openssl req command.
<ServerRoot> is the Apache distribution folder, e.g. C:\Apache2.4
Before proceeding with private key and CSR creation on Windows, install the Microsoft Visual C++ 2012 Redistributable (not needed on other platforms). The OpenSSL DLLs used when running the openssl commands are linked against that runtime and the commands will fail to start without it.
Create a Private Key
Creating your private key requires the command itself, the location and file name you wish to use, and the key size.
Type the following command in an open terminal window or command prompt to generate your private key with OpenSSL:
openssl genrsa -des3 -out <private key file name>.key 2048
This invokes OpenSSL, instructs it to generate a 2048-bit RSA private key (2048 bits is the minimum size public CAs accept today), encrypts the key file with Triple DES (-des3) under a pass phrase that you are prompted to enter twice (the pass phrase is not displayed as you type), and writes it to the named file. The file name and location you choose depend on your system or network's configuration. Keep this file private: anyone who obtains it can impersonate your server. Note also that an encrypted key means Apache will ask for the pass phrase every time it starts unless SSLPassPhraseDialog is configured to supply it.
NOTE: If using Apache on Windows, or generating a private key for use with Amazon Web Services, Plesk or cPanel, omit -des3: those environments do not support pass-phrase-protected keys and expect an unencrypted key file. In that case file permissions are the only thing protecting the key, so restrict them to the account Apache runs as.
Generating the CSR
Generating the CSR requires another command, the location and file name of your newly created key, and a path and file name for your CSR. You will also be prompted for the information that populates the CSR.
1) At the command line, type:
openssl req -new -key <private key file name>.key -out <csr file name>.csr
This starts OpenSSL, instructs it to generate a certificate signing request, and tells it to use the private key we just created. The CSR embeds the public half of that key and is signed with the private half, which is how the CA knows the requester holds the key.
By convention a certificate signing request file name ends in .csr; the file itself is a PEM-encoded PKCS#10 request.
2) If the key is encrypted, enter the pass phrase you chose when creating it. The pass phrase is not displayed as you type. Hit Enter when done.
You will now be prompted for the information that will be incorporated into your CSR. Together these fields are known as the Distinguished Name, or DN. Some fields are required, while others are optional and can be left blank.
Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
State or Province: Spell out the state completely; do not abbreviate the state or province name. For example: California, not CA
Locality or City: The Locality field is the city or town where the organization is headquartered spelled in full. For example: Mountain View, not Mt. View
Company: If the company or department name contains &, @, or any other special symbol, the symbol must be spelled out or omitted in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
Common Name: The Common Name is the fully qualified host name the certificate will protect, i.e. host + domain name, such as "www.company.com" or "company.com". It must match exactly what users type in the browser. RapidSSL certificates issued to the www subdomain will also include the base domain as a Subject Alternative Name.
NOTE: Do not enter a challenge password or an optional company name when generating the CSR. Both are optional fields; press Enter to leave them blank.
3) Once the CSR has been created, proceed to enroll for the certificate by submitting the contents of the .csr file (including the BEGIN and END lines) to the CA.
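The full key-and-CSR procedure above, scripted end to end, as an added example that is not part of the original page. It runs the same openssl genrsa and openssl req commands non-interactively (-passout/-passin in place of the pass phrase prompt, and a small config file in place of the DN prompts, which is also the -config mechanism mentioned for Windows), adds a Subject Alternative Name so the request names both the www host and the base domain, and then performs the two checks worth doing before submitting any CSR: that its self-signature verifies, and that its public key really belongs to the key file you intend to install. The directory, host names, DN values and pass phrase are constructed placeholders, and it assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive private key
# and CSR generation with OpenSSL, followed by the checks an operator runs
# before sending the CSR to a CA. Assumes `openssl` is on PATH.
# The DN values and host names below are constructed placeholders.

# make_key_and_csr DIR HOST BASE_DOMAIN PASSPHRASE
#   Writes DIR/server.key (Triple-DES encrypted, mode 0600), DIR/openssl.cnf
#   and DIR/server.csr. The CSR carries the DN fields listed on the page plus
#   a subjectAltName for HOST and BASE_DOMAIN. Prints the CSR subject on
#   success and returns non-zero on any failure.
make_key_and_csr() {
    dir=$1; host=$2; base=$3; pass=$4
    key="$dir/server.key"; cnf="$dir/openssl.cnf"; csr="$dir/server.csr"
    mkdir -p "$dir" || return 1

    # umask 077 so the key file is created owner-read/write only;
    # -passout replaces the interactive pass phrase prompt of genrsa -des3.
    (umask 077 && openssl genrsa -des3 -passout "pass:$pass" -out "$key" 2048) || return 1

    # Request config: prompt = no takes the DN from [dn] instead of asking,
    # req_extensions adds a SAN so the request names both hosts explicitly.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
countryName            = US
stateOrProvinceName    = California
localityName           = Mountain View
organizationName       = Example Corp
organizationalUnitName = Web Operations
commonName             = $host

[v3_req]
subjectAltName = DNS:$host, DNS:$base
EOF

    openssl req -new -key "$key" -passin "pass:$pass" -config "$cnf" -out "$csr" || return 1

    # Check 1: the CSR's self-signature is valid (nothing was corrupted or edited).
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # Check 2: the CSR was made with THIS key, not another key lying around.
    csr_matches_key "$csr" "$key" "$pass" || return 1

    openssl req -in "$csr" -noout -subject
}

# csr_matches_key CSR KEY PASSPHRASE
#   Returns 0 when the public key embedded in the CSR equals the public half
#   of KEY. Both commands emit the PEM SubjectPublicKeyInfo, so the two
#   strings can be compared directly.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout) || return 1
    case $csr_pub in *"BEGIN PUBLIC KEY"*) ;; *) return 1 ;; esac
    [ "$csr_pub" = "$key_pub" ]
}

# csr_san CSR
#   Prints the subjectAltName entries of the request (empty if none).
csr_san() {
    openssl req -in "$1" -noout -text | grep 'DNS:' | sed 's/^[[:space:]]*//'
}

# Usage: make_key_and_csr ./out www.example.com example.com 'my pass phrase'
```

Paste the printed subject back against what the CA's enrollment form shows; if the two differ, the wrong CSR is being submitted. The second check is the one that saves the most time in practice: a certificate issued for a CSR that does not match the installed key produces an Apache startup error that looks like a broken certificate rather than a key mix-up.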
Generating a Self-Signed Certificate (With CSR)
At this point you may also want a self-signed certificate, either because you do not plan to have the certificate signed by a CA or because you want to test your new SSL configuration while the CA is processing your request. Browsers will show an error for this temporary certificate to the effect that the issuing certificate authority is unknown and not trusted.
1) To generate a temporary certificate valid for 365 days, issue the following command:
openssl x509 -req -days 365 -in <CSR file name>.csr -signkey <Private Key file name>.key -out <Certificate file name>.crt
Generating a Self-Signed Certificate (Without CSR)
2) A self-signed certificate can also be created without a CSR. Run the command below; it prompts for the same organization information as when creating a CSR:
openssl req -x509 -new -days 365 -key <Private Key file name>.key -out <Certificate file name>.crt
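Both self-signed variants above, scripted together with the checks a tester would run, as an added example that is not part of the original page. It assumes openssl is on PATH; the directory, host names and DN values are constructed placeholders. The point it adds is a caveat the two commands alone do not show: openssl x509 -req does not carry extensions over from the CSR, and openssl req -x509 adds none by default, so a certificate made exactly as shown has no Subject Alternative Name, and current browsers reject a certificate with no SAN even when the Common Name matches. The example supplies the SAN with -extfile and then verifies the certificate against itself for the intended host name.

```shell
#!/bin/sh
# Added example (not from the original page): a self-signed test certificate
# built from a CSR, plus the checks worth running on it. Assumes `openssl`
# is on PATH; host names and DN values are constructed placeholders.

# self_signed_from_csr DIR HOST BASE_DOMAIN
#   Creates an unencrypted key (as the page advises for Apache on Windows),
#   a CSR, and a 365-day self-signed certificate. `openssl x509 -req` does
#   NOT copy extensions from the CSR, so the SAN is supplied via -extfile.
#   Prints the certificate path on success.
self_signed_from_csr() {
    dir=$1; host=$2; base=$3
    key="$dir/server.key"; csr="$dir/server.csr"; crt="$dir/server.crt"
    mkdir -p "$dir" || return 1

    (umask 077 && openssl genrsa -out "$key" 2048) || return 1
    # -subj replaces the interactive DN prompts (and skips the challenge
    # password and optional company name, as the page advises).
    openssl req -new -key "$key" \
        -subj "/C=US/ST=California/L=Mountain View/O=Example Corp/CN=$host" \
        -out "$csr" || return 1

    # A one-line extension file; without it the certificate has no SAN.
    printf 'subjectAltName = DNS:%s, DNS:%s\n' "$host" "$base" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$csr" -signkey "$key" \
        -extfile "$dir/san.ext" -out "$crt" 2>/dev/null || return 1
    printf '%s\n' "$crt"
}

# self_signed_plain DIR HOST
#   The page's no-CSR command (openssl req -x509) with -subj in place of the
#   prompts. Kept here to show that it yields a certificate WITHOUT a SAN.
self_signed_plain() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048) || return 1
    openssl req -x509 -new -days 365 -key "$dir/server.key" \
        -subj "/C=US/ST=California/L=Mountain View/O=Example Corp/CN=$host" \
        -out "$dir/server.crt" || return 1
    printf '%s\n' "$dir/server.crt"
}

# cert_has_san CRT -> 0 if the certificate carries at least one DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:'
}

# cert_valid_for CRT HOST -> 0 if CRT chains to itself and is valid for HOST.
#   Trusting the certificate as its own CA (-CAfile) mirrors what a tester
#   does when importing it into a browser or OS trust store.
cert_valid_for() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage: self_signed_from_csr ./out www.example.com example.com
```

On OpenSSL 1.1.1 or newer the no-CSR path can get the same SAN by adding -addext "subjectAltName=DNS:www.example.com,DNS:example.com" to the openssl req -x509 command. Note that openssl verify -verify_hostname still falls back to the Common Name when no SAN is present, so it will not reveal the missing SAN; cert_has_san is the check that does.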