Knowledge Base - FAQ

Question: My SSL certificate company needs a CSR, how do I get a CSR?

Most SSL distributors will ask for a CSR when you try to purchase a certificate from them. Follow these instructions to generate a CSR for your domain.

  1. SSH into your webserver with your login name and password.
  2. Create a directory to store your certificate key, certificate CSR, and certificate.

    3. mkdir certs ; cd certs

  3. Type the following command to generate your RSA private key, please adjust the filename 'domainname.key' accordingly.

    4. openssl genrsa -out domainname.key 2048

  4. Type the following command to create a CSR with the RSA private key, adjusting the filenames for your domain name (output will be PEM format):

    openssl req -new -key domainname.key -out domainname.csr

  5. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters can not be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

    DN Field

    Explanation

    Example
    Common Name The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL https://www.geotrust.com, then your CSR's common name must be www.geotrust.com.
    Organization The exact legal name of your organization. Do not abbreviate your organization name. GeoTrust
    Organization Unit Section of the organization Marketing
    City or Locality The city where your organization is legally located. Wellesley Hills
    State or Province The state or province where your organization is legally located. Can not be abbreviated. Massachusetts
    Country The two-letter ISO abbreviation for your country. US

  6. Do not enter extra attributes at the prompt.

    7. Warning: Please leave the challenge password blank (press <enter>)

    Note: If you would like to verify the contents of the CSR, use the following command:

    openssl req -noout -text -in domainname.csr

  7. Submit your CSR to your SSL signing company. You can either download the 'domainname.csr' file via FTP and view it locally, or you can use 'cat' to view it at the prompt.

    8. cat domainname.csr

    Note: You can also self-sign a certificate, for testing purposes. (viewers will see a security warning)

    openssl x509 -req -days 365 -in host.csr -signkey host.key -out host.crt

  8. Create a backup of your private key!

    Make a copy of the private key file (domainname.key) generated in step 3 and store it in a safe place! If you lose this file, you must purchase a new certificate.

  9.  When you are done chmod the files to 600,  chmod 600 * in the certs directory. 


Last Modified: Jul 27, 2011


You are at: Kattare Hosting: Knowledge Base
Comments or feedback? Email: support@kattare.com
Legal: Terms of Service | Privacy Policy | DMCA Procedure | Trademarks
Kattare is Trustwave Certified and Safe Harbor Certified | Rated Safe For Kids by ICRA | All Rights Reserved Worldwide
Copyright © 1997 - 2012 Kättare Internet Services | Processed in 0.012 seconds by pyramid-05 in Corvallis, Oregon