Generate a CSR with OpenSSL
This article explains how to generate an RSA private key and a certificate signing request (CSR) with OpenSSL, the first step of installing an SSL/TLS certificate. The same procedure applies whether you are buying a traditional certificate from a commercial CA (e.g. Verisign), using a self-signed certificate, or requesting a '*' wildcard certificate.
Prerequisites
Make sure that OpenSSL is installed on your server. It is a standard package and is available on all major distros through their package manager. On an RPM-based distro (RHEL, CentOS, Fedora) you can check whether it is installed with:
# rpm -qa | grep -i openssl
The command should return packages like the following (the exact version string will vary by distro; on Debian-based systems use dpkg/apt instead of rpm/yum):
openssl-0.9.8e-7.el5 openssl-0.9.8e-7.el5 openssl-devel-0.9.8e-7.el5
If nothing is returned, install it:
# yum install openssl openssl-devel
Generate the RSA key
Create an RSA key for your Apache server. Since every distro keeps certificates in a different location, this article just uses an arbitrary working directory:
# mkdir ~/domain.com.ssl/
# cd ~/domain.com.ssl/
Type the following command to generate a 2048-bit RSA private key (2048 bits is the minimum public CAs accept today). The key is the secret that makes the certificate yours: keep the file readable only by root or the service account, and never send it to anyone, including the CA.
# openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Create a CSR
To create a CSR from the RSA private key, type the following. The request is signed with the key and hashed with SHA-256; the output is in PEM format:
# openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must follow certain conventions. Enter the information to be displayed in the certificate. The following characters cannot be used in the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &
| DN Field | Explanation | Example |
|---|---|---|
| Common Name | The fully qualified domain name of your web server. This must be an exact match. | To secure https://www.yourdomain.com the CSR's common name must be www.yourdomain.com. For a wildcard certificate prefix the domain with an asterisk, e.g. *.domain.com (a wildcard matches exactly one label: *.domain.com covers www.domain.com but not domain.com or a.b.domain.com). |
| Organization | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com |
| Organizational Unit | Section of the organization | IT |
| City or Locality | The city where your organization is legally located. | Wellesley Hills |
| State or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts |
| Country | The two-letter ISO abbreviation for your country. | US |

Note that modern browsers ignore the Common Name and match the hostname only against the Subject Alternative Name (SAN) extension. Most CAs copy the CN into the SAN for you, but if one certificate must cover several hostnames (e.g. domain.com and www.domain.com), put them in a subjectAltName extension in the CSR (via a -config file) or list them when you submit the request to the CA.
Do not enter any extra attributes at the prompt.
- Warning: Leave the challenge password blank (press Enter). It is an optional CSR attribute that public CAs do not use, and it is not a passphrase on your private key.
Verify your CSR. Check that the subject, key size, and any requested extensions are what you expect before submitting it (adding -verify to the command below also checks the CSR's self-signature):
# openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
Submit your CSR
From this point, submit the CSR you created here (the .csr file, not the .key file) to a certificate authority. Keep the private key on the server: the certificate the CA returns only works with the key that signed this CSR.
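The whole procedure above, as an added, non-interactive script rather than code from the original article: it generates the key with restrictive file permissions, writes a small OpenSSL config so the DN from the table and a subjectAltName extension go into the CSR without prompting, and then performs the checks a practitioner runs before submitting (the CSR's self-signature verifies and its public key matches the private key). The hostnames www.domain.com and domain.com, the output directory, and the DN values are the article's placeholders; the helper names gen_csr, csr_ok, csr_cn and csr_sans are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): key + CSR with SAN, plus checks.
set -eu

# gen_csr HOST OUTDIR [EXTRA_SAN...]
# Writes OUTDIR/HOST.key, OUTDIR/HOST.cnf and OUTDIR/HOST.csr.
gen_csr() {
    host="$1"; dir="$2"; shift 2
    mkdir -p "$dir"
    # 2048-bit RSA key; progress output is on stderr and is not needed here
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"          # the key must not be world-readable

    # subjectAltName: primary host first, then any extra hostnames
    sans="DNS:$host"
    for extra in "$@"; do sans="$sans,DNS:$extra"; done

    # Config file instead of interactive prompts; DN values are the
    # article's example values, and req_extensions puts the SAN in the CSR.
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C = US
ST = Massachusetts
L = Wellesley Hills
O = domain.com
OU = IT
CN = $host

[v3_req]
subjectAltName = $sans
EOF
    openssl req -new -sha256 -key "$dir/$host.key" \
        -config "$dir/$host.cnf" -out "$dir/$host.csr"
}

# csr_ok PATH_WITHOUT_EXTENSION
# Succeeds only if the CSR self-signature verifies and the CSR's public key
# has the same modulus as the private key (i.e. this key produced this CSR).
csr_ok() {
    openssl req -noout -verify -in "$1.csr" >/dev/null 2>&1 || return 1
    k=$(openssl rsa -noout -modulus -in "$1.key")
    c=$(openssl req -noout -modulus -in "$1.csr")
    [ "$k" = "$c" ]
}

# csr_cn CSRFILE: print the Common Name from the CSR subject
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# csr_sans CSRFILE: print the requested subjectAltName entries, comma-separated
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}

# Stand-alone usage: ./csr.sh run
if [ "${1:-}" = "run" ]; then
    gen_csr www.domain.com "$HOME/domain.com.ssl" domain.com
    csr_ok "$HOME/domain.com.ssl/www.domain.com" && echo "CSR OK"
    csr_sans "$HOME/domain.com.ssl/www.domain.com.csr"
fi
```

The modulus comparison in csr_ok is the same check you should run again on the certificate the CA returns (openssl x509 -noout -modulus) before installing it, so a certificate issued for a different key is caught before Apache fails to start.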