Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2014-09-18 15:50:44.0

TN 8231 - How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL

Question:

How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL?

 

Answer:


The process below will guide you through the steps of creating a Private Key and CSR

 

IMPORTANT: The private key is not to be shared by anyone, sharing of the private key is against best practice. If you require to share the private key it is best to transfer in a secure manner and not through open communication such as unencrypted email. DO NOT provide Entrust with the private key.

 

Launch the OS Terminal or Command Prompt:

For SHA-1 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

For SHA-2 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 –sha256 -nodes -keyout server.key -out server.csr

 

PLEASE NOTE: Replace "server.key" and "server.csr" with your own values 

 

Once prompted for a "Common Name" enter the Fully Qualified Domain Name (FQDN) that you wish to secure in the certificate

 

For Wildcard: If you are going to be requesting a Wildcard Certificate you will need to place an asterisk * in front of the domain (e.g. *.entrust.com)

 

You will also be prompted for the following information:

Attribute

Prefix

Description

Example

Country/Region

C

Business Location - Country

CA

State/Province

ST

Business Location - State/Province

Ontario

City/Locality

L

Business Location - City

Ottawa

Organization Unit

OU

Organization Unit if required to be listed*

 Optional*

Organization

O

Organization’s legal business name

Entrust Inc.

Common Name

CN

Domain to be secured by certificate

www.entrust.com


PLEASE NOTE: Do not use a Challenge Password

* If you require an Organization Unit, the value you place will be required to pass verification. If the OU is considered misleading or a registered trademark to a different legal entity it will be removed from certificate that is issued and show up with no value.

Command Output Sample:

[User@localhost ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Generating a 2048 bit RSA private key

.........................................................................+++

............................................+++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CA

State or Province Name (full name) []:Ontario

Locality Name (eg, city) [Default City]:Ottawa

Organization Name (eg, company) [Default Company Ltd]:Entrust Inc.

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:www.entrust.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

You will now have a Private Key and CSR, the CSR contents are used to submit the request to Entrust to issue the certificate. You can view the contents of the CSR by opening the file within a basic text editor, to confirm the information is correct use the Entrust CSR viewer to parse the information within the CSR: http://www.entrust.net/ssl-technical/csr-viewer.cfm

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable