Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2011-01-18 09:48:52.0

TN 8231 - How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL

Question:

How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL?

Answer:

If you require an SSL certificate to secure a domain hosted on Apache HTTP Server, you first need to generate a Certificate Signing Request (CSR). To generate a new CSR:

  1. Launch a command prompt or your system console and run the OpenSSL tool from where it was installed on your system (for example /usr/local/ssl/bin or /usr/sfw/bin, as on the test system used for this example).

  2. Once openssl is started, generate a new private key to use for securing the domain and for generating the new CSR.

If you have already generated a private key, go to step 3.

To generate a private key, use the command:

    genrsa -out <path to key storing directory>/<file name>.key -des3 2048

You will be asked to provide and verify a password to secure this new private key. Provide this password. The -des3 option encrypts the key file with this password, so the same password is required whenever the key is used.

  3. Use the openssl tool to generate your new CSR from the private key.

To generate your new CSR using openssl, use the following command:

    req -new -key <private key directory>/<private key>.key -out <CSR directory>/<CSR file name>.csr

You will be asked to provide the password for the private key file, so enter it.

You will then be asked to enter the Distinguished Name (DN) to be defined in the CSR as follows (mandatory fields are: country, organization name, and common name):

| Attribute | Prefix | Description | Example |
|---|---|---|---|
| Country/Region | c | Business location - country | CA |
| State/Province | st | Business location - state/province | Ontario |
| City/Locality | l | Business location - city | Ottawa |
| Organizational Unit | ou | Department in the organization | |
| Organization | o | Organization’s legal business name | Entrust Inc. |
| Common name | cn | Domain to be secured by certificate | test.entrust.com |

Note: Do not use a challenge password.

  4. Now you should have a new CSR for your domain ready to be used. The content of this CSR is what you need to submit to Entrust when you are requesting/generating your SSL certificate. The CSR file should contain content similar to this:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----


  5. To verify the content of your new CSR, run the following openssl command:

    req -noout -text -in <path to CSR file>/<file name>.csr

This will display the information specified in the CSR file in plain text format.




  6. Open the generated .csr file containing the newly created Certificate Signing Request (CSR) and copy its content into the specified field when you are requesting a certificate from Entrust.

Note: You need to copy the full CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines. Make sure that there are no trailing spaces or carriage returns in the CSR.
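
The checks from steps 5 and 6 can be scripted before the CSR is pasted into the request form. The following is an added example, not Entrust's code: the function names csr_framing_ok and csr_content_ok are hypothetical, openssl is assumed to be on the PATH, and it is called from the shell as "openssl req" rather than from the openssl prompt. It goes beyond reading the text output by also checking the self-signature, the key size and the mandatory DN fields.

```shell
#!/bin/sh
# Added example: checks to run on a CSR file before pasting it into a request form.
# Function names are hypothetical; only standard "openssl req" options are used.

# csr_framing_ok FILE
# No line may end in a space, tab or carriage return, and the first and last
# lines must be a matching BEGIN/END pair (so a trailing blank line fails too).
csr_framing_ok() {
    if grep -q '[[:space:]]$' "$1"; then
        echo "trailing whitespace or carriage return" >&2; return 1
    fi
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    case "$first" in
        "-----BEGIN CERTIFICATE REQUEST-----")
            want="-----END CERTIFICATE REQUEST-----" ;;
        "-----BEGIN NEW CERTIFICATE REQUEST-----")
            want="-----END NEW CERTIFICATE REQUEST-----" ;;
        *) echo "missing BEGIN line" >&2; return 1 ;;
    esac
    if [ "$last" != "$want" ]; then
        echo "missing or mismatched END line" >&2; return 1
    fi
    return 0
}

# csr_content_ok FILE [MIN_BITS]
# The request's self-signature must verify, the key must be at least MIN_BITS
# (default 2048, the size generated in step 2), and the mandatory DN fields
# (country, organization name, common name) must be present.
csr_content_ok() {
    min=${2:-2048}
    openssl req -noout -verify -in "$1" 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify" >&2; return 1; }
    bits=$(openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "key is ${bits:-unknown} bits, need $min" >&2; return 1; }
    subj=$(openssl req -noout -subject -nameopt multiline -in "$1" 2>/dev/null)
    for field in countryName organizationName commonName; do
        printf '%s\n' "$subj" | grep -q "^ *$field *=" ||
            { echo "missing $field in DN" >&2; return 1; }
    done
    return 0
}
```

Run csr_framing_ok on the exact file whose content you will paste, then csr_content_ok on the same file; each prints the reason to stderr and returns non-zero on failure.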

 

For more information about OpenSSL see: http://www.openssl.org/docs/apps/openssl.html

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)