Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-07-05 15:46:21.0

How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL

Article Number: 46326

Question:

How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL?

 

Answer:

 

The process below will guide you through the steps of creating a Private Key and CSR.

 

IMPORTANT: The private key must not be shared with anyone; sharing the private key is against best practice. If you are required to share the private key, transfer it in a secure manner and not through open communication such as unencrypted email. DO NOT provide Entrust with the private key.

 

Launch the OS Terminal or Command Prompt:
 

For SHA-1 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
 

For SHA-2 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout server.key -out server.csr
 

 

PLEASE NOTE: Replace "server.key" and "server.csr" with your own values 

     

When prompted for a "Common Name", enter the Fully Qualified Domain Name (FQDN) that you wish to secure in the certificate.

For Wildcard: If you are going to be requesting a Wildcard Certificate, you will need to place an asterisk * in front of the domain (e.g. *.entrust.com).

         

You will also be prompted for the following information:

Attribute            Prefix   Description                                    Example
Country/Region       C        Business Location - Country                    CA
State/Province       ST       Business Location - State/Province             Ontario
City/Locality        L        Business Location - City                       Ottawa
Organization Unit    OU       Organization Unit if required to be listed*    Optional*
Organization         O        Organization’s legal business name             Entrust Inc.
Common Name          CN       Domain to be secured by certificate            www.entrust.com

           
PLEASE NOTE: Do not use a Challenge Password.

* If you require an Organization Unit, the value you enter must pass verification. If the OU is considered misleading, or is a registered trademark of a different legal entity, it will be removed from the certificate that is issued and will show up with no value.
           

Command Output Sample:

    [User@localhost ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    Generating a 2048 bit RSA private key
    .........................................................................+++
    ............................................+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CA
    State or Province Name (full name) []:Ontario
    Locality Name (eg, city) [Default City]:Ottawa
    Organization Name (eg, company) [Default Company Ltd]:Entrust Inc.
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.entrust.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

           

           

You will now have a Private Key and CSR. The CSR contents are used to submit the request to Entrust to issue the certificate. You can view the contents of the CSR by opening the file in a basic text editor. To confirm the information is correct, use the Entrust CSR viewer to parse the information within the CSR: http://www.entrust.net/ssl-technical/csr-viewer.cfm
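The SHA-2 request above can also be generated without prompts and checked locally before it is submitted. The script below is an added example, not part of the original Entrust article; the function names (make_csr, csr_sig_alg, csr_key_bits, check_csr) are hypothetical, and the subject values are the article's samples.

```shell
# Added example (not Entrust's code); function names are hypothetical.
# make_csr <key-file> <csr-file> <subject>
# The article's SHA-2 command, with -subj supplying the DN instead of the prompts.
make_csr() (
  umask 077   # the private key file is created readable by its owner only
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
)

# Print the signature algorithm recorded in the CSR. Without an explicit
# digest flag this is whatever the local OpenSSL build or config defaults to.
csr_sig_alg() {
  openssl req -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the size of the CSR's public key in bits.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr <key-file> <csr-file>: non-zero exit status if any check fails.
check_csr() (
  key=$1 csr=$2 rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    fail "CSR self-signature does not verify"
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    fail "CSR public key does not belong to $key"
  [ "$(csr_sig_alg "$csr")" = "sha256WithRSAEncryption" ] ||
    fail "signature algorithm is not SHA-256 with RSA"
  [ "$(csr_key_bits "$csr")" -ge 2048 ] || fail "key is shorter than 2048 bits"
  case "$(ls -l "$key")" in
    -rw-------*|-r--------*) ;;
    *) fail "$key is readable by group or others" ;;
  esac
  exit "$rc"
)

# Demo in a scratch directory, using the article's sample DN values.
demo_dir=$(mktemp -d)
make_csr "$demo_dir/server.key" "$demo_dir/server.csr" \
  "/C=CA/ST=Ontario/L=Ottawa/O=Entrust Inc./CN=www.entrust.com"
check_csr "$demo_dir/server.key" "$demo_dir/server.csr" && echo "CSR OK"
```

Only the CSR file is submitted; the key file stays on the server, and check_csr reports a failure if its permissions are later loosened.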

             

            TN8231

            Affected Products:

            • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable