SSL Certificates

Securing Your Online Business

Apache Web Server with OpenSSL, mod_ssl

During the online enrollment process you will be required to provide Entrust Certificate Services with a Certificate Signing Request (CSR).

This data is generated from the OpenSSL application, and contains information about your company and web server.

It is important to review this guideline, as Entrust Certificate Services will use this information to generate your certificate.

To generate your Private Key:

  1. Select three large (approximately 200 KB) files from your hard drive for use as a seed for your random data. These files are referred to as "randfile1", "randfile2", and "randfile3" in the steps below.
  2. Open a terminal window and enter the following single command:

    $ openssl genrsa -des3 -rand randfile1:randfile2:randfile3 1024 \
        > /usr/local/apache/conf/ssl.key/servername.key

    This generates a 1024 bit RSA key pair and stores it in the file servername.key.
  3. Enter a passphrase when prompted. Please remember the passphrase you choose. If you forget this passphrase you will not be able to use your Entrust Certificate Services web server certificate. If you write down this passphrase, please be sure to store it in a secure location.
  4. Back up the file that contains your private key. Please be sure that the backup is stored in a secure location. Someone with access to your private key could decrypt the SSL-protected data sent and received by your web server.

To generate the Certificate Signing Request (CSR):

Do not use any of the following characters in your Certificate Signing Request (CSR): > < ! @ # $ % ^ * ( ) ~ ? / \.

  1. In a terminal window, begin the CSR creation by entering the following command:

    $ openssl req -new -key servername.key \
        -out /usr/local/apache/conf/ssl.csr/servername.csr

    The rest of the CSR creation is interactive. You must supply your company information as accurately as possible to ensure successful submission of your CSR.

    Enter PEM pass phrase:
    Enter the passphrase assigned to servername.key as performed in the previous step.

    Country Name (2 letter code) [AU]:
    Enter the corresponding ISO 3166 two-letter country code.

    State or Province Name (full name) [Some-State]:
    Enter the corresponding state or province, without abbreviations.

    Locality Name (eg, city) [ ]:
    Supply the city or locality name.

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Supply the name of your company or organization. This information should reflect the officially registered name of your company or organization.

    This organization must own the domain name that appears in the Common Name (CN) of your web server.

    Organizational Unit Name (eg, section) [ ]:
    If relevant, supply the name of the division or department.

    Common Name (eg, your web server's hostname) [ ]:
    Supply the Common Name (CN) of your web server in the field provided. This name must be identical to the fully qualified domain name of the web server for which you are requesting a certificate.

    If the web server name does not match the common name in the certificate, some browsers will refuse to establish a secure connection with your site.
    Do not specify the protocol (http://), any port numbers or pathnames in the Common Name (CN).
    Do not use wildcards such as * or ?.

    Email Address [ ]:
    Entrust does not accept the use of email attributes in CSRs. Please do not supply an email address in this field. Simply press ENTER to bypass this prompt.

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    DO NOT USE.

    An optional company name []:
    DO NOT USE.

    The servername.csr file will now contain the CSR that is needed during the enrollment process for Entrust Certificate Services.

  2. Verify the CSR's contents by viewing it with this command:
    $ openssl req -noout -text -in servername.csr

Creation of the Private Key and Certificate Signing Request is now complete.
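As an added example, not part of the Entrust guideline, the same procedure as a non-interactive POSIX shell script together with the checks a practitioner would run on the result: that no subject value contains a forbidden character, that the CSR's Common Name is exactly the expected hostname, and that the CSR really belongs to the private key. It assumes the hostname www.example.com, a passphrase kept in a file, constructed company details in the subject, and uses AES-256 and a 2048-bit key (the minimum public CAs accept today) in place of the guideline's -des3 and 1024.

```shell
#!/bin/sh
# Added example, not the guideline's own text. Assumes: hostname
# www.example.com, a passphrase file, and constructed subject fields.
set -eu

# Return 0 when a subject value avoids the characters the guideline
# forbids in a CSR: > < ! @ # $ % ^ * ( ) ~ ? / \
subject_value_ok() {
    ! printf '%s' "$1" | grep -q '[><!@#$%^*()~?/\\]'
}

# Generate a passphrase-protected RSA key; $1 key path, $2 passphrase file.
# AES-256 and 2048 bits are used instead of the guideline's -des3 / 1024.
gen_key() {
    openssl genrsa -aes256 -passout "file:$2" -out "$1" 2048 2>/dev/null
}

# Generate the CSR non-interactively; $1 key, $2 passphrase file,
# $3 CSR path, $4 Common Name (the server's fully qualified domain name).
# The C/ST/L/O values below are constructed placeholders.
gen_csr() {
    subject_value_ok "$4" || { echo "forbidden character in CN" >&2; return 1; }
    openssl req -new -key "$1" -passin "file:$2" -out "$3" \
        -subj "/C=CA/ST=Ontario/L=Ottawa/O=Example Corp/CN=$4"
}

# Return 0 when the CSR's Common Name is exactly $2 (no port, path, wildcard).
csr_cn_is() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | grep -qE "CN=$2(,|\$)"
}

# Return 0 when the public key inside the CSR equals the one derived from
# the private key $2, i.e. the CSR was really generated from that key.
csr_matches_key() {
    [ "$(openssl req -noout -pubkey -in "$1")" = \
      "$(openssl rsa -in "$2" -passin "file:$3" -pubout 2>/dev/null)" ]
}

# Stand-alone run (DEMO=1 ./script.sh): build a key and CSR in a temporary
# directory and check them.
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); printf 'demo-passphrase\n' > "$d/pass"
    gen_key "$d/servername.key" "$d/pass"
    gen_csr "$d/servername.key" "$d/pass" "$d/servername.csr" www.example.com
    csr_cn_is "$d/servername.csr" www.example.com && echo "CN ok"
    csr_matches_key "$d/servername.csr" "$d/servername.key" "$d/pass" && echo "key ok"
fi
```

The passphrase file must be protected like the key itself; the checks are the scripted form of the "openssl req -noout -text" review in step 2, so a mismatch means the CSR should be regenerated before enrollment.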