Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

26.7. Generating a Certificate Request to Send to a CA

Once you have created a key, the next step is to generate a certificate request which you need to send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs/ directory, and type the following command:

make certreq

Your system displays the following output and asks you for your passphrase (unless you disabled the passphrase option):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key 
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
	

Type in the passphrase that you chose when you were generating your key unless you don't need to. Next, your system displays some instructions and then ask for a series of responses from you. Your inputs are incorporated into the certificate request. The display, with example responses, looks similar to the following:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The default answers appear in brackets ([]) immediately after each request for input. For example, the first information required is the name of the country where the certificate is to be used, shown like the following:

Country Name (2 letter code) [GB]:

The default input, in brackets, is GB. Accept the default by pressing [Enter] or fill in your country's two letter code.

You have to type in the rest of the values. All of these should be self-explanatory, but you must follow these guidelines:

  • Do not abbreviate the locality or state. Write them out (for example, St. Louis should be written out as Saint Louis).

  • If you are sending this CSR to a CA, be very careful to provide correct information for all of the fields, but especially for the Organization Name and the Common Name. CAs check the information provided in the CSR to determine whether your organization is responsible for what you provided as the Common Name. CAs rejects CSRs which include information they perceive as invalid.

  • For Common Name, make sure you type in the real name of your secure server (a valid DNS name) and not any aliases which the server may have.

  • The Email Address should be the email address for the webmaster or system administrator.

  • Avoid special characters like @, #, &, !, and etc. Some CAs reject a certificate request which contains a special character. If your company name includes an ampersand (&), spell it out as "and" instead of "&."

  • Do not use either of the extra attributes (A challenge password and An optional company name). To continue without entering these fields, just press [Enter] to accept the blank default for both inputs.

The file /etc/httpd/conf/ssl.csr/server.csr is created when you have finished entering your information. This file is your certificate request, ready to send to your CA.

After you have decided on a CA, follow the instructions they provide on their website. Their instructions tell you how to send your certificate request, any other documentation that they require, and your payment to them.

After you have fulfilled the CA's requirements, they send a certificate to you (usually by email). Save (or cut and paste) the certificate that they send you as /etc/httpd/conf/ssl.crt/server.crt. Be sure to keep a backup of this file.

 
 
  Published under the terms of the GNU General Public License Design by Interspire