# ./usr/local/ssl/bin/openssl req -new -key www.example.com.key -out www.example.com.csr To get a certificate issued by a CA, you must first submit what is called a certificate signing request. As explained earlier, the request contains data about the entity requesting the certificate and the public key. This command creates such a request. You will be prompted to provide several pieces of information, as shown in Listing 7.1. Listing 7.1. Using openssl to Generate a Certificate Request
It is important that the Common Name field entry matches the address that visitors to your website will type in their browsers. This is one of the checks that the browser will perform for the remote server certificate. If the names differ, a warning indicating the mismatch will be issued to the user. You can now submit the certificate signing request file with a CA for processing. The exact process will vary for each entity. You can find an extensive list of CAs at http://www.pki-page.org/. Verisign, Thawte, GeoTrust, and Equifax are well-known commercial CAs. There are also a number of community CAs, such as http://www.cacert.org/. |