Generating a Certificate Request to Send to a CA

Once you have created a key, the next step is to generate a certificate request that you will need to send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs directory and type the following command:

make certreq

Your system will display the following output and will ask you for your password (unless you disabled the password option):

umask 77 ; \ /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr Using configuration from /usr/share/ssl/openssl.cnf Enter PEM pass phrase:

Type the password that you chose when you were generating your key. Your system will display some instructions and then ask for a series of responses from you. Your inputs will be incorporated into the certificate request. The display, with example responses, will look like this:

You are about to be asked to enter information that will be incorporated into your certificate  request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few  fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:North Carolina Locality Name (eg, city) [Newbury]:Raleigh Organization Name (eg, company) [My Company Ltd]:Test Company Organizational Unit Name (eg, section) []:Testing Common Name (your name or server's hostname) []:test.example.com Email Address []:admin@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

The default answers appear in brackets immediately after each request for input. For example, the first information required is the name of the country where the certificate will be used, shown like the following:

Country Name (2 letter code) [GB]:

The default input, in brackets, is GB. To accept the default, press Enter or fill in your country’s two-letter code. You will have to enter the rest of the inputs (State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email address). All of these should be self-explanatory, but you need to follow these guidelines:

• Do not abbreviate the locality or state. Write them out (for example, St. Louis should be written out as Saint Louis).

• If you are sending this CSR to a CA, be very careful to provide correct information for all of the fields, but especially for the Organization Name and the Common Name. CAs check the information provided in the CSR to determine whether your organization is responsible for what you provided as the Common Name. CAs will reject CSRs that include information perceived as invalid.

• For Common Name, make sure you enter the real name of your secure Web server (a valid DNS name) and not any aliases the server may have.

• The Email Address should be the email address for the Webmaster or system administrator.

• Avoid any special characters like @, #, &, !, and the like. Some CAs will reject a certificate request that contains a special character. So, if your company name includes an ampersand (&), spell it out as and instead of &.

• Do not use either of the extra attributes (A challenge password and An optional company name). To continue without entering these fields, just press Enter to accept the blank default for both inputs.

When you have finished entering your information, the file /etc/httpd/conf/ssl.csr/server.csr is created. This file is your certificate request, ready to send to your CA. After you have decided on a CA, follow the instructions provided on its website. The instructions will tell you how to send your certificate request, any other documentation required, and your payment. After you have fulfilled the CA’s requirements, it will send a certificate to you (usually by email). Save (or copy and paste) the certificate they send you as /etc/httpd/conf/ssl.crt/server.crt.