Once you have created a key, the next step is to generate a certificate
request which you will need to send to the CA of your choice. Type in
the following command:
Your system will display the following output and will ask you for
your password (unless you disabled the password option):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
|
Type in the password that you chose when you were generating your key.
Your system will display some instructions and then ask for a series of
responses from you. Your inputs will be incorporated into the
certificate request. The display, with example responses, will look
like this:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Durham
Organization Name (eg, company) [Internet Widgits]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: |
The default answers appear in brackets
[] immediately after each request for
input. For example, the first information required is the name of the
country where the certificate will be used, shown like the following:
Country Name (2 letter code) [AU]:
|
The default input, in brackets, is AU. To accept
the default, just press [Enter], or fill in your
country's two letter code.
You will have to type in the rest of the inputs (State
or Province Name, Locality
Name, Organization
Name, Organizational Unit
Name, Common Name,
and Email address). All of these
should be self-explanatory, but you need to follow these guidelines:
Do not abbreviate the locality or state. Write them out (for
example, St. Louis should be written out as Saint Louis).
If you are sending this CSR to a CA, be very careful to provide
correct information for all of the fields, but especially for the
Organization Name and the
Common Name. CAs check the
information provided in the CSR to determine whether your
organization is responsible for what you provided as the
Common Name. CAs will reject CSRs
which include information they perceive as invalid.
For Common Name, make sure you type
in the real name of your secure Web server (a valid DNS
name) and not any aliases which the server may have.
The Email Address should be the
email address for the webmaster or system administrator.
Avoid any special characters like @, #, &, !, etc. Some CAs will
reject a certificate request which contains a special character.
So, if your company name includes an ampersand (&), spell it out as
"and" instead of "&."
Do not use either of the extra attributes (A
challenge password and An
optional company name). To continue without
entering these fields, just press [Enter] to accept
the blank default for both inputs.
When you have finished entering your information, a file named
server.csr will be created. This file is your
certificate request, ready to send to your CA.
After you have decided on a CA, follow the instructions they provide on
their website. Their instructions will tell you how to send your
certificate request, any other documentation that they require, and your
payment to them.
After you have fulfilled the CA's requirements, they will send a
certificate to you (usually by email). Save (or cut and paste) the
certificate that they send you as
/etc/httpd/conf/ssl.crt/server.crt.
