Creating a request for a CA-signed certificate
To obtain a signed certificate from a certification authority (CA), you must create a private key and a Certificate Signing Request (CSR) for the domain name or host name of your web server. The private key is used first to generate the CSR and later to secure and verify connections with the certificate that is obtained from the CA. This topic explains how to create the private key and the CSR file by using OpenSSL.
You can use these instructions as a reference. However, it is recommended that you consult the security department of your organization, which can either provide the required signed certificate or guide you to the recommended method of requesting one.
Before you begin
Ensure that OpenSSL is installed in your environment.
To create a private key and CSR
- Log in to the Linux system.
Create a text file named openssl.cnf, and add the following code:
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = US
ST = ST
L = Locality
O = Organization
OU = Organization Unit
CN = hostname.domain.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname.domain.com
DNS.2 = alternatehostname.domain.com
Update the values of the following parameters according to your TLS policies: C, ST, L, O, and OU.
Remember
The value of CN, or one of the alt_names entries, must match the fully qualified domain name that is used in the browser to access the server.
At the command prompt, run the following command:
openssl req -new -nodes -config openssl.cnf -keyout hostname.key -out hostname.csr
Here, hostname.key is the private key for the web server and hostname.csr is the certificate request file.
Open the CSR file in a text editor, and add the begin and end tags to it. Your CSR file will look like this:
-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded request data)
-----END CERTIFICATE REQUEST-----
Back up the generated private key and CSR files.
Send the CSR to the certificate authority that your organization recommends.
Note
- Request the CA to send the signed certificate in the Base-64 encoded PEM format.
- Request the CA to provide the CA certificate with the .cer or .crt extension.
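The key and CSR creation described above, as an added example that is not part of this topic: a POSIX shell script that writes the openssl.cnf for a given CN and SAN list, runs the openssl req command, and then checks the CSR (self-signature, key match, FQDN present in subjectAltName) before it is sent to the CA. The function names and the scratch directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original topic): write the openssl.cnf shown
# above for a CN and SAN list, create the key and CSR, and check the CSR
# before it goes to the CA. Function names and the scratch directory layout
# are assumptions of this example.
set -eu

# write_req_config DIR CN [ALT_NAME ...]: write DIR/openssl.cnf; the CN is
# always listed as DNS.1 so that it also appears in subjectAltName.
write_req_config() {
  dir=$1; cn=$2; shift 2
  {
    printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = req_ext\nprompt = no\n\n[req_distinguished_name]\n'
    printf 'C = US\nST = ST\nL = Locality\nO = Organization\nOU = Organization Unit\n'
    printf 'CN = %s\n\n[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n' "$cn"
    i=1
    for name in "$cn" "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
    done
  } > "$dir/openssl.cnf"
}

# make_csr DIR: create DIR/hostname.key (unencrypted) and DIR/hostname.csr.
make_csr() {
  openssl req -new -nodes -config "$1/openssl.cnf" \
    -keyout "$1/hostname.key" -out "$1/hostname.csr" 2>/dev/null
}

# check_csr CSR KEY FQDN: succeed only if the CSR self-signature verifies,
# the CSR's public key belongs to KEY, and FQDN is one of the DNS SANs.
check_csr() {
  csr=$1; key=$2; fqdn=$3
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify"; return 1; }
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$csr_pub" = "$key_pub" ] || { echo "private key does not match CSR"; return 1; }
  openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$fqdn" || { echo "$fqdn is not in subjectAltName"; return 1; }
}

# Usage: generate into a scratch directory and check the result.
work=$(mktemp -d)
write_req_config "$work" hostname.domain.com alternatehostname.domain.com
make_csr "$work"
check_csr "$work/hostname.csr" "$work/hostname.key" hostname.domain.com \
  && echo "CSR ready to send: $work/hostname.csr"
```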
Verify the signed certificates that you receive from the CA:
If you receive the certificate in the .p7b format, run the following command to change the format to .cer:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- If you receive the certificate and private key in a *.pfx format, run the following OpenSSL commands to extract the certificate and private key for Apache:
Extract the private key:
openssl pkcs12 -in hostname.pfx -out hostname.key -nodes
The -nodes parameter removes the password from the private key.
Extract the certificate:
openssl pkcs12 -in hostname.pfx -clcerts -nokeys -out certificate.crt
- If you receive the certificate and private key in a *.pem format, run the following OpenSSL commands to extract the certificate and private key for Apache.
Extract the private key:
openssl pkey -in hostname.pem -out hostname.key
The key is written to hostname.key without a password; if the key in the PEM file is encrypted, OpenSSL prompts for its passphrase first.
- Extract the certificate:
  - Extract the certificate in a .der format:
openssl x509 -outform der -in hostname.pem -out certificate.der
  - Change the certificate format to .crt:
openssl x509 -inform der -in certificate.der -out hostname.crt
Where to go from here
Install the CA-signed certificate into the web server. For details, see Installing a CA-signed certificate into the embedded web server.