Page tree

Skip to end of metadata
Go to start of metadata

To obtain a signed certificate from a certification authority (CA), you must create a private key and a Certificate Signing Request (CSR) for the domain name or host name on your web server. The private key is initially used to generate a CSR and later to secure and verify connections by using the certificate that is obtained from CA. This topic explains the process of creating the private key and CSR file by using OpenSSL.

You can use these instructions as a reference. However, it is recommended to consult the security department of your organization who can provide you the required signed certificate or can guide you for using the recommended method to request for a signed certificate.

Before you begin

Ensure that OpenSSL is installed in your environment.

To create a private key and CSR

  1. Log in to the Linux system.
  2. Create a text file named openssl.cnf, and add the following code:

    [req]
    default_bits = 2048
    default_md = sha256
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [req_distinguished_name]
    C = US
    ST = ST
    L = Locality
    O = Organization
    OU = Organization Unit
    CN = hostname.domain.com
    [req_ext]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = hostname.domain.com
    DNS.2 = alternatehostname.domain.com
  3. Update the values of the following parameters according to your TLS policies: C, ST, L, O, and OU.

    Remember

    The value for the CN or alt_names parameter must match with the fully qualified domain name that is used in the browser to access the server.

  4. At the command prompt, run the following command:

    openssl req -new -nodes -config openssl.cnf -keyout hostname.key -out hostname.csr

    Where, hostname.key is the private key for the web server, and hostname.csr is the certificate request file.

  5. Open the CSR file in a text editor, and add the begin and end tags to it. Your CSR file will look like this:

    -----BEGIN CERTIFICATE REQUEST-----

    MIIDEDCCAfgCAQAwZTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlNUMREwDwYDVQQH

    DAhMb2NhbGl0eTEVMBMGA1UECgwMT3JnYW56aWF0aW9uMR8wHQYDVQQDDBZjbG0t

    cHVuLTAxNjE0Mi5ibWMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

    AQEAxvJgROVORIuZGCyjfPriphn5vzKT4RxTH50rNDc8FRV6St+2gWDRtY+q9GaF

    ZBrJY88KwTlw8E9rWaGylUmovbdcYZTkC912vr4WkMUbX9/Ch5vYX+7ZndFOQ1wX

    8EJE6dysLVF1xet4CiHIorUKK85eYrnV7oZ2m4guUWb+qlUjGQVbEQtkCKdtz1s6

    xdi+6ZVm5ObO0cEvffnk87id17GScYyKx/oayHO0KrJqFtwDIR/Q9UWs/Df0nIJb

    ynLe8O+3mJDQy8LE37wKBmi/cpAdZ1/zQ1YmQ4+GS0cy8U+tDCUimBwnKwIn0q8g

    n3RtycAOEKDV0/aA8zAkc9YbgwIDAQABoGYwZAYJKoZIhvcNAQkOMVcwVTBTBgNV

    HREETDBKghZjbG0tcHVuLTAxNjE0Mi5ibWMuY29tghZjbG0tcHVuLTAxNjE0MS5i

    bWMuY29tghhjbG0tcHVuLTAxNjE0Mi5ibW1zdXAueHkwDQYJKoZIhvcNAQELBQAD

    ggEBAAO3yW5s13FaQ1FIa+A886RuNb1CYIekVN3civdeEe1/zsG9+AjxXSIpNN+K

    P+CbNgFQWWeNYXpzQaPWonueGTRyjSNkapQoajRdX7HWNJSco5rU4rj1sk1Lh0T8

    LwCHzH4m9h6+KdOeIsmDvylQ7BiSlgTXG5He42e5dKiK+s5HS/m4aDtzuYTByzxi

    JjS3jEtHly0p5zYLaQ8VuqIwHQBmS4EjqCCQ+LDrOBPdZrYCt7kmR04NSFduQR25

    glzvozSgsaQxL/JTCfwygtGgxr1dc1U9O6fzicdgg95B2hYLZQEsvapl6/lZ35wp

    rQffX71gQR3ezQebQN58dtzcTnU=

    -----END CERTIFICATE REQUEST-----

  6. Back up the generated private key and CSR files.

  7. Send the CSR to the certificate authority that your organization recommends.

    Note

    • Request the CA to send the signed certificate in the Base-64 encoded PEM format.
    • Request the CA to provide the CA certificate with the .cer or .crt extension.
  8. Verify the signed certificates that you receive from the CA:

    • If you receive the certificate in the .p7b format, run the following command to change the format to .cer:

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

    • If you receive the certificate and private key in a *.pfx format, run the following OpenSSL commands to extract the certificate and private key for Apache:
      • Extract the private key:
        openssl pkcs12 -in hostname.pfx -out hostname.key -nodes
        The -nodes parameter removes the password from the private key. 

      • Extract the certificate:
        openssl pkcs12 -in hostname.pfx -clcerts -nokeys -out certifcate.crt

    • If you receive the certificate and private key in a *.pem format, run the following OpenSSL commands to extract the certificate and private key for Apache. 
      • Extract the private key:
        openssl pkcs12 -in hostname.pem -out hostname.key -nodes
        The -nodes parameter removes the password from the private key. 

      • Extract the certificate:
        1. Extract the certificate in a .der format:
          openssl x509 -outform der -in hostname.pem -out certificate.der
        2. Change the certificate format to .crt:
          openssl x509 -inform der -in hostname.der -out hostname.crt

Where to go from here

Install the CA-signed certificate into the web server. For details, see Installing a CA-signed certificate into the embedded web server.