To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
The CSR needs to contain the following attributes:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
VeriSign recommends that you contact the Stronghold vendor for additional information.
Generate a Key Pair
Retail customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048 bit key size.
MPKI for SSL customers Note: The recommended key bit size is 2048-bit. All certificates that will expire after December, 2013 must have a 2048 bit key size.
Stronghold keys and certificates are managed through three scripts: genkey, getca and genreq. These are part of the normal Stronghold distribution. Keys and certificates are stored in the directory$SSLTOP/private/, where SSLTOP is typically /usr/local/ssl. To generate a key pair and CSR for your server:
- Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:
Key file: /usr/local/www/sslhostname.key
CSR file: /usr/local/www/sslhostname.cert
Note: If you already have a key for your server, run genreq [servername] to generate only the CSR.
- Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.
- When prompted, enter a key size in bits. We recommend using the largest key size available: 2048 bits.
- When prompted, enter random key strokes. Stop when the counter reaches zero and genkey beeps. This random data to create a unique public and private key pair.
- When prompted, enter y to create the key pair and CSR.
- Select VeriSign as your CA.
- Enter all of the information requested and press Enter. Back up your key file and CSR on a floppy disk and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your Secure Server ID and will need to request and purchase a new one from VeriSign.
- You have just created a key pair and a CSR. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
- Verify your CSR
- Go to Enrollment.