To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
Step 1: Create a Keystore and Private Key
Note: The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048 bit key size
Please use JDK 1.3.1 or later:
If you are running a 1.3 JVM, download JSSE 1.0.2 (or later) from
http://java.sun.com/products/jsse/ . Make it either an installed extension on the system or set an environment variable JSSE_HOME that points to the directory where JSSE is installed.
1. Create a certificate keystore and private key by executing the following command:
Unix: $JAVA_HOME/bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> -keysize 2048
This command will prompt for the following X.509 attributes of the certificate:
First and last name (Common Name (CN)): Enter the domain of your website (i.e. www.myside.org) in the "first- and lastname" field.. It looks like "www.company.com" or "company.com".
Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California
Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corportation would be XYZ Corporation
Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
2. Specify a password. The default value will be "changeit".
For further information, please refer to the
Tomcat Web site.
Step 2: Generate a CSR
1. The CSR is then created using the following command:
keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
3. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
NOTE: When enrolling for your certificate, you will be prompted to select a server platform. Please select Apache as the server platform to ensure that you receive the certificate in the correct format.