How to Generate a CSR for Apache Servers

You will need to create a key pair for your server to generate a CSR. These two items are a digital certificate key pair and must not be separated. Losing your public/private key file or password will result in you havinf to generate a new one, causing your SSL Certificate to no longer match. You will have to order a new SSL Certificate and which may result in a charge.

Step 1: Generate Private Key

Type the following command at the prompt:

openssl genrsa -des3 -out (private key file name).key 2048

This command generates a 2048 bit RSA private key and stores it in the file www.mydomain.com.key.

When prompted for a pass phrase: Enter a secure password and remember it for this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

NOTE: Omit the -des3 option when generating the private key to bypass the pass phrase requirement.

Step 2: Generate the CSR

Type the following command at the prompt:

openssl req -new -key (private key file name).key -out (csr file name).csr

This command will prompt for the following X.509 attributes of the certificate:

a. Country Name: Use the two-letter code without punctuation for country, for example: US

b. State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Ohio

c. Locality or City: The locality field is the city or town, for example: Atlanta

d. Company: If your company or department have an &, @, or any other symbol in its name, you must spell it out or omit the characters to enroll.

e. Organizational Unit: This field is optional but can be useful in helping identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization or department unit making the request.

f. Common name: The Common Name is the Host + Domain name. It looks like "www.company.com" or "company.com"

SSL certificates can only be used on the Web server using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because the URLs are different than the original domain name, "domain.com".

When generating the CSR, please do not enter an email address, challenge password, or an optional company name.

A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.
Open the file in a text editor such as Notepad or Vi to copy and paste the information into the enrollment form. Be sure to save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.

Verify your CSR

Step 3: Backup the private key

It is recommended to back up the .key file and to store the corresponding pass phrase. It is a good idea to create a copy of this file onto a diskette or other removable media. It is also a good idea to back up the private key in the event of a server failing although it is not required to do so.