How to Generate a CSR for Red Hat Linux

A key pair must be created for the server before a CSR can be generated, and the key pair, the CSR and the digital certificate belong together: the certificate the CA issues is bound to the public key in the CSR, and only the matching private key can use it. If the private key file is lost or changed, or you forget the password that protects it, before the SSL certificate is installed, the SSL certificate will need to be re-issued. For the installation to succeed, the private key, the CSR and the digital certificate must all match.

Step 1: Generating the Private Key


  1. Use the cd command to move to the /etc/httpd/conf directory.
  2. As root, type in one of the following three commands to generate your key:

    A. If you're using Official Red Hat Linux Professional and you want to use the included password feature, type in the following command:

    make genkey


    Once your key is generated, you will be asked to enter and confirm a password; it encrypts the private key on disk. Your password should be at least eight characters, include numbers or punctuation, and should not be a dictionary word. Remember that your password is case sensitive.

    Please make note of your password because you will need to enter this password every time you start your secure Web server.

    B. Type the following command, all on one line, instead of "make genkey" to create your key if you are using Official Red Hat Linux Professional and you don't want to be required to type in a password every time you start your secure Web server:

    /usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048

    Then use the following command to set the correct permissions on your key:

    chmod go-rwx ssl.key/server.key

    If you use the above commands to create your key, you will not need to use a password to start your secure Web server. However, we don't recommend that you disable the password feature for your secure Web server: the key is then stored unencrypted, so anyone who obtains a copy of server.key (from a backup, a compromised account with read access, or a careless chmod) can impersonate your server without needing anything else.


    C. Type in the following single command all on one line if you are using Official Red Hat Linux Professional International Edition:

    /usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 2048

    Use a key size of at least 2048 bits: public CAs will not issue certificates for shorter RSA keys.

    If you're using Official Red Hat Linux Professional International Edition, you will not be required to enter a password, because genrsa without an encryption option (such as -aes256) writes the key unencrypted. Set the permissions on this file as described in B above (chmod go-rwx).

  3. Your key will be created and saved to a file named server.key.

    If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.

    If you're using Official Red Hat Linux Professional International Edition, server.key will be located in /etc/httpd/conf.

    The server.key file should be owned by root and must not be readable by any other user. Make a backup copy of this file and keep the backup copy in a safe place (encrypted, and with the same restrictive permissions). You need the backup copy because if you lose the server.key file after using it to create your CSR and purchase a certificate, your certificate will no longer work and we will not be able to help you. Your only option would be to apply for a new certificate.

Step 2: Create the Certificate Signing Request


  1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:

    A. Type in the following command if you're using Official Red Hat Linux Professional:

    make certreq

    B. Type in the following single command (all on one line) if you're using Official Red Hat Linux Professional International Edition:

    /usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr

  2. You will be prompted for your password (if you used a password when you generated your key). Type in the password, if necessary.

  3. You'll see some instructions and you will be prompted for responses for the following X.509 attributes of the certificate (Your inputs will be incorporated into the CSR):

    a. Country Name: Use the two-letter code without punctuation for country, for example: US

    b. State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Ohio

    c. Locality or City: The locality field is the city or town, for example: Atlanta

    d. Company (Organization): The legally registered name of your company. If the name has an &, @, or any other symbol in it, you must spell it out or omit the characters to enroll.

    e. Organizational Unit: This field is optional but can be useful in helping identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or unit within the organization that is making the request.


    f. Common name: The Common Name is the fully qualified host name, Host + Domain, exactly as users will type it in the browser. It looks like "www.company.com" or "company.com".

    SSL certificates can only be used on the Web server for the Common Name specified during enrollment; the browser compares the name in the URL with the name in the certificate character for character. For example, a certificate issued for "domain.com" will produce a host-name mismatch warning when the site is accessed as "www.domain.com" or "secure.domain.com", because those names differ from the enrolled name, "domain.com". Modern browsers actually check the Subject Alternative Name extension rather than the CN; the CA populates it from the Common Name you enter here, so the same rule applies.

    Please do not enter your email address, challenge password or an optional company name when generating the CSR.

  4. A file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory when you've finished entering your information.

  5. You have just created a key pair and a CSR.

  6. Verify your CSR before submitting it: check that the file begins with "-----BEGIN CERTIFICATE REQUEST-----" and ends with "-----END CERTIFICATE REQUEST-----", that the subject fields (especially the Common Name) are exactly what you entered, and that the CSR was generated from the server.key you intend to keep.

  7. The server.csr file contains your certificate request. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended) to copy and paste the information into the enrollment form.
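The whole procedure above, as an added example that is not part of the original article: it generates a 2048-bit key with root-only permissions, creates the CSR non-interactively by passing the X.509 attributes with -subj instead of answering the prompts, and then performs the checks a practitioner wants before pasting the CSR into the enrollment form: that the CSR's self-signature verifies, that the public key in the CSR matches the private key (so the issued certificate will work with server.key), and that the key size and Common Name are what you expect. The working directory, file names and subject values are assumptions for illustration; substitute /etc/httpd/conf paths and your own organization details.

```shell
#!/bin/sh
# Added example (not the article's own commands). Assumes the openssl CLI is installed.
# Key, CSR and subject values below are constructed for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
# Hypothetical organization; use your own registered name and host name.
SUBJECT="/C=US/ST=Ohio/L=Atlanta/O=Example Company/OU=Web Operations/CN=www.example.com"

# Step 1: private key. Like the "no password" variants in the article, the key is written
# unencrypted (add -aes256 to encrypt it). The umask makes the file owner-only from the
# moment it is created, which is safer than chmod after the fact.
gen_key() {
    key="$1"
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
}

# Step 2: CSR. -subj supplies the attributes the interactive prompts would ask for;
# no e-mail address, challenge password or optional company name is included.
gen_csr() {
    key="$1"; csr="$2"; subject="$3"
    openssl req -new -key "$key" -out "$csr" -subj "$subject"
}

# Check 1: the CSR is self-signed with the private key; -verify fails if it is corrupt.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 2: the CSR carries the public key. Its RSA modulus must equal the private key's,
# otherwise the certificate the CA issues will not match server.key.
csr_matches_key() {
    key="$1"; csr="$2"
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    csr_mod=$(openssl req -in "$csr" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Check 3: the Common Name the CA will put on the certificate (works with both the
# "/CN=" and "CN = " subject formats that different OpenSSL versions print).
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Check 4: RSA key size in bits, parsed from the "Private-Key: (N bit...)" line.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

gen_key "$KEY"
gen_csr "$KEY" "$CSR" "$SUBJECT"

csr_self_signature_ok "$CSR" || { echo "CSR self-signature does not verify" >&2; exit 1; }
csr_matches_key "$KEY" "$CSR" || { echo "CSR does not match $KEY" >&2; exit 1; }
[ "$(key_bits "$KEY")" -ge 2048 ] || { echo "key shorter than 2048 bits" >&2; exit 1; }

echo "CSR for CN=$(csr_common_name "$CSR") written to $CSR ($(key_bits "$KEY")-bit RSA key in $KEY)"
# What you paste into the enrollment form:
cat "$CSR"
```

Run it as root (so the files are root-owned) and keep both server.key and the printed CSR; the modulus comparison in csr_matches_key is also the quickest way to confirm, after the certificate arrives, that it belongs to the key still on the server (replace `openssl req` with `openssl x509 -in server.crt -noout -modulus`).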