How to Generate a CSR for Stronghold

A key pair must be created for the server in order to generate a CSR. It is important for the key pair and the digital certificate to not be separated. If the password or the public/private key file is lost or amended before the SSL certificate is installed, the SSL certificate will need to be re-issued. In order for the installation to be successful, the private key, CSR, and the digital certificate must all match.

The CSR needs to contain the following attributes:

a. Country Name: Use the two-letter code without punctuation for country, for example: US

b. State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Ohio

c. Locality or City: The locality field is the city or town, for example: Atlanta

d. Company: If your company or department have an &, @, or any other symbol in its name, you must spell it out or omit the characters to enroll.

e. Organizational Unit: This field is optional but can be useful in helping identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization or department unit making the request.

f. Common name: The Common Name is the Host + Domain name. It looks like "" or ""

NOTE: SSL certificates can only be used on the Web server using the Common Name specified during enrollment. For example, a certificate for the domain "" will receive a warning if accessing a site named "" or "", because the URLs are different than the original domain name, "".

Generate a Key Pair

  1. Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate: Key file: /usr/local/www/sslhostname.key CSR file: /usr/local/www/sslhostname.cert

    Note: If you already have a key for your server, run genreq [servername] to generate only the CSR.

  2. Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.

  3. Enter a key size in bits when prompted. We recommend using the largest key size available: 2048 bits.

  4. Enter random key strokes when prompted. Stop when the counter reaches zero and genkey beeps. This random data to create a unique public and private key pair.

  5. Enter y to create the key pair and CSR when prompted.

  6. Select you Certificate Authority or certificate brand.

  7. Enter all of the information requested and press Enter. Back up your key file and CSR on a floppy disk and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your Secure Server ID and will need to request and purchase a new one.

  8. You have just created a key pair and a CSR. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended) to copy and paste the information into the enrollment form.

  9. Verify your CSR