To generate your CSR, you will need to log in to your server and use the OpenSSL software to generate a CSR and private key.

  1. Log in to your server, and enter the following command:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr

This will generate two files: a CSR called ‘server.csr’ and a 2048-bit private key called ‘myserver.key’.

  2. You will be prompted to enter some information for your CSR:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: MA
Locality Name (eg, city) []: Boston
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:

Please enter the following ‘extra’ attributes to be sent with your certificate request

A challenge password []:
An optional company name []:

The ‘CN’ field (Common Name) is where you should enter the fully qualified domain name of the website you require the certificate for.
Note: for wildcard certificates, the Common Name should be in the format: *.mydomain.com

  3. Your CSR is now generated. Open the ‘server.csr’ file with a text editor and copy and paste the contents into the enrollment form when requested.

Notes:
The ‘myserver.key’ file should be kept secure (e.g. readable only by root on Linux systems).

Removing the ‘-nodes’ option from the openssl command will request a password and encrypt the private key. This can increase security, but note that the password will be required each time Apache is restarted.

EV certificates require a minimum of a 1024-bit keysize if valid before 2011, and 2048-bit if they are valid into 2011. We recommend that a 2048-bit keysize is the minimum used for all certificates.
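
The steps and notes above as a non-interactive script (an added example, not part of the original guide): it generates the key and CSR with this page's file names and sample subject, signs the request with SHA-256, and checks the result before the CSR is pasted into the enrollment form. The helper names make_csr, pub_fp and check_csr are hypothetical and introduced here.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. File names and subject values are
# the page's samples; the function names and checks are this example's own.

make_csr() {   # usage: make_csr <dir> <common-name>
  ( umask 077  # key file is created readable by its owner only
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
      -keyout "$1/myserver.key" -out "$1/server.csr" \
      -subj "/C=US/ST=MA/L=Boston/O=MyCompany Ltd/OU=IT/CN=$2" 2>/dev/null )
}

# SHA-256 of the DER form of a PEM public key read from stdin.
pub_fp() { openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1; }

check_csr() {  # usage: check_csr <dir> <expected-cn>; prints OK or the first problem
  local key=$1/myserver.key csr=$1/server.csr cn=$2 text bits subj
  # Self-signature must verify; a CSR damaged in copy/paste fails here.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "bad CSR signature"; return 1; }
  # The CSR must carry the public half of the key that will be installed.
  [ "$(openssl req -in "$csr" -noout -pubkey | pub_fp)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null | pub_fp)" ] \
    || { echo "key mismatch"; return 1; }
  text=$(openssl req -in "$csr" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key smaller than 2048 bits"; return 1; }
  if printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha1'; then
    echo "CSR signed with SHA-1"; return 1
  fi
  # Trailing comma added so the CN matches whole, wherever it sits in the subject.
  subj="$(openssl req -in "$csr" -noout -subject -nameopt RFC2253),"
  case $subj in *"CN=$cn,"*) ;; *) echo "unexpected CN"; return 1 ;; esac
  # Characters 5-10 of `ls -l` are the group/other permission bits.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "key readable by group/other"; return 1; }
  echo OK
}

# Demo in a throwaway directory (constructed input, removed afterwards).
demo_dir=$(mktemp -d)
make_csr "$demo_dir" mysubdomain.mydomain.com && check_csr "$demo_dir" mysubdomain.mydomain.com
rm -rf "$demo_dir"
```

For a wildcard request, pass the Common Name quoted, e.g. '*.mydomain.com', to both functions.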
