Certificate Signing Request (CSR) Generation - Official Red Hat Linux Apache/SSL Server
The process of creating a key and a CSR is easy and should only take a few minutes.
Please note that the correct commands will depend upon whether you own the Official Red
Hat Linux Professional boxed set or the Official Red Hat Linux Professional, International
Edition, boxed set.
Generating a Key
- Use the cd command to move to the /etc/httpd/conf directory.
- As root, type in one of the following three commands to generate your key:
- If you're using Official Red Hat Linux Professional and you want to use the included
password feature, type in the following command:
make genkey
Your key will be generated and you will be asked to enter and confirm a password. Your
password should be at least eight characters, should include numbers or punctuation and
should not be a word in a dictionary. Also, remember that your password is case sensitive.
Please note that you will need to remember and enter this password every time you start
your secure Web server, so don't forget it.
- If you're using Official Red Hat Linux Professional and you don't want to be required to
type in a password every time you start your secure Web server, use the following command
instead of make genkey to create your key (note that the following command should
be typed in all on one line):
/usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 1024
Then use the following command to set the correct permissions on your key:
chmod go-rwx ssl.key/server.key
If you use the above commands to create your key, you will not need to use a password to
start your secure Web server. However, we don't recommend that you disable the password
feature for your secure Web server, since it decreases the level of security for your
server.
- If you're using Official Red Hat Linux Professional, International Edition, type in the
following single command, all on one line:
/usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 1024
You will not be required to enter a password if you're using Official Red Hat Linux
Professional, International Edition.
- Your key will be created and saved to a file named server.key. If you're using
Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key
directory. If you're using Official Red Hat Linux Professional, International Edition, server.key
will be located in /etc/httpd/conf.
The server.key file should be owned by root and should not be accessible to any
other user. Make a backup copy of this file and keep the backup copy in a safe, secure
place. You need the backup copy because if you lose the server.key file after
using it to create your CSR and purchase a certificate, your certificate will no longer
work and we will not be able to help you. Your only option would be to apply for a new
certificate.
Generating a CSR
After you've created a key, you can create a CSR.
- In the /etc/httpd/conf directory, become root and type in one of the following
two commands:
If you're using Official Red Hat Linux Professional, type in the following command:
make certreq
If you're using Official Red Hat Linux Professional, International Edition, type in the
following single command (all on one line):
/usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr
- You will be prompted for your password (if you used a password when you generated your
key). Type in the password, if necessary.
- You'll see some instructions and you will be prompted for responses. Your inputs will be
incorporated into the CSR. The complete display, with example responses, will look like
this:
You are about to be asked to enter information
that will be incorporated into your certificate
request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave
some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
---
Country Name (2 letter code) [US]: GB
State or Province Name []: UK installations can use County name
Locality (City) Name []: Your city or . if not desired
Company (Organisation) Name []: Your organisation name
Department Name []: Your Department name or . if not desired
Server Host Name []: fully qualified domain name e.g. test.mydomain.com
Administrators E-mail address []: leave this blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The default answers appear in brackets [] immediately after each request for
input. For example, the first information required is the name of the country where the
certificate will be used:
Country Name (2 letter code) [US]:
The default input, in brackets, is US. To accept the default, just press Enter or
fill in the correct two-letter ISO code for your country.
You will have to type in the rest of the inputs (State or Province Name, Locality
(City) Name, Company (Organisation) Name, Department Name, Server
Host Name and Administrator's e-mail address). All of these should be
self-explanatory but you need to follow these guidelines:
- For Server Host Name, make sure you type in the real name of
your secure Web server (a valid DNS name) and not any aliases which the server may have.
- Avoid any special characters like @, #, &, !, etc. Special
characters can sometimes cause problems in CSRs. So if your company name includes an
ampersand (&), spell it out as "and" instead of "&."
- You don't need to use either of the extra attributes (A challenge password and An
optional company name). To continue without entering these fields, just press Enter
to accept the blank default for both inputs.
- When you've finished entering your information, a file named server.csr will be
created. If you're using Official Red Hat Linux Professional, server.csr will be
located in the /etc/httpd/conf/ssl.csr directory. If you're using Official Red
Hat Linux Professional, International Edition, server.csr will be located in /etc/httpd/conf.
The server.csr file contains your certificate request, ready to be included in
the enrolment web form.
When you paste the certificate request into the enrolment web form, be sure to copy the
entire text of the request, including the
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
lines, but don't include any leading or trailing whitespace before the beginning and
after the ending hyphens.
- If you need more information, see the documentation included with your boxed set.
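The key and CSR steps above as a non-interactive script, with the checks a practitioner wants before pasting the request into the enrolment form. This is an added example, not part of the original document or of the Red Hat "make genkey" / "make certreq" targets. It assumes the openssl CLI is on PATH, takes the directory as a parameter instead of /etc/httpd/conf, and generates a 2048-bit key instead of the 1024-bit key the page specifies, since CAs no longer accept 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example, not from the original document: key generation, CSR generation
# and the pre-enrolment checks as shell functions. Assumes openssl is on PATH.
# DIR replaces the page's /etc/httpd/conf; 2048-bit RSA replaces the page's 1024.

# make_csr DIR FQDN ORG [COUNTRY] [STATE] [CITY] [DEPT]
# Writes DIR/server.key (unreadable by group and others) and DIR/server.csr.
# A "." in an optional field means "leave blank", as at the interactive prompts.
make_csr() {
    dir=$1; fqdn=$2; org=$3
    country=${4:-GB}; state=${5:-.}; city=${6:-.}; dept=${7:-.}
    # Key generation. Modern OpenSSL seeds itself from the OS, so the page's
    # "-rand /dev/urandom" is no longer needed. The subshell confines the umask.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    chmod go-rwx "$dir/server.key"
    # Build the Distinguished Name in the "/C=.../CN=..." form that -subj expects,
    # skipping any field the caller left as ".".
    subj="/C=$country"
    for rdn in "ST=$state" "L=$city" "O=$org" "OU=$dept" "CN=$fqdn"; do
        case $rdn in *=.) ;; *) subj="$subj/$rdn" ;; esac
    done
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$subj" 2>/dev/null
}

# csr_cn FILE: print the Common Name (Server Host Name) recorded in the request.
# RFC2253 formatting is requested because the default output differs across versions.
csr_cn() {
    openssl req -noout -subject -in "$1" -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_check FILE FQDN: succeeds only if the request's self-signature verifies and
# its CN is the server's real DNS name rather than an alias.
csr_check() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    [ "$(csr_cn "$1")" = "$2" ]
}

# csr_pem FILE: print exactly what goes into the enrolment form: the BEGIN line
# through the END line inclusive, with leading and trailing whitespace stripped.
csr_pem() {
    sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1" \
        | sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p'
}
```

Run it as, for example, `make_csr /tmp/ssl test.mydomain.com "Example and Sons Ltd" GB . London .` and then `csr_check /tmp/ssl/server.csr test.mydomain.com` before submitting `csr_pem /tmp/ssl/server.csr`.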
Copyright © Trustis Limited 2010. All Rights Reserved.
This document is licensed for use only in conjunction with the use of Trustis Trust Services.