★ CSR FAQ

Generating a CSR

This page is intended for customers who use our dedicated servers running Linux. Our Linux dedicated servers uses Apache and mod_ssl. The following discusses how to generate a Certificate Signing Request (CSR) so that you obtain a SSL certificate from a valid certificate signing authority.
Key and CSR Generation Instructions

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. When you want to access your website through https://www.virtualhost.com/ then the FQDN of your website is www.virtualhost.com.
Second, select five large and relatively random files from your hard drive (compressed log files are a good start). These will act as your random seed enhancers. We refer to them as file1:file2:...:file5 below.
Generate the Key with the following command:
$ openssl genrsa -des3 \ -rand file1:file2:...:file5 \ -out www.virtualhost.com.key 1024

This command will generate 1024 bit RSA Private Key and stores it in the file www.virtualhost.com.key. It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option above.
Now PLEASE backup your www.virtualhost.com.key file and make a note of the pass phrase. A good choice is to backup this information onto a diskette or other removeable media.
Generate the CSR with the following command:
$ openssl req -new \ -key www.virtualhost.com.key \ -out www.virtualhost.com.csr

This command will prompt you for the X.509 attributes of your certificate. Remember to give the name www.virtualhost.com when prompted for `Common Name (eg, YOUR name)'. Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers).
Generate a temporary self-signed Certificate:
$ openssl x509 -req -days 30 \ -in www.virtualhost.com.csr \
-signkey www.virtualhost.com.key \ -out www.virtualhost.com.crt

This command will generate a certificate a self-signed certificate in www.virtualhost.com.crt which can be used as a temporary certificate while you are waiting for a real certificate from certificate signing authority.

You will now have a RSA Private Key in www.virtualhost.com.key and a Certificate Signing Request in www.virtualhost.com.csr. The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with mod_ssl. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:

Installation

The file www.virtualhost.com.crt is your self-signed certificate. You can use it as a temporary certificate while you are waiting for a real certificate from the certificate signing authority. You install it by updating the virtual host section of your Apache configuration for www.virtualhost.com as follows:

SSLCertificateFile /path/to/your/www.virtualhost.com.crt
SSLCertificateKeyFile /path/to/your/www.virtualhost.com.key

When you receive your real certificate, you will install it in place of your self-signed certificate at
/path/to/your/www.virtualhost.com.crt

Remember to restart the web server by

$ /etc/init.d/httpd stop $ /etc/init.d/httpd start

You will need to supply the pass phrase when the web server starts up. To access your SSL web site, remember to use (note the https): https://www.virtualhost.com

If you want to avoid the passphrase prompt on start, you will need to decrypt the SSL key file with this:

$ openssl rsa -in host.key -out host.de.key

Then, remember to change the httpd.conf file to use this decrypted key (instead of the original encrypted version).

If you need help, please contact us