Apache Mod SSL


Generating a Certificate Signing Request (CSR) Using Apache Mod SSL

Please note: as of January 2011, all CSRs must be generated with a key length of 2048 bits.

A CSR is a file containing your certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the web form in the enrollment process.

Step 1: Generate a Key Pair

Note: A key length of 1024 bits is the default; you will need to change this to a 2048 bit key.

The utility “openssl” is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed it elsewhere, you will need to adjust these instructions appropriately.

Type the following command at the prompt for a non-encrypted key:

openssl genrsa -out www.yourdomain-example.com.key 2048

For an encrypted key, use the command below:

Note: The Windows version of openssl is not compatible with password protected keys.

openssl genrsa -des3 -out www.yourdomain-example.com.key 2048

This command generates a 2048 bit RSA private key and stores it in the file www.yourdomain-example.com.key.

When prompted for a pass phrase, enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

Step 2: Generate the CSR

Type the following command at the prompt:

openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr

You will now be asked for the details that go into your CSR. What you are about to enter is called a Distinguished Name, or DN. Some fields have a default value. If you enter ‘.’, the field will be left blank.

-----

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Your State; do not abbreviate the state or province name
Locality Name (eg, city): Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
Organizational Unit Name (eg, section): IT
Common Name (eg. YOUR name): www.domain.com
Email Address: someone@somewhere.com

Please enter the following ‘extra’ attributes to be sent with your certificate request.

A challenge password:
An optional company name:

-----

Use the name of the web server as the Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name).

The email address, optional company name and challenge password fields can be left blank for a web server certificate.

Your CSR has now been created. Open the CSR file generated in Step 2 in a text editor and copy and paste the contents into the online enrollment form when requested.
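
Before pasting the CSR into the enrollment form, it is worth confirming that the file is intact, carries a 2048 bit key and was generated from the private key that stays on the server. The script below is an added example, not part of the original instructions; the function names csr_key_bits, check_csr and make_sample are hypothetical, and it assumes the non-encrypted key from Step 1.

```shell
#!/bin/sh
# Added example: sanity-check a key/CSR pair before submitting the CSR.

# Print the size in bits of the public key embedded in a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# check_csr KEY CSR [MIN_BITS]   (hypothetical helper)
# Returns 0 only if the CSR's self-signature verifies, its key has at least
# MIN_BITS bits (default 2048) and it was generated from KEY.
# Assumes an unencrypted key; a -des3 key makes openssl ask for the pass phrase.
check_csr() {
    key=$1 csr=$2 min_bits=${3:-2048}

    # 1. Self-signature: catches a truncated or altered CSR file. Match on the
    #    message, because some OpenSSL releases exit 0 even on a failed verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify" >&2; return 1; }

    # 2. Key length: the 1024 bit default no longer meets the requirement.
    bits=$(csr_key_bits "$csr")
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL: ${bits:-unknown} bit key, need $min_bits" >&2; return 1; }

    # 3. Key match: the RSA modulus of the key and of the CSR must be identical.
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ] ||
        { echo "FAIL: CSR was not generated from this key" >&2; return 1; }

    echo "OK: $(openssl req -in "$csr" -noout -subject)"
}

# make_sample DIR: Steps 1 and 2 run non-interactively with constructed DN
# values. umask 077 keeps the unencrypted key readable by its owner only.
make_sample() {
    ( umask 077
      openssl genrsa -out "$1/www.yourdomain-example.com.key" 2048 2>/dev/null &&
      openssl req -new -key "$1/www.yourdomain-example.com.key" \
          -out "$1/www.yourdomain-example.com.csr" \
          -subj "/C=US/ST=Your State/L=Your City/O=Your Company Name/CN=www.yourdomain-example.com" )
}
```

Run check_csr www.yourdomain-example.com.key www.yourdomain-example.com.csr after Step 2; a non-zero exit status means the CSR should be regenerated rather than submitted.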

Step 3: Backup Your Private Key

No-IP recommends backing up the .key file and storing the corresponding pass phrase. A good choice is to copy this file onto a diskette or other removable media. While backing up the private key is not required, having a backup will be helpful in the event of server failure.