Generate a CSR with OpenSSL
This article shows how to create a certificate signing request (CSR) for an SSL certificate, whether it’s a traditional SSL from an authority like Verisign, a self-signed certificate, or the ‘*’ Wildcard certificate. Most of the information is taken from RapidSSL’s support documentation.
The Rackspace Cloud is not a certificate authority (and does not resell SSL certificates), so you need to go to a third party solution,such as RapidSSL, to purchase a certificate using the CSR that you create here.
You must install OpenSSL on your server. This is a common package and is available on all of the major Linux distributions through their package installers.
To check whether it is installed on a system that uses
yum (such as CentOS or Red Hat
Enterprise Linux), run the following command.
rpm -qa | grep -i openssl
The preceding command should return the following or similar packages:
openssl-1.0.1e-48.el6_8.1.x86_64 openssl-devel-1.0.1e-48.el6_8.1.x86_64 openssl-1.0.1e-48.el6_8.1.i686
If these packages are not returned, install OpenSSL by running the following command:
yum install openssl openssl-devel
To check whether OpenSSL is installed in a Debian or Ubuntu system, run the following command:
dpkg -l |grep openssl
You should receive the following output.
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - OpenSSL wrapper ii openssl 1.0.1f-1ubuntu2.16 amd64 Secure Sockets Layer toolkit - cryptographic utility
If you don’t see the expected output, install OpenSSL, run the following command:
apt-get install openssl
Generate the RSA key
Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:
mkdir ~/domain.com.ssl/ cd ~/domain.com.ssl/
Run the following command to generate a private key:
openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Create a CSR
Type the following command to create a CSR with the RSA private key (output is in PEM format):
openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.
Note: The following characters cannot be used in the
Organization Name or the
Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
|Common Name||The fully qualified domain name for your web server. This must be an exact match.||If you intend to secure the URL
|Organization Name||The exact legal name of your organization. Do not abbreviate your organization name.||domain.com|
|Organizational Unit||Section of the organization.||IT|
|City or Locality||The city where your organization is legally located.||Wellesley Hills|
|State or Province||The state or province where your organization is legally located. Do not use an abbreviation.||Massachusetts|
|Country||The two-letter ISO abbreviation for your country.||US|
Warning: Leave the challenge password blank (press Enter).
Verify your CSR
Run the following command to verify your CSR:
openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
Submit your CSR
Submit the CSR that you created to a certificate authority. We recommend Verisign, Thawte and RapidSSL, but there are other certificate authorities that you can choose to use.
Next section - Install an SSL certificate on Apache
Continue the conversation in the Rackspace Community.
©2016 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License