Certificate Signing Request (CSR) Generation - Official Red Hat Linux Apache/SSL
The process of creating a key and a CSR is easy and should only take a few minutes.
Please note that the correct commands will depend upon whether you own the Official Red
Hat Linux Professional boxed set or the Official Red Hat Linux Professional, International
Edition, boxed set.
Generating a Key
- Use the cd command to move to the /etc/httpd/conf directory.
- As root, type in one of the following three commands to generate your key:
- If you're using Official Red Hat Linux Professional and you want to use the included
password feature, type in the following command:
Your key will be generated and you will be asked to enter and confirm a password. Your
password should be at least eight characters, should include numbers or punctuation and
should not be a word in a dictionary. Also, remember that your password is case sensitive.
Please note that you will need to remember and enter this password every time you start
your secure Web server, so don't forget it.
- If you're using Official Red Hat Linux Professional and you don't want to be required to
type in a password every time you start your secure Web server, use the following command
instead of make genkey to create your key (note that the following command should
be typed in all on one line):
/usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 1024
Then use the following command to set the correct permissions on your key:
chmod go-rwx ssl.key/server.key
If you use the above commands to create your key, you will not need to use a password to
start your secure Web server. However, we don't recommend that you disable the password
feature for your secure Web server, since it decreases the level of security for your
- If you're using Official Red Hat Linux Professional, International Edition, type in the
following single command, all on one line:
/usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 1024
You will not be required to enter a password if you're using Official Red Hat Linux
Professional, International Edition.
- Your key will be created and saved to a file named server.key. If you're using
Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key
directory. If you're using Official Red Hat Linux Professional, International Edition, server.key
will be located in /etc/httpd/conf.
The server.key file should be owned by root and should not be accessible to any
other user. Make a backup copy of this file and keep the backup copy in a safe, secure
place. You need the backup copy because if you lose the server.key file after
using it to create your CSR and purchase a certificate, your certificate will no longer
work and we will not be able to help you. Your only option would be to apply for a new
Generating a CSR
After you've created a key, you can create a CSR.
- In the /etc/httpd/conf directory, become root and type in one of the following
If you're using Official Red Hat Linux Professional, type in the following command:
If you're using Official Red Hat Linux Professional, International Edition, type in the
following single command (all on one line):
/usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out
- You will be prompted for your password (if you used a password when you generated your
key). Type in the password, if necessary.
- You'll see some instructions and you will be prompted for responses. Your inputs will be
incorporated into the CSR. The complete display, with example responses, will look like
You are about to be asked to enter information
that will be incorporated into your certificate
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]: GB
State or Province Name : UK installations can use County name
Locality (City) Name : Your city or . if not desired
Company (Organisation) Name : Your organisation name
Department Name : Your Department name or . if not desired
Server Host Name : fully qualified domain name e.g. test.mydomain.com
Administrators E-mail address : leave this blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
The default answers appear in brackets  immediately after each request for
input. For example, the first information required is the name of the country where the
certificate will be used:
Country Name (2 letter code) [US]:
The default input, in brackets, is US. To accept the default, just press Enter or
fill in the correct two-letter ISO code for your country.
You will have to type in the rest of the inputs (State or Province Name, Locality
(City) Name, Company (Organisation) Name, Department Name, Server
Host Name and Administrator's e-mail address). All of these should be
self-explanatory but you need to follow these guidelines:
- For Server Host Name, make sure you type in the real name of
your secure Web server (a valid DNS name) and not any aliases which the server may have.
- Avoid any special characters like @, #, &, !, etc. Special
characters can sometimes cause problems in CSRs. So if your company name includes an
ampersand (&), spell it out as "and" instead of "&."
- You don't need to use either of the extra attributes (A challenge password and An
optional company name). To continue without entering these fields, just press Enter
to accept the blank default for both inputs.
- When you've finished entering your information, a file named server.csr will be
created. If you're using Official Red Hat Linux Professional, server.csr will be
located in the /etc/httpd/conf/ssl.csr directory. If you're using Official Red
Hat Linux Professional, International Edition, server.csr will be located in /etc/httpd/conf.
The server.csr file contains your certificate request, ready to be included in
the enrolment web form
When you insert the certificate request into the enrolment web form, be sure to get the
entire text of the certificate, including the
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
lines, but don't include any leading or trailing whitespace before the beginning and
- If you need more information, see the documentation included with your boxed set.
Copyright © Trustis Limited 2010. All
This document is licensed for use only in conjunction with the use of Trustis Trust