Generating a Certificate Signing Request for Apache entry

Original author: Beth Mercer - 2007/04/12

Apache/SSL installation

For a general overviews of installation see also:

• ​ Apache SSL Installation
• ​ Apache SSL Certificate Installation

Create a RSA private key and certificate request for your Apache server

1. Change to the target certification location

       $ cd [some private directory with strict permissions]
   

2. Generate a private key, place it in PEM-format file sec-server.key which is encrypted and password-protected by a passphrase for which you will be prompted.

       $ /usr/local/ssl/bin/openssl genrsa -des3 -out sec-server.key 1024
   

3. Decrypt the contents of sec-server.key into server.key

      $ /usr/local/ssl/bin/openssl rsa -in sec-server.key -out server.key
   

4. Create Certificate Signing Request using decrypted private key.

      $ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
      $ mailx -s "Certificate Signing Request" sxccc@alaska.edu < server.csr
   

5. As root (sudo or su)

      $ su
      $ chown root:root server.key sec-server.key
      $ chmod 0400 server.key sec-server.key server.csr
      $ cp -p server.key [installed apache dir]/conf/ssl.key
      $ cp -p server.csr [installed apache dir]/conf/ssl.csr
   

   • In Solaris 10, the directory structure is somewhat different:

         $ mkdir ssl.crt
         $ cp -p server.key /etc/
     

Install the Certificate

After your certificate request is signed and a signed server

certificate is returned, put the signed server certificate in server.crt.

    $ chmod 0400 server.crt
    $ cp -p server.crt [installed apache dir]/conf/ssl.crt

In the example below, the private key had already been generated for the edirtest and edirprep entries, so I skipped the two commands "openssl genrsa..." and "openssl rsa...". An old certificate exists, but the previous CSR has been lost and thus I can not just RENEW the exiting certificate. I need to generate a new HCF certificate, so I needed to submit a new CSR.

eklutna.root> pwd
/usr/local/Apache/ssl-certs

eklutna.root> ls -l edir+(prep|test)*
-r--------   1 root     other       2948 Nov 22  2005 edirprep.crt
-r--------   1 root     other        891 Nov 22  2005 edirprep_private.key
-r--------   1 root     other       2948 Nov 22  2005 edirtest.crt
-r--------   1 root     other        887 Nov 22  2005 edirtest_private.key

eklutna.root> which openssl
/usr/local/bin/openssl

eklutna.root> openssl req -new -key edirprep_private.key -out edirprep.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alaska
Locality Name (eg, city) []:Fairbanks
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska
Organizational Unit Name (eg, section) []:Office of Information Technology
Common Name (eg, YOUR name) []:edirprep.alaska.edu
Email Address []:sdts@email.alaska.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

eklutna.root> ls -altr|tail
-r--------   1 root     other       1117 Dec 29 11:53 edgar_private.pem
-r--------   1 root     other        887 Dec 29 11:55 edgar_private.key
-r--------   1 root     other       1387 Feb  5 15:51 edir_2007.crt
-r--------   1 root     other       1387 Feb  5 15:51 edir.crt
-r--------   1 root     other        948 Feb 19 11:33 egegik.crt
-r--------   1 root     other        944 Feb 19 11:35 eklutna.crt
-r--------   1 root     other        948 Feb 19 11:53 edgar.crt
-r-x------   1 root     other         42 Apr  6 16:13 .check-for-CNTL-M.ksh
-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr
dr--------   2 root     other       1536 Apr 12 10:36 .

eklutna.root> cat edirprep.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ
BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex
KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD
VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt
YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki
FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+
P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT
vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU
M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM
BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig==
-----END CERTIFICATE REQUEST-----

eklutna.root> openssl req -new -key edirtest_private.key -out edirtest.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alaska
Locality Name (eg, city) []:Fairbanks
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska
Organizational Unit Name (eg, section) []:Office of Information Technology
Common Name (eg, YOUR name) []:edirtest.alaska.edu
Email Address []:sdts@email.alaska.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

eklutna.root> ls -altr|tail                                                
-r--------   1 root     other        887 Dec 29 11:55 edgar_private.key
-r--------   1 root     other       1387 Feb  5 15:51 edir_2007.crt
-r--------   1 root     other       1387 Feb  5 15:51 edir.crt
-r--------   1 root     other        948 Feb 19 11:33 egegik.crt
-r--------   1 root     other        944 Feb 19 11:35 eklutna.crt
-r--------   1 root     other        948 Feb 19 11:53 edgar.crt
-r-x------   1 root     other         42 Apr  6 16:13 .check-for-CNTL-M.ksh
-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr
-rw-r--r--   1 root     other        773 Apr 12 10:40 edirtest.csr
dr--------   2 root     other       1536 Apr 12 10:40 .

eklutna.root> cat edirtest.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ
BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex
KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD
VQQDExNlZGlydGVzdC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt
YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9YfD3x
C5D5VxY+q9TlgWec7+OtON7FxuAc8C8tRidvFHf0SrW724GXy7xcIlmQrZPXccUr
uCMTSixAjmbOAOWkyHQiAC7p7azWgkmhCZa5W2sXx0pelxfkRE4psvVyUEPgvk43
1DVERKeRysuBH/hL7Yz0Owd2T0+ZN6XecmwbAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQCagGaZoIWu5EO4BkqGytWTUTjrC6C2TzZEBXWFOeWRte4vFuPM9ORe0Uic
6UIQSWD6ftJ7Q0IFj2evdNp8SOClMcPuJwkxHvxyFRTKczBBKipUc5v8YfUqE3fA
2RFmTy4DcaFpMHlw1AREBS6wTVZuAArtv9xzndjREAEqQPqLZg==
-----END CERTIFICATE REQUEST-----

eklutna.root> ls -l edir+(prep|test)*
-r--------   1 root     other       2948 Nov 22  2005 edirprep.crt
-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr
-r--------   1 root     other        891 Nov 22  2005 edirprep_private.key
-r--------   1 root     other       2948 Nov 22  2005 edirtest.crt
-rw-r--r--   1 root     other        773 Apr 12 10:40 edirtest.csr
-r--------   1 root     other        887 Nov 22  2005 edirtest_private.key

eklutna.root>