A Certificate Signing Request (CSR) is an intermediate form of an SSL certificate that enables a Certificate Authority (CA) to generate a signed SSL certificate and verify the identity of a domain’s owner. This intermediate form is used to avoid exposing private RSA keys to a 3rd party which preserves the integrity of the encryption channel that SSL provides. This document will describe the commands used in the process of generating an RSA private key + CSR combination on Linux/Unix using the OpenSSL toolkit in preparation for placing an SSL certificate order.
* Log into the server and navigate to an appropriate working directory (for instance /root/ssl_certs).
* To generate a private key without a passphrase:
openssl genrsa -out domainname.key 2048
* Now you can use the private key to generate the CSR:
openssl req -sha256 -new -key domainname.key -out domainname.csr
* You will need to answer some self-explanatory questions to input information about your domain. The most important of these fields is the “Common Name” which will match exactly the domain name that may use the signed certificate (for instance, a “www.domain.com” Common Name WILL generate a warning if “domain.com” is used to browse the HTTPS site).
* Also note that “domainname.key” and “domainname.csr” should be replaced with an appropriate descriptive name for your website.
* You may want to make a safe backup copy of your private key in case it is ever lost or needs replacing.
* Make a note of the CSR and you are finished with this step.
Please note, all SSL certificate orders through Superb Internet require the submission of a 2048-bit CSR along with the order.