1) Check to see if OpenSSL is already installed on your server and install it if it is not.
Type the following on systems that use yum such as CentOS
rpm -qa | grep -i openssl
It should return something similar to the following
openssl-1.0.1e-48.el6_8.1.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686
If those packages are not returned, you may install OpenSSL with the following command
yum install openssl openssl-devel
Type the following on Debian-based systems such as Debian or Ubuntu
dpkg -l |grep openssl
It should return something similar to the following
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - OpenSSL wrapper
ii openssl 1.0.1f-1ubuntu2.16 amd64 Secure Sockets Layer toolkit - cryptographic utility
If those packages are not returned, you may install OpenSSL with the following command
apt-get install openssl
2) Generate the RSA key (Private Key)
Create a directory to store the key. Use any directory name you see fit.
mkdir ~/ssldir/
cd ~/ssldir/
Type the following to generate a private key. Substitute domain.com with your domain name.
openssl genrsa -out ~/ssldir/domain.com.key 2048
3) Create the CSR (Certificate Signing Request)
Type the following to generate a CSR. Replace domain.com with your domain name.
openssl req -new -sha256 -key ~/ssldir/domain.com.key -out ~/ssldir/domain.com.csr
You will be prompted to enter information required for the CSR.
NOTE: The following characters cannot be used in the Organization name or Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
DN field | Explanation | Example |
Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.yourdomain.com , then your CSR’s common name must be www.yourdomain.com . Most issued certificates will also include yourdomain.com automatically (https://yourdomain.com) but you should check with your certificate provider to be certain. Wildcard certificates are prefixed with an asterisk: *.domain.com. |
Organization Name | The exact legal name of your organization. Do not abbreviate your organization name. | CeraNet Inc |
Organizational Unit | Section of the organization. | Internet Security |
City or Locality | The city where your organization is legally located. | Columbus |
State or Province | The state or province where your organization is legally located. Do not use an abbreviation. | Ohio |
Country | The two-letter ISO abbreviation for your country. | US |
Leave the challenge password blank (press enter).
4) Verify the CSR
Type the following to verify the CSR.
openssl req -noout -text -in ~/ssldir/domain.com.csr
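The script below is an added example, not part of the original article. It runs steps 2 through 4 without prompts by passing the table's sample values through -subj, creates the key under umask 077 so that only the owner can read it, and then checks that the CSR's self-signature verifies and that its public key matches the private key. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: steps 2-4 run non-interactively, with checks on the result.
# Function names are illustrative; subject values are the table's samples.

# make_key_and_csr DIR DOMAIN SUBJECT
# Creates DIR/DOMAIN.key and DIR/DOMAIN.csr. The subshell's umask 077 makes
# a newly created directory and the key accessible to the owner only.
make_key_and_csr() (
    umask 077
    mkdir -p "$1" || exit 1
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
)

# key_is_owner_only FILE
# Succeeds if FILE is a regular file with mode rw------- (0600).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# csr_matches_key KEY CSR
# Succeeds only if the CSR's self-signature verifies and the public key in
# the CSR is the one derived from KEY. The "verify OK" text is matched
# instead of relying on the exit status alone.
csr_matches_key() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Usage with the article's paths (uncomment to run):
# make_key_and_csr ~/ssldir domain.com \
#   "/C=US/ST=Ohio/L=Columbus/O=CeraNet Inc/OU=Internet Security/CN=www.yourdomain.com"
# key_is_owner_only ~/ssldir/domain.com.key && echo "key permissions OK"
# csr_matches_key ~/ssldir/domain.com.key ~/ssldir/domain.com.csr && echo "CSR matches key"
```

Running csr_matches_key before submission catches the case where a CSR was generated from a different key than the one kept on the server, which would otherwise only surface when the issued certificate is installed.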
5) Submit the CSR.
Submit the CSR to a certificate authority (RapidSSL, GeoTrust, Sectigo, etc.) to have an SSL certificate issued to you.
Do not submit the private key. Retain it instead; you will use it to install your issued SSL certificate once you receive it from the certificate authority.
NOTE: If you purchase an SSL certificate from CeraNet you may use our tools for CSR/Private key generation as previously mentioned in this article. Alternatively, you can purchase a certificate from CeraNet, generate your own CSR as outlined in this article and submit that CSR to CeraNet (via our portal) for certificate issuance.