Create a Certificate Signing Request
» Table of Contents |  | | » Index | | |
| | |
| ||
| ||
Creating a certificate signing request (generating a *.CSR file) is like an application form for a certificate. You can specify two categories of request:
Prepares a certificate file to be signed by a trusted (root) CA to authenticate your server. You are the subject of the certificate, and the CA you send it to will be the certificate issuer. For example, if you wanted to get a Thawte Server ID, you would create a certificate request and mail the contents of this generated file to Thawte. The file you generate is a *.CSR file.
To create a certificate request, perform the following steps.
Enter the information required for the certificate. You must complete all fields to create a valid certificate request. The certificate request is generated after you respond to the last question.
Encrypt Private Key
Using an encrypted private key forces the passphrase dialog when loading the private key.
NOTE: Do not use this option if you are using the mod_ssl directive SSLPassPhraseDialog with the default built-in option. Encryption Bits
The largest recommended size is 1024 bits. Encryption strength is often described in terms of the size of the keys used to perform the encryption; in general, longer keys provide stronger encryption but require more computing time. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.
Certificate Key File
Use OpenVMS syntax (defaults to SSL$KEY:SERVER.KEY).
Certificate Request File
Use OpenVMS syntax (defaults to SSL$CSR:SERVER.CSR).
The remaining questions determine your server's distinguished name.
Country Name
State or Province Name
City Name
Organization Name
Organization Unit Name
Common Name
Common name usage is different for client certificates than it is for server certificates. Generally, the common name on a client certificate is the proper name of the individual requesting a certificate. In the case of server certificates, the common name must be the same as your server's DNS host name (or virtual host name, if name-based virtual hosting is used). Browsers compare the common name in the server certificate with the host name of the server to which they are connecting; these names must match.
Email Address
Display the Certificate
View the details of the certificate request (if you chose to display the certificate).
Subject
Public key information
Signature algorithm
To see the encoded contents, exit the certificate tool and enter the following command to view the CSR file.
$ TYPE SSL$ROOT:[CERTS]SERVER.CSR
What you see is exactly what is required by the certificate authority. You might be required to send the file itself or just the contents of the file to your CA (according to the CA's instructions). For example:
|
|
|
If you are sending only the contents, copy and paste everything and send to the CA using secure email or the appropriate enrollment form. The CA will return a digitally signed certificate to you. For example:
|
|
|
The CA-signed certificate contains the following information:
Your organization's common name (www.your-server )
Additional identifying information (IP and physical address)
Your public key
Expiration date of the public key
Name of the CA that issued the ID
A unique serial number. (Every certificate issued by a CA has a serial number that is unique to the certificates issued by that CA.)
CA's digital signature
A signed certificate needs to be installed, along with the key you generated when creating the request, by saving or copying the respective files to their correct directories and restarting the application.
The following example shows a certificate and key copied to the directory of a web server.
$ COPY SSL$CERTS:SERVER.CRT APACHE$SPECIFIC:[CONF.SSL_CRT]
$ COPY SSL$KEY:SERVER.KEY APACHE$SPECIFIC:[CONF.SSL_KEY]