Alert ID : INFO277

Last Modified : 05/03/2018

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for Redhat Secure Web Server

Description

This document provides instructions for generating a Certificate Signing Request (CSR) for Redhat Secure Web Server.  If you are unable to use these instructions for your server, Symantec recommends that you contact Redhat.

NOTE: To generate a CSR, you will need to create a key pair for your server.  These two items comprise a digital certificate key pair and cannot be separated.  If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.  You will have to request a new SSL Certificate from your Managed PKI for SSL Administrator.


Step 1: Generate a Private Key


NOTE: If you're using Official Red Hat Linux Professional, you can choose whether or not to enable the password feature.  This will require you to enter the password every time you start your secure server.
Symantec recommends that you use the password feature to increase the level of security.

With Password Feature

  1. Use the cd command to move to the /etc/httpd/conf directory.
     
  2. As root, type the command: “make genkey”.
     
  3. Your key will be generated and you will be asked to enter and confirm a password. You will need to enter this password every time you start your secure Web server.
     
  4. Your key will be created and saved to a file named server.key. If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
     

Without Password Feature
 

  1. Use the cd command to move to the /etc/httpd/conf directory.
     
  2. As root, type the command all on one line:

    /usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048
     
  3. Set the correct permissions on your key with the command:

    chmod go-rwx ssl.key/server.key

  4. Your key will be created and saved to a file named server.key. If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.

     
Step 2: Create the Certificate Signing Request
 
  1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
  • For Official Red Hat Linux Professional, type in the following command:

    make certreq

  • For Official Red Hat Linux Professional, International Edition, type in the following command (all on one line):

    /usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr

  2. If you used a password when you generated your key, you will be prompted for it.

  3. Enter information as prompted. Your inputs will be incorporated into the CSR.
  • Country Name: The fully-qualified domain name to which your certificate will be issued.
  • State or Province: Enter the full name of your state or province.
    Note: Make sure the State or Province is not abbreviated (e.g. California).
  • Locality or City: Usually the city of your organization's main office, or a main office for your organization.
  • Organization: The full legal name of your company.
  • Organizational Unit: Use this field to differentiate between divisions within an organization.
  • Common Name: The fully-qualified domain name to which your certificate will be issued.

  4. A file named server.csr will be created.  If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.

  5. You have just created a key pair and a CSR.

  6. The server.csr file contains your certificate request.  To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

  7. Go to your MPKI for SSL enrollment pages (MPKI administrator will provide this URL).
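
The script below is an added example, not part of the original instructions: it checks the files produced in Step 1 and Step 2 before the CSR is pasted into the enrollment form, confirming that the key is closed to group and other users, that the CSR was built from that key, and that the key is at least 2048 bits. The function name check_csr_pair and the script name check_csr.sh are assumptions; the file paths are the ones given in the steps above.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the key and
# CSR from Step 1 and Step 2 before submitting the request.
# Usage: sh check_csr.sh ssl.key/server.key ssl.csr/server.csr
# A key created with the password feature makes openssl ask for the password.

check_csr_pair() {
    key=$1 csr=$2 rc=0

    # 1. The key must carry no group/other permission bits, which is the
    #    state "chmod go-rwx" leaves it in. Columns 5-10 of "ls -l" are
    #    the group and other bits.
    perms=$(ls -l "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms)"; rc=1
    fi

    # 2. The public key inside the CSR must be the public half of the
    #    private key; otherwise the issued certificate will not match.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$csr_pub" ]; then
        echo "FAIL: $csr was not generated from $key"; rc=1
    fi

    # 3. The key length should be at least the 2048 bits used in Step 1.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key is ${bits:-unknown} bits, expected at least 2048"; rc=1
    fi

    # On success, print the subject so the values typed at the prompts
    # can be reviewed before enrollment.
    [ "$rc" -eq 0 ] && openssl req -in "$csr" -noout -subject
    return "$rc"
}

# Run the check only when a key path and a CSR path are supplied.
if [ "$#" -eq 2 ]; then check_csr_pair "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; the FAIL lines say which.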

Contact Information
 
Your Managed PKI for SSL Administrator will be responsible for issuing the certificate to you after your enrollment has been completed. Please contact them for assistance.
 

Once the certificate has been issued, follow the steps from this link to install the certificate on your server.