Generating a Certificate Signing Request (CSR) file for Amazon Web Services' (AWS) HTTPS Load Balancers requires the use of Apache's OpenSSL to do so.
Note: To check whether OpenSSL is already installed, run the command "openssl version" without the parenthesis. If OpenSSL is not installed, you must install it. For more information to install OpenSSL, see AWS's documentation for Linux distribution or contact Amazon.
Step 1: Generate the Private Key
- Using the Linux instance, run the following command to create the Private Key file.
Note: 2048 bit key lengths or higher is required.
openssl genrsa -out yourpivatekey_filename.key 2048
Note: AWS requires that the Private Key NOT be generated with a pass phrase/password to protect the file. Therefore Thawte highly recommends that the Private Key file be kept in a secure location on the server as it is the key element that decrypts the encrypted information sent from the client to the server. Not doing so could cause your SSL connections to be vulnerable if the Private Key file is compromised.
Step 2: Generate the CSR
- Run the following command to generate a CSR file based off the Private Key file that was created from Step 1 above.
Note: You will be asked for the Private Key's pass phrase created from Step 1 above when running this command.
openssl req -new -key yourprivatekey_filename.key -out yourcsr_filename.csr
- Enter the Distinguished Name (DN) Fields:
◦ Country Name: Use the two-letter code without punctuation for country. (ex. US or CA)
◦ State or Province: Spell out the state name completely. Do not abbreviate the state or province name. (ex. California)
◦ Locality or City: The Locality field is the city or town name. Do not abbreviate (ex. Saint Louis)
◦ Organization Name: If the Organization Name (Company Name) has an &, @, or any other special character, the special character must be spelled out or omitted, in order to enroll for a certificate. (ex. XY & Z Corporation would be XYZ Corporation or XY and Z Corporation)
◦ Organizational Unit: The Organizational Unit field can be used as a department name or a naming convention of your choice. To skip this field, press Enter on the keyboard.
◦ Common Name: The Common Name is the Host + Domain Name. It looks like "www.domain.com" or "domain.com". SSL certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com".
◦ Email Address: Do NOT enter an email address. Leave this field blank and press Enter on the keyboard to skip this field.
Extra Attribute Fields:
◦ Challenge password: Do NOT enter a Challenge password. Leave this field blank and press Enter on the keyboard to skip this field.
◦ An option company name: Do NOT enter an option company name. Leave this field blank and press Enter on the keyboard to skip this field.
The CSR file has now been generated. When opening the file to view and send for the enrollment of an SSL certificate, please ensure you use a plain text editor only. (ex. Notepad on Windows or Vi on Linux)