
General Information ID : INFO793

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for Covalent Apache ERS v 2.4 or earlier

Description

This document provides instructions for generating a CSR for Covalent Apache ERS v 2.4 or earlier. If you are unable to use these instructions for your server, Symantec recommends that you contact Covalent.
 
NOTE: To generate a CSR, a key pair must be created for the server. These two items are a digital certificate key pair and cannot be separated. If the public/private key file or password is lost or changed before the SSL certificate is installed, the SSL certificate will need to be re-issued. The private key, CSR, and certificate must all match in order for the installation to be successful.
 

Step 1: Generate a Private Key

         NOTE: All certificates that will expire after October 2013 must have a minimum 2048 bit key size.

  1. Change to the /path/to/ssl1.5/bin directory.
  2. Start the Covalent SSL Certificate and Key Management Tool.
  3. For the graphical interface, execute: ./sslctl. For the text interface, execute: ./sslctl --textmode.  The main screen displays.
  4. Select Generate Certificate and Key.
  5. Enter the name of the server you want to certify.
  6. Select the size of your private key. The key bit length must be at least 2048 bits.
  7. Enter and confirm a pass phrase for your private key.
  8. Define and enter the information for your server certificate.
    NOTE: The server certificate is stored in the directory /path/to/ssl1.5/certs and is named yourserver.domain.cert 
    (for example, www.covalent.net.cert). The key is stored in the directory /path/to/ssl1.5/keys and is named
    yourserver.domain.key (for example, www.covalent.net.key).
  9. This step will create the X.509 attributes of the certificate:
  • Common Name: The fully-qualified domain name to which your certificate will be issued.
  • Organization: The full legal name of your company.
  • Organizational Unit: Use this field to differentiate between divisions within an organization.
  • City or Locality: Usually the city of your organization's main office, or a main office for your organization.
  • State or Province: Enter the full name of your state or province. 
    Note: Make sure the State or Province is not abbreviated (e.g. California).
  • Country: Enter the two-character abbreviation of the country in which the organization resides (e.g. US).

    NOTE: Please do not enter an email address, challenge password or an optional company name when generating the CSR.
  10. Modify the Apache configuration file if necessary.

    NOTE: If you are securing the main server and using the included httpsd.conf, the file is configured correctly by default.
    No modifications are necessary. If you are securing an additional virtual host, you must include two containers for the
    secure site in the configuration file:
  • Include a virtual host for HTTP requests listening on port 80.
  • Include an SSL virtual host for HTTPS requests listening on port 443.
  • The HTTPS server must use an IP-based address and should include the SSLCertificateFile and SSLCertificateKeyFile directives.
  11. Run the server with the key and temporary server certificate.
    If your server is running, stop the server by executing:  /path/to/apache1.3/bin/covalent-faststart-ctl stop
  12. Start the server with Covalent SSL by executing: /path/to/apache1.3/bin/covalent-faststart-ctl startssl
    During server start-up, you will be prompted to enter the pass phrase for the server certificate.
  13. Make a backup of your server certificate and private key.
 
Step 2: Generate the CSR

  1. Select Generate Certificate Signing Request from the Covalent SSL Certificate and Key Management Tool.
  2. You are prompted to select a server certificate to be signed. Select Symantec, Inc.
  3. Covalent SSL automatically generates the correct format CSR for Symantec, Inc.
  4. Enter the pass phrase you used to encrypt the key that corresponds to this server certificate.
  5. Define and enter the information for your CSR.
  6. Select a directory and filename for the generated CSR, for example /root/cert-2507. 
    Covalent SSL saves the CSR to the file you designated.
  7. Use our tool to verify your CSR.
  8. Go to the enrollment page and enter the CSR in the enrollment form.
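
A local check that can be run before submitting the CSR, shown here as an added example (not Covalent or Symantec code). It assumes the OpenSSL command-line tool is installed; the script name check_csr.sh and the function names are hypothetical. It confirms that the CSR was generated from the private key, that the key is at least 2048 bits, and that the fields the note above says to leave empty are not set.

```sh
#!/bin/sh
# Added example, not Covalent or Symantec code. Assumes the OpenSSL CLI is on PATH.
# Usage: sh check_csr.sh <private-key> <csr>
#   e.g. sh check_csr.sh /path/to/ssl1.5/keys/yourserver.domain.key /root/cert-2507
# A pass-phrase-protected key makes openssl prompt for the pass phrase.

# Print the PEM public key held in a private key ($1=key) or a CSR ($1=csr).
pubkey_pem() {
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout) ;;
    csr) pem=$(openssl req -in "$2" -noout -pubkey) ;;
    *)   return 2 ;;
  esac || return 1
  [ -n "$pem" ] && printf '%s\n' "$pem"
}

# Key size in bits as reported in the CSR text ("Public-Key: (2048 bit)").
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 only if the CSR was built from this key, the key is at least
# 2048 bits, and none of the fields that must stay empty are present.
check_csr() {
  key_pub=$(pubkey_pem key "$1") || { echo "cannot read key $1"; return 1; }
  csr_pub=$(pubkey_pem csr "$2") || { echo "cannot read CSR $2"; return 1; }
  if [ "$key_pub" != "$csr_pub" ]; then
    echo "MISMATCH: CSR was not generated from this private key"; return 1
  fi
  bits=$(csr_key_bits "$2")
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "WEAK: key is ${bits:-unknown} bits, minimum is 2048"; return 1
  fi
  # unstructuredName is how OpenSSL labels the "optional company name" attribute.
  if openssl req -in "$2" -noout -text |
       grep -Eq 'emailAddress|challengePassword|unstructuredName'; then
    echo "FIELDS: remove email address, challenge password or company name"
    return 1
  fi
  echo "OK: key and CSR match, $bits-bit key"
}

# Run the check only when both file names are given on the command line.
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```

The same public-key comparison applies to the issued certificate by reading its key with openssl x509 -in <certificate> -noout -pubkey.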