General Information ID : INFO889

Certificate Signing Request (CSR) Generation Instructions - Red Hat Secure Web Server

Description

This document provides Certificate Signing Request (CSR) generation instructions for Red Hat Secure Web Server. If you are unable to use these instructions for your server, GeoTrust recommends that you contact the server vendor or the organization that supports Red Hat Secure Web Server.

GeoTrust now offers the Symantec SSL Assistant to make it easy to generate a CSR and install a certificate for Red Hat servers. As an independent subsidiary of Symantec, GeoTrust offers Symantec SSL Assistant as a benefit of our corporate relationship.

To generate a CSR, you will need to create a key pair for your server.
You will also need to create a password. If you lose your password and generate a new one, your SSL Certificate will no longer match and will have to be replaced.

Step 1: Generating the Private Key

NOTE: A key length of 1024 bits is the default, but GeoTrust recommends the use of a 2048-bit key.

  1. Use the cd command to move to the /etc/httpd/conf directory.
  2. As root, type in one of the following three commands to generate your key:
     
    1. If you're using Official Red Hat Linux Professional and you want to use the included password feature, type in the following command:
       
      make genkey

      Your key will be generated and you will be asked to enter and confirm a password. Your password should be at least eight characters, should include numbers or punctuation and should not be a word in a dictionary. Also, remember that your password is case sensitive.
      NOTE: You will need to remember and enter this password every time you start your secure Web server, so don't forget it.
       
    2. If you're using Official Red Hat Linux Professional and you don't want to be required to type in a password every time you start your secure Web server, type the following command, all on one line, instead of "make genkey" to create your key:
       
      /usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048

      Then use the following command to set the correct permissions on your key:
       
      chmod go-rwx ssl.key/server.key

      If you use the above commands to create your key, you will not need to use a password to start your secure Web server. However, we don't recommend that you disable the password feature for your secure Web server, since it decreases the level of security for your server.
       
    3. If you're using Official Red Hat Linux Professional International Edition, type in the following single command, all on one line:
       
      /usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 2048

      You will not be required to enter a password if you're using Official Red Hat Linux Professional International Edition.
       
  3. Your key will be created and saved to a file named server.key.

    If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
    If you're using Official Red Hat Linux Professional International Edition, server.key will be located in /etc/httpd/conf.
    The server.key file should be owned by root and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you lose the server.key file after using it to create your CSR and purchase a certificate, your certificate will no longer work and we will not be able to help you. Your only option would be to apply for a new certificate.
     

Step 2: Create the Certificate Signing Request

  1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
     
    1. If you're using Official Red Hat Linux Professional, type in the following command:
       
      make certreq

    2. If you're using Official Red Hat Linux Professional International Edition, type in the following single command (all on one line): 
       
      /usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr

  2. You will be prompted for your password (if you used a password when you generated your key). Type in the password, if necessary.
  3. You'll see some instructions and you will be prompted for responses. Your inputs will be incorporated into the CSR.
  4. When you've finished entering your information, a file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.
  5. You have just created a key pair and a CSR.
  6. The server.csr file contains your certificate request. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or vi are recommended).
  7. Copy and paste the CSR into the enrollment pages on the GeoTrust website.
  8. Verify your CSR with the GeoTrust CSR Checker.
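
The files produced in Steps 1 and 2 can also be checked locally before the CSR is submitted: key size, key file permissions, that the CSR was built from this key, and that the CSR's signature verifies. The script below is an added example, not part of the GeoTrust or Red Hat instructions; its function names and the file name check_csr.sh are assumptions, and it assumes a key created without a password (options 2 and 3 of Step 1), since openssl otherwise prompts for it.

```shell
#!/bin/sh
# Added example: local checks on server.key and server.csr before the CSR
# is pasted into the enrollment form. Function names are illustrative.

# RSA key size in bits, read from "Private-Key: (2048 bit...)".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# True when group and other have no access (the effect of chmod go-rwx).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the CSR carries the public half of this private key.
csr_matches_key() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the CSR's self-signature verifies. The message is matched
# because older openssl builds exit 0 even when verification fails.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Run every check; returns 0 only when all of them pass.
check_pair() {
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-unreadable} bit, want 2048+"; rc=1; }
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR does not match key"; rc=1; }
    csr_signature_ok "$2" || { echo "FAIL: CSR signature does not verify"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 matches $1 (${bits} bit)"
    return "$rc"
}

# Usage: sh check_csr.sh /etc/httpd/conf/server.key /etc/httpd/conf/server.csr
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A failed match usually means the CSR was generated from a different server.key than the one on disk, which is the situation the backup advice in Step 1 is meant to prevent.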