Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for Apple Mac OS X Server 10.4

Solution


This document provides instructions on how to generate a CSR for Apple Mac OS X Server 10.4. If you are not able to follow them, contact Apple.

NOTE: Using the Server Admin utility to create certificate requests for new certificates and renewals is not recommended, as it can lead to issues when installing the new SSL certificate.

Step 1. Generate the Private Key

  1. To create a CSR for SSL certificate enrollment or renewal, you need the administrator (root) password
    and access to the server's command line - either via Terminal.app or SSH.

    NOTE: For all SSL certificates, the CSR key bit length must be 2048.
  2. Connect to your server and run the following three commands at the command line:

    cd /etc/httpd/
    sudo openssl req -new -newkey rsa:2048 -nodes -keyout ssl.key/private.key -out certreq.txt
    sudo chmod 640 ssl.key/private.key


Step 2. Generate the CSR

  1. When the second command is run, the administrator password will be requested and a short wizard will run
    to specify the information that will appear in the SSL certificate - see below for details:
  • Country Name: The two-letter code for the country where your organization operates.
  • State or Province Name: The state in which your organization operates - must not be abbreviated.
  • Locality Name: The city or suburb where your organization is located.
  • Organization Name: The full, legal entity name for your organization.
  • Organizational Unit Name: The department of your organization that will be using the SSL certificate.
  • Common Name: The website address or FQDN that will be secured by the SSL certificate.

    NOTE: Please do not enter an email address, challenge password or an optional company name when generating the CSR.
     
  2. The new private key (private.key) and CSR (certreq.txt) files will be created. The third command prevents
    the private key from being world readable - the private key should be protected at all times to prevent
    compromise of the SSL certificate.
  3. Verify your CSR.
  4. Proceed to the Enrollment.
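
One way to carry out the "Verify your CSR" step from the command line before submitting the request. This is an added example, not part of the original instructions or of any vendor tool; `check_csr` and the script name in the last comment are hypothetical. It checks the requirements stated above: 2048-bit key, all six subject fields, no email address, challenge password or optional company name, and a private key that is not world readable.

```shell
#!/bin/sh
# Added example: check a key/CSR pair against the requirements in this article.
# check_csr is a hypothetical helper name, not part of OpenSSL or any vendor tool.
check_csr() {
    key=$1 csr=$2 rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
        { fail "cannot parse CSR $csr"; return 1; }
    subj=$(openssl req -in "$csr" -noout -subject -nameopt multiline)

    # Self-signature check; match the message rather than rely on the exit
    # status, which some OpenSSL releases leave at 0 on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        fail "CSR self-signature does not verify"

    # The article requires a 2048-bit key.
    printf '%s\n' "$text" | grep -Eq 'Public[- ]Key: \(2048 bit\)' ||
        fail "public key is not 2048 bits"

    # Every field the wizard asks for must be present and non-empty.
    for f in countryName stateOrProvinceName localityName \
             organizationName organizationalUnitName commonName; do
        printf '%s\n' "$subj" | grep -q "^ *$f *= *[^ ]" || fail "subject lacks $f"
    done
    printf '%s\n' "$subj" | grep -Eq '^ *countryName *= *[A-Z]{2}$' ||
        fail "Country Name is not a two-letter code"

    # No email address, challenge password or optional company name.
    printf '%s\n' "$subj" | grep -q 'emailAddress' && fail "subject has an email address"
    printf '%s\n' "$text" | grep -Eq 'challengePassword|unstructuredName' &&
        fail "CSR carries a challenge password or optional company name"

    # The CSR must have been made from this private key (same RSA modulus).
    [ "$(openssl req -in "$csr" -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] ||
        fail "CSR does not match $key"

    # The private key must not be world readable.
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] || fail "$key is world readable"

    return $rc
}

# Run as: sudo sh check_csr.sh ssl.key/private.key certreq.txt
if [ $# -eq 2 ]; then check_csr "$1" "$2"; fi
```

The function returns 0 only when every check passes and prints one `FAIL:` line per problem otherwise.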


Once the certificate has been issued, follow the steps from this link to install the certificate on your server: SO22022