
Solution ID : SO2632

Last Modified : 05/02/2018

Generate a CSR for Raven SSL CTL Interface

Problem

Generate a private key
Generate a CSR

Solution

The RavenCTL Management Interface

The following procedure shows the process required to generate a key file and CSR (certificate signing request) for your SSL server.

Generate the Private Key

Name of the file to store certificate/key?
[server.domain.com] --> www.domain.com


At the prompt above, enter the name of the file in which the certificate and key are to be stored. This is typically the Common Name of the server, i.e. the ServerName configured in Apache.

The key file name you have chosen is www.domain.com.key.
The certificate file name will be www.domain.com.cert.
Press [ENTER] to continue:


The prompt above confirms the file names chosen for the key and the certificate. They are stored under /usr/local/raven/module/pki/keys and /usr/local/raven/module/pki/certs respectively. The keys directory holds the private key, so it should be owned by root and readable by nobody else.

Choose the size of your key. Smaller keys make the RSA operations in the TLS handshake slightly faster but are correspondingly weaker.

Note: In the interest of better security and the enablement of greater trust, Thawte requires a minimum 2048 bit length.

Number of bits in key (512 minimum, 1024 maximum)? [1024] --> 2048

Deciding how strong the key pair should be

At the prompt above, enter the number of bits for the key. More bits make the key harder to factor at the cost of a little more server CPU per handshake; fewer bits make it cheaper and weaker. Enter a value divisible by 128, e.g. 2048. Note that the prompt states a 1024-bit maximum while Thawte requires 2048: enter 2048 regardless. If your version of the tool refuses a value above its stated maximum, do not fall back to 1024; generate the key with openssl instead, using the key file name chosen above, provided your Raven installation accepts a key generated outside the tool.

Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.
Generating 2048 bits of randomness: ...............................
Generating 2048 random bits based on measuring the time interval between your keystrokes.  Please enter random text on your keyboard.
2048 <- remaining


The key generation process has an internal random entropy generator. It first produces twice as many random bits as the key size you chose, and after that internal generator finishes you are prompted to type random keystrokes, whose timing feeds a second entropy pool. Together these make the key hard to predict and therefore hard to recover.

Generating the key. This will take some time. Be patient. The passphrase you enter here is very important. Do not lose it.

192 semi-random bytes loaded
Generating RSA private key, 512 bit long modulus
..........+++++
...+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Entering a Passphrase for the encryption of the private key


After the key is created, you are prompted for a pass phrase used to encrypt the key as it is stored on disk. Encrypting the key is optional. An encrypted key cannot be loaded without the pass phrase, so the server cannot start unattended: someone has to type it at every startup. If you leave the key unencrypted for that reason, file permissions are the only thing protecting it, so keep it owned by root with mode 0600 and never copy it off the server. Before going further, check the size of the generated key: the transcript above reports a 512 bit long modulus although 2048 bits were entered, and a 512-bit RSA key has been publicly factorable since 1999 and does not meet Thawte's 2048-bit minimum.

Record the pass phrase now, in a password manager or another secure store. If you forget it you cannot use the private key, the certificate issued for that key becomes useless, and you will have to buy a new one.


Backing up the Private Key

You should also back up your private key. Back up the encrypted key file, and store the copy under the same access controls as the server itself: a backup that leaks is equivalent to a compromised server key. If you lose your private key you will not be able to use your certificate and will have to buy a new one. Read our Key Loss Policy.

Note: Back up your private key.


Generate the CSR and temporary self-signed certificate

Self-signing certificate for temporary internal use.
Using configuration from /usr/local/raven/module/pki/lib/certtool.conf
Enter PEM pass phrase:

Enter the pass phrase you chose for the private key during the generation step above.

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) [Some-City]: Mountain View
Organization Name (eg, company) [Some-Company/Organization]: Thawte
Organizational Unit Name (eg, section) [Secure Services Division]: IT
Common Name (eg, server name) [www.servername.com]: www.domain.com
Email Address [webmaster@servername.com]:
Key and certificate have been successfully installed.
Thanks for choosing Raven. Press [ENTER] to continue:

Country Name: the two-letter ISO country code of the company the certificate represents.
State or Province Name: the state or province of that company, spelled out in full.
Locality Name: the city of that company.
Organization Name: the company name being represented by this certificate.
Organizational Unit Name: the division of the company.
Common Name: the fully qualified host name clients use to reach the server, i.e. the Apache ServerName. The certificate is issued for exactly this name, so a mismatch produces browser warnings.
Email Address: the contact address for the person representing the company. Leave it blank.


You will then submit your CSR to the Thawte online form. Submit only the CSR: the private key never leaves the server. When the issued certificate arrives, install it in place of the temporary self-signed certificate in /usr/local/raven/module/pki/certs (www.domain.com.cert in this example).
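The same artefacts the Raven tool produces (a pass-phrase-encrypted 2048-bit RSA key and a CSR carrying the sample DN above) can be generated and, more importantly, checked with the openssl command line. The script below is an added example written for this page; it is not part of the Raven tool or of Thawte's documentation. It assumes openssl is installed, reads the pass phrase from an environment variable KEY_PASS (a constructed example value is used if it is unset), writes to a temporary directory, and reuses the file names and DN values from the transcript above. The checks it performs are the ones a practitioner wants before submitting to the CA: that the key really has the requested modulus size (the transcript above shows 512 bits being generated after 2048 was requested), that the CSR was built from this key and not some other one, and that the Common Name is the expected host name.

```shell
#!/bin/sh
# Added example, not part of the Raven tool: create an encrypted 2048-bit RSA
# key and a CSR with openssl, then verify them before sending the CSR to the CA.
# KEY_PASS, the temp directory and the DN values are assumptions for the example.
set -eu

# Pass phrase for the PEM-encrypted key, taken from the environment so it never
# appears on a command line (visible in ps). The default is an example only.
: "${KEY_PASS:=example-passphrase-change-me}"
export KEY_PASS

# gen_key KEYFILE BITS: RSA key, AES-256-encrypted with KEY_PASS. The umask
# makes the file 0600 from the moment it is created, so there is no window in
# which the key is world-readable.
gen_key() {
    (umask 077; openssl genrsa -aes256 -passout env:KEY_PASS -out "$1" "$2" 2>/dev/null)
}

# key_bits KEYFILE: modulus size in bits, derived from the length of the hex
# modulus (4 bits per hex digit). This catches the mismatch in the transcript
# above, where 2048 bits were requested but a 512-bit modulus was generated.
key_bits() {
    kb_mod=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus)
    kb_mod=${kb_mod#Modulus=}
    echo $(( ${#kb_mod} * 4 ))
}

# gen_csr KEYFILE CSRFILE CN: CSR for the existing key with the DN used on this
# page; -subj supplies the DN so openssl does not prompt for it.
gen_csr() {
    openssl req -new -key "$1" -passin env:KEY_PASS -out "$2" \
        -subj "/C=US/ST=California/L=Mountain View/O=Thawte/OU=IT/CN=$3"
}

# csr_matches_key KEYFILE CSRFILE: succeeds only when the public key in the CSR
# belongs to this private key (identical modulus). A certificate issued for a
# CSR that does not match the server's key is useless.
csr_matches_key() {
    [ "$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus)" = \
      "$(openssl req -in "$2" -noout -modulus)" ]
}

# csr_subject CSRFILE: the DN in RFC 2253 form, e.g.
# subject=CN=www.domain.com,OU=IT,O=Thawte,L=Mountain View,ST=California,C=US
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Demonstration run using the file names from the Raven transcript.
main() {
    dir=$(mktemp -d)
    key="$dir/www.domain.com.key"
    csr="$dir/www.domain.com.csr"
    gen_key "$key" 2048
    echo "key size: $(key_bits "$key") bits"
    gen_csr "$key" "$csr" www.domain.com
    csr_matches_key "$key" "$csr" && echo "CSR matches key"
    csr_subject "$csr"
    # The key must be readable by its owner only before it is left on disk.
    ls -l "$key"
}
main
```

Run it as a normal user with KEY_PASS exported beforehand; the key is written encrypted and 0600, and the CSR is the only file that should be pasted into the enrollment form. If key_bits prints anything other than 2048, regenerate the key before submitting.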