Generate private key and CSR for RedHat Linux
To generate a CSR for Redhat Linux, perform the following steps:
To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file (key pair) and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.
You will also need to create a password. If you lose your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.
Thawte recommends that you contact the Redhat SWS vendor for additional information.
Step 1: Generating the Private Key
1. Use the cd command to move to the /etc/httpd/conf directory.
2. As root, type in one of the following three commands to generate your key:
A. If you're using Official Red Hat Linux Professional and you want to use the included password feature, type in the following command:
Your key will be generated and you will be asked to enter and confirm a password. Your password should be at least eight characters, should include numbers or punctuation and should not be a word in a dictionary. Also, remember that your password is case sensitive.
Please note that you will need to remember and enter this password every time you start your secure Web server, so don't forget it.
B. If you're using Official Red Hat Linux Professional and you don't want to be required to type in a password every time you start your secure Web server, type the following command, all on one line, instead of "make genkey" to create your key:
/usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048
Then use the following command to set the correct permissions on your key:
chmod go-rwx ssl.key/server.key
If you use the above commands to create your key, you will not need to use a password to start your secure Web server. However, we don't recommend that you disable the password feature for your secure Web server, since it decreases the level of security for your server.
C. If you're using Official Red Hat Linux Professional International Edition, type in the following single command, all on one line:
/usr/bin/openssl genrsa -rand /dev/urandom -out /etc/httpd/conf/server.key 2048
You will not be required to enter a password if you're using Official Red Hat Linux Professional International Edition.
3. Your key will be created and saved to a file named server.key.
If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
If you're using Official Red Hat Linux Professional International Edition, server.key will be located in /etc/httpd/conf.
The server.key file should be owned by root and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you lose the server.key file after using it to create your CSR and purchase a certificate, your certificate will no longer work and we will not be able to help you. Your only option would be to apply for a new certificate.
Step 2: Create the Certificate Signing Request
1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
A. If you're using Official Red Hat Linux Professional, type in the following command:
B. If you're using Official Red Hat Linux Professional International Edition, type in the following single command (all on one line):
/usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr
2. You will be prompted for your password (if you used a password when you generated your key). Type in the password, if necessary.
3. You'll see some instructions and you will be prompted for responses for the following X.509 attributes of the certificate (Your inputs will be incorporated into the CSR):
Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
Note: Please do not enter an email address, challenge password or an optional company name when generating the CSR.
Note: Thawte certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
4. When you've finished entering your information, a file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.
5. You have just created a key pair and a CSR.
6. Verify your CSR
7. The server.csr file contains your certificate request. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
8. Go to Enrollment.
During the verification process, Thawte may need to contact your organization. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.