Heartbleed security vulnerability - OpenSSL 1.0.1 -> See here
Generate a CSR for Apache with OpenSSL
These instructions are suitable for any server using ApacheSSL, Apache+mod_ssl or Apache 2. However, do not apply them to servers with an overlay (Cobalt, Plesk, etc.) or to Tomcat: see Generate a CSR for Tomcat.
New: Use our command line generator
To save time, you can now generate your command line with our CSR creation assistant tool.
Just copy and paste to finish!
To install a certificate on Apache Windows, you will need a cryptographic tool to generate the private key and the CSR. To do so, you can use 'OpenSSL':
Install OpenSSL on a Windows computer
1- Generate the private key
- Log in as root and go to the configuration directory of your Apache server. It is often:
cd /etc/httpd/conf or cd /etc/apache/conf
- We'll place our working files here, but you can choose another directory.
- Choose a file name that suits you and generate the key with the following command:
openssl genrsa 2048 > www.example.com.key
- If you want this key to be protected by a password (which will be requested every time you restart Apache), add "-aes256" after "genrsa".
- You can also enhance the quality of your key. To do so, add the following option after "genrsa": "-rand /var/log/messages". It feeds the contents of that file to the random number generator as additional seed data.
- Make a backup copy of the .key file!
- Protect your file with:
chmod 400 www.example.com.key
2- Create your certificate request (CSR)
- Use this command to generate the CSR:
openssl req -new -key www.example.com.key > www.example.com.csr
- The system will then ask you to fill in fields. Follow the instructions on the page Obtain a server certificate:
Country Name (2 letter code) []: (FR in France for example)
State or Province Name (full name) [Some-State]: (your state or province name, name of your département in France)
Locality Name (eg, city) []: (the name of your city)
Organization Name (eg, company) []: (your organization name)
Organizational Unit Name (eg, section) []: (leave empty, which is advised, or enter a generic term such as "IT Department")
Common Name (eg, YOUR name) []: (the name of the website to be secured)
Email Address []: (leave blank)
- Do not fill in fields such as "A challenge password" or "An optional company name".
3- Finalize the order process
- Use the appropriate link to place your order on our website. See Access an order form
- Copy/paste the content of the www.example.com.csr file in the form.
Configuration and use options of OpenSSL
- To generate the CSR, OpenSSL reads openssl.cnf by default, but on some platforms this file is not appropriate. In that case you can download ours:
  - For DigiCert or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
  - For TBS X509 or Sectigo server certificates: openssl-dem-server-cert.cnf
  - For Certigna Server Client certificates: openssl-dem-certigna-srv-cli.cnf
- For Apache under Windows, the instructions are the same. You just need to make sure you have installed Apache with OpenSSL first. Download it here. For the remaining instructions, just replace openssl with openssl.exe.
OpenSSL and SHA256
By default, OpenSSL cryptographic tools are configured to make SHA1 signatures.
For example, if you want to generate a SHA256-signed certificate request (CSR), add -sha256 to the command line, as in:
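Added example (not part of the original page): steps 1 and 2 combined with the -sha256 option into one non-interactive script, which also checks the result before the CSR is pasted into an order form. The function names, the -subj values and the scratch directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Subject values are constructed samples.

# make_key_and_csr DIR FQDN SUBJECT
# Creates DIR/FQDN.key (2048-bit RSA, mode 400) and DIR/FQDN.csr (SHA256-signed).
make_key_and_csr() {
    dir=$1 fqdn=$2 subj=$3
    # umask inside a subshell: the key is never readable by group/others,
    # not even in the window between its creation and the chmod below.
    ( umask 077 && openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null ) || return 1
    chmod 400 "$dir/$fqdn.key" || return 1
    # -subj answers the interactive prompts; -sha256 selects the signature hash.
    openssl req -new -sha256 -key "$dir/$fqdn.key" -subj "$subj" -out "$dir/$fqdn.csr"
}

# csr_matches_key KEY CSR: true when the CSR carries the public half of KEY.
csr_matches_key() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    csr_mod=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# csr_sig_alg CSR: prints the signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_self_signature_ok CSR: true when the CSR's own signature verifies.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo in a scratch directory (constructed subject; www.example.com as on the page).
demo() {
    work=$(mktemp -d) || return 1
    make_key_and_csr "$work" www.example.com \
        "/C=FR/ST=Example State/L=Example City/O=Example Org/CN=www.example.com" &&
    csr_matches_key "$work/www.example.com.key" "$work/www.example.com.csr" &&
    csr_self_signature_ok "$work/www.example.com.csr" &&
    echo "CSR ok, signed with $(csr_sig_alg "$work/www.example.com.csr")"
    status=$?
    rm -rf "$work"
    return $status
}

demo
```

If you protect the key with -aes256 as described in step 1, the `openssl rsa` and `openssl req` calls will prompt for the passphrase.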
Useful links
- Generate an ECC CSR for Apache with OpenSSL
- Generate your command line with our CSR creation assistant tool.
- Install an Apache certificate
- All you need to know about 128-bit encryption
- Configure Apache for server certificate 128-bit guaranteed
- Install OpenSSL on a Windows machine
- All about SHA1 and SHA256
- Accented domain names (FQDN / SANs)
- Generate a CSR for RGS Certificates with Openssl