

Heartbleed security vulnerability - OpenSSL 1.0.1 -> See here

Generate a CSR for Apache with OpenSSL

These instructions are suitable for any server using ApacheSSL, Apache+mod_ssl or Apache 2. Do not apply them to servers with an overlay (Cobalt, Plesk, etc.) or to Tomcat; for Tomcat, see Generate a CSR for Tomcat.

New: Use our command line generator

To save time, you can now generate your command line with our CSR creation assistant tool. Just copy and paste it to finish!

To install a certificate on Apache for Windows, you will need a cryptographic tool to generate the private key and the CSR. You can use OpenSSL for this: see Install OpenSSL on a Windows computer.

1- Generate the private key

  • Log in as root and go to the configuration directory of your Apache server.
    It is often:
        cd /etc/httpd/conf
    or
        cd /etc/apache/conf

  • We'll place our working files here, but you can choose another directory.
  • Choose a file name that suits you and generate the key with the following command:
    openssl genrsa 2048 > www.example.com.key

  • If you want this key to be protected by a password (which will be requested every time you restart Apache), add:

    "-aes256"   after "genrsa".


  • You can also enhance the quality of your key. To do so, add the option below after "genrsa":

    "-rand /var/log/messages".

    This seeds OpenSSL's random number generator with the contents of that file.

Make a backup copy of the .key file!

  • Protect your file with:
    chmod 400 www.example.com.key

2- Create your certificate request (CSR)

  • Use this command to generate the CSR:
    openssl req -new -key www.example.com.key > www.example.com.csr
  • The system will then ask you to fill in some fields. Follow the instructions on the page Obtain a server certificate.

    Country Name (2 letter code) []: (FR in France for example)
    State or Province Name (full name) [Some-State]: (your state or province name, name of your département in France)
    Locality Name (eg, city) []: (the name of your city)
    Organization Name (eg, company) []: (your organization name)
    Organizational Unit Name (eg, section) []: (do not fill - advised - or enter a generic term such as "IT Department".)
    Common Name (eg, YOUR name) []: (the name of the website to be secured)
    Email Address []: (leave blank)

  • Do not fill in fields such as: "A challenge password" or "An optional company name"

3- Finalize the order process

  • Use the appropriate link to place your order on our website. See Access an order form
  • Copy/paste the content of the www.example.com.csr file in the form.

Configuration and use options of OpenSSL

  • To generate the CSR, OpenSSL reads openssl.cnf by default, but on some platforms this file is not appropriate.

    In that case you can download ours:

  • For Apache under Windows, the instructions are the same. You just need to make sure you have installed Apache with OpenSSL first. Download it here. For the remaining instructions, just replace openssl with openssl.exe

OpenSSL and SHA256

By default, OpenSSL cryptographic tools are configured to make SHA1 signatures.
For example, to generate a SHA256-signed certificate request (CSR), add -sha256 to the command line, as in:

openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.mydomain.com.sha256.csr -keyout www.mydomain.key -subj "/C=FR/ST=Calvados/L=CAEN/O=TBS INTERNET/CN=www.mydomain.com"
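The script below is an added example, not part of the original instructions: it runs steps 1 and 2 without prompts using -sha256, then checks the CSR before it is pasted into an order form (the self-signature verifies, the request carries the public key of your private key, and it is SHA-256 signed). The function names make_csr and check_csr and the subject values are illustrative assumptions.

```shell
#!/bin/sh
# Added example: steps 1-2 without prompts, then checks on the resulting CSR.
# The file names and subject values used with it are placeholders.
# Usage: make_csr . www.example.com "/C=FR/L=CAEN/O=Example Org/CN=www.example.com" \
#          && check_csr www.example.com.key www.example.com.csr

# make_csr DIR NAME SUBJECT: writes DIR/NAME.key and DIR/NAME.csr
make_csr() {
    dir=$1; name=$2; subj=$3
    (
        # Restrictive umask: the key is never group/world readable,
        # not even in the moment between creation and chmod.
        umask 077
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    ) || return 1
    chmod 400 "$dir/$name.key"
    openssl req -new -sha256 -key "$dir/$name.key" -subj "$subj" \
        -out "$dir/$name.csr"
}

# check_csr KEY CSR: prints OK, or the first failed check, and returns 0/1
check_csr() {
    key=$1; csr=$2
    # 1. The request's self-signature must verify. Match the message text
    #    rather than relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "bad signature"; return 1; }
    # 2. The request must carry the public half of this private key.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key mismatch"; return 1; }
    # 3. The request must be signed with SHA-256, not SHA-1.
    openssl req -in "$csr" -noout -text 2>/dev/null \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "not sha256"; return 1; }
    echo OK
}
```

A "key mismatch" result means the CSR was generated from a different .key file than the one you plan to install, which would leave the issued certificate unusable on the server.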
