Packetwatch.net

Generate a CSR for Apache in Red Hat Enterprise Linux



Last modified: Jan. 23, 2014

Contents
1 - Summary
2 - Generate CSR
3 - Upload to CA
4 - Download SSL certicate
5 - Configure Apache


1 - Summary

This guide will show how to create a Certificate Signing Request (CSR) for use
by Apache in Red Hat Enterprise Linux. A CSR is needed in order to buy an SSL
certificate from a Certification Authority (CA) that sell SSL certificates.
The CSR is uploaded to the CA where the SSL certificate is being brought from
and then the CA generates the SSL certificate and then it's available for
download. This has been tested in Red Hat Enterprise Linux 6 (x86_64).


2 - Generate CSR

In our example, we will create a CSR for a wildcard SSL certificate. We will
use the test.com domain. Log in to the server and run this to create a key with
a passphrase.
# openssl genrsa -aes256 -out test.com.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................................++
...............................................................++
e is 65537 (0x10001)
Enter pass phrase for test.com.key:
Verifying - Enter pass phrase for test.com.key:
# ls -1 test*
test.com.key

Strip out the passphrase for Apache.
# openssl rsa -in test.com.key -out test.com.key.alt
Enter pass phrase for test.key:
writing RSA key
# ls -1 test*
test.com.key
test.com.key.alt

Pass in the key and generate a CSR request. Hit Enter when asked about the
extra attributes. One thing to note is that in this case we are generating
a CSR for a wildcard domain, so we put the Comman Name as *.test.com. If we
would be generating a CSR for single website, we would put the Common Name
as www.test.com or whatever that single website address is.
# openssl req -new -key test.com.key.alt -out test.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:********
Locality Name (eg, city) [Default City]:********
Organization Name (eg, company) [Default Company Ltd]:Test
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*.test.com
Email Address []:certificates@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls -1 test*
test.com.csr
test.com.key
test.com.key.alt


3 - Upload to CA

Upload the test.com.csr file to the Certification Authority (CA).


4 - Download SSL certificate

The CA will contact you when the SSL certificate has finished being generated.
Download the SSL certificate from the CA and make sure to specify that it's for
Apache.


5 - Configure Apache

Copy the files to the server.
# sudo mkdir -p /etc/httpd/ssl/test
[sudo] password for testuser:
# sudo cp test.* /etc/httpd/ssl/test/
[sudo] password for testuser:
# sudo chown root:root /etc/httpd/ssl/test/test.*
[sudo] password for testuser:
# sudo chmod 644 /etc/httpd/ssl/test/test.*
[sudo] password for testuser:
# ls -1 /etc/httpd/ssl/test/
test.com.crt
test.com.csr
test.com.key
test.com.key.alt
gd_bundle-g2-g1.crt

The following lines will needed in the configuration file for Apache. This
could either be in httpd.conf or ssl.conf.
  SSLCertificateFile /etc/httpd/ssl/test/test.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl/test/test.com.key.alt
  SSLCertificateChainFile /etc/httpd/ssl/test/gd_bundle-g2-g1.crt

Apache will need to be restarted due to the SSL certificate.
# sudo service httpd restart
[sudo] password for testuser:


Last modified: Thu Jan 1 00:00:00 1970 UTC
Packetwatch Research 2002-2017.