SSL certificate and certificate signing requests have been causing me some trouble over the last few days; and as I have it all sorted, but will need to do it all again in a year's time: here's the process I used.
I'm just looking to generate a certificate for a single subdomain at a time, from the linux command line for use on a server (actually a Digital Ocean droplet), where I have root access. This means I can generate private keys locally, and not have them leave the server where they're generated and used.
For SSL you're looking to make three files:
keythat your server will use to make the https connections This should not be disclosed.
A certificate signing request
csrthat you generate from the key and send to the ssl certificate provider. This includes the public form of the private key.
crtback from the ssl certificate provider that will respond with. This is used by the server to 'prove' that the private key comes from the entity that it claims to.
First up, generate the certificate:
openssl genrsa -out my.server.com.key 2048
This will generate a
2048 bit key (you could choose
my.server.com.key. Using the domain name of the server you're generating keys for will make this easier when you come back at a later date, or when you have several CSRs that you're sending out!
I've created a private key without a password, so the server can read the key on restart without any outside interaction.
Next create the certificate signing request (CSR):
openssl req -new -key my.server.com.key -out my.server.com.csr
This gives you a new file,
my.server.com.csr that you can send to your SSL certificate provider for them to sign. Your private key that was generated before doesn't go anywhere, but the
.csr can be safely sent out.
As part of generating the CSR, you'll need to fill in your personal/company details that the certificate will be verified against. While you don't have to fill in all of these, I filled in the first 7.
Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) : Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) : Common Name (e.g. server FQDN or YOUR name) :my.server.com Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
One of the problems I had was a continued refusal of the CSR I was generating by the SSL provider. It turns out that it was all to do with the Country Name I'd supplied. I was using
UK instead of the ISO 2-letter country code of the UK, which is
GB. Setting this to
GB sorted everything out for me.
If it all goes well, you'll have a CSR that you can send to your chosed SSL provider, and they will send a
crt certificate in response. They may require you to also include an intermediate certificate with the one you receive. This can be concatenated onto the end of the certificate so your server will only need a single file.
It's also possible to self sign a certificate for use immediately. It won't be suitable for use publicly because every visitor will get a warning that the certificate has been signed by an entity that their browser doesn't trust, but it might be useful if you want to test straight away, or you don't need to provide public access.
To generate a self-signed certificate:
openssl x509 -req -days 365 -in my.server.com.csr -signkey my.server.com.key -out my.server.com.crt