Creating a Certificate Signing Request (CSR/PKCS#10)
Here you can find information about creating a Certificate Signing Request (CSR/PKCS#10).
Detailed descriptions for many tools can be found in Sectigo's CSR instructions. For information about OpenSSL, see Apache (OpenSSL) or Nginx (OpenSSL).
Brief summary for Linux and similar Unix systems
Create a key and CSR using the openssl command-line tool. Mandatory fields are listed below; others can be left blank or will be filled in by Sectigo.
openssl req -new -utf8 -newkey rsa:2048 -nodes -keyout server.key -out server.csr
- C (Country Name) = SE
- ST (State or Province) = . Note: full stop/period
- O (Organization Name) = Kungliga Tekniska högskolan
- CN (Common Name) = server-fqdn.kth.se
Note:
- OU should be empty. (Previously, you may have used a KTH school or department.)
- ST should be empty, and "." (full stop) prevents openssl from using the default value "Some-State".
- O must be in Swedish, spelled correctly. The -utf8 command line option is necessary to spell KTH's name correctly. (Almost all modern systems use locale settings with UTF-8.)
Inspect the file server.csr using
openssl req -text -in server.csr -noout
If everything seems correct, paste it into the application on Sectigo's order page.
When the certificate is approved, you will receive an e-mail with links to download the certificate.
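The inspection step above can be scripted so that the subject rules from the notes are checked before the CSR is pasted into the order page. The shell functions below are an added example, not part of KTH's or Sectigo's instructions; the names check_subject and check_csr are hypothetical, and treating an FQDN as two or more dot-separated labels is an assumption.

```shell
# Added example: pre-submission check of a CSR subject (hypothetical helper names).

# check_subject: reads a subject in OpenSSL "multiline" name format on stdin,
# prints one line per violated rule, and returns non-zero if any rule fails.
check_subject() {
    awk '
    {
        i = index($0, "=")
        if (i == 0) next
        name = substr($0, 1, i - 1); value = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (name != "subject") seen[name] = value   # skip the "subject=" header
    }
    END {
        bad = 0
        if (seen["countryName"] != "SE") { print "C must be SE"; bad = 1 }
        if (seen["organizationName"] != "Kungliga Tekniska högskolan") {
            print "O must be exactly: Kungliga Tekniska högskolan"; bad = 1
        }
        # Assumption: an FQDN means two or more dot-separated host labels.
        if (seen["commonName"] !~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/) {
            print "CN must be the server FQDN"; bad = 1
        }
        if ("organizationalUnitName" in seen) { print "OU must be empty"; bad = 1 }
        if ("stateOrProvinceName" in seen) { print "ST must be empty"; bad = 1 }
        exit bad
    }'
}

# check_csr FILE: print the CSR subject as UTF-8 (not \xNN escapes) and check it.
check_csr() {
    openssl req -in "$1" -noout -subject -nameopt multiline,utf8,-esc_msb |
        check_subject
}

# Usage: check_csr server.csr && echo "subject OK"
```

A misspelled organization name (for example "hogskolan" produced by a non-UTF-8 terminal) is reported here instead of surfacing later in the order process.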
Installing OpenSSL in Windows
- Download the latest OpenSSL for Windows from http://slproweb.com/products/Win32OpenSSL.html.
- Start installation and choose to install under C:\OpenSSL
- Choose to place the settings file (openssl.cfg) under the C:\OpenSSL\bin\ directory; the installation will then complete.
Create the directory C:\ssl_certs
Set the environment variables below in Windows, or type them in the cmd window when creating certificates.
Environment variables
set opensslbin=C:\OpenSSL\bin
set RANDFILE=C:\OpenSSL\bin\.rnd
set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cfg
Directory structure
C:\OpenSSL\ ← contains OpenSSL
C:\ssl_certs\ ← Directory used to create certificates.
Creating certificates in Windows
- Start a command window, go to the directory C:\ssl_certs\.
Create a private key and CSR using the command below. The server name must be an FQDN. Note: do not set OU (see above).
%opensslbin%\openssl req -out .\servername_date.csr -new -sha256 -newkey rsa:2048 -nodes -subj "/ST=Stockholm/L=Stockholm/CN=servernamn.ug.kth.se/O=Kungliga Tekniska högskolan/C=SE" -keyout .\servername_date.key
- Paste the contents of the CSR file into Sectigo's portal. You can add more names (Subject Alternative Names, SAN) if you did not do so in the openssl command above.
Installation of certificate
- When the certificate has been approved, copy the PEM file to C:\ssl_certs\ and rename it to servername_date.pem
- Add the certificate chain to the certificate (for Java keystore, etc).
- Copy the PEM file to fqdn.pem.backup
- Open in Notepad++ and paste the full certificate chain (links are in the approval e-mail, use the link with the entire chain) into the PEM file, after the server's certificate
- Create a PFX file using the command below. Enter a password for the PFX file.
%opensslbin%\openssl pkcs12 -export -out servername_date.pfx -inkey servername_date.key -in servername_date.pem
- Copy the PFX file to the server, and install in the personal account.