Generate a Certificate Signing Request (CSR)

Apache 2.x

Follow these instructions to generate a CSR for your Web site. When you have
completed this process, click the “close” button below to close this window
and continue to the next step. OpenSSL is the open source project that replaced
SSLeay. If you are using SSLeay on your system instead of OpenSSL, substitute
ssleay for openssl in the commands.

If you have not already set up a secure virtual host or would like
to learn more about SSL, refer to the following link for more information:

Note: The examples below use the following naming conventions:
“Your Private Key” = “domainname.key”; “Your Web Server Certificate” = “domainname.crt”

  1. Install OpenSSL, if not found on your server. (The OpenSSL version should
    match your Apache version)

  2. Create an RSA private key for your Apache server, encrypted with triple-DES
    and in PEM format:

    openssl genrsa -des3 -out domainname.key 2048

    Warning: Back up this key and its passphrase. If you
    lose the private key or forget its passphrase, you must purchase another

  3. You could also create a private key without triple-DES encryption:

    openssl genrsa -out domainname.key 2048

    You can view the contents of the private key by using the following command:

    openssl rsa -noout -text -in domainname.key

    The private key text should begin with -----BEGIN RSA PRIVATE KEY----- and
    end with -----END RSA PRIVATE KEY-----.

  4. Now create a Certificate Signing Request using the RSA
    private key created above (output will be PEM format):

    openssl req -new -key domainname.key -out domainname.csr

    * Note: You will be prompted for your PEM passphrase if you included the “-des3”
    switch when you created the private key.

  5. When creating a CSR you must follow these conventions. Enter the information
    to be displayed in the certificate. The following characters cannot be accepted:
    < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

    DN Field            Explanation                                        Example

    Common Name         The fully qualified domain name for your web
                        server. This must be an exact match.
                        If you intend to secure the URL,
                        then your CSR’s common name must be
    Organization        The exact legal name of your organization.
                        Do not abbreviate your organization name.
    Organization Unit   Section of the organization                        Marketing
    City or Locality    The city where your organization is legally        Wellesley Hills
    State or Province   The state or province where your organization
                        is legally located. Cannot be abbreviated.
    Country             The two-letter ISO abbreviation for your country.  US

  6. You will be prompted for extra attributes (i.e., a challenge password and
    optional company name); we recommend you leave these attributes empty (just
    hit Enter).

    You can verify the contents of your CSR by using the following command:

    openssl req -noout -text -in domainname.csr

  7. Submit your CSR to GeoTrust – you will be asked to complete the agreement
    and the enrollment form as well.
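
The key, CSR and verification steps above as one non-interactive script, with checks to run before submitting the request (an added example, not part of the original instructions). It uses the unencrypted-key variant and a 2048-bit key so that it runs without prompts; www.example.com, Example Corp, Massachusetts and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Subject values are constructed.

# make_csr DIR FQDN SUBJECT [BITS]: unencrypted RSA key plus CSR, no prompts.
make_csr() {
    local dir="$1" fqdn="$2" subj="$3" bits="${4:-2048}"
    # umask in a subshell: the key file is created readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/$fqdn.key" "$bits" 2>/dev/null ) || return 1
    # -subj supplies the DN fields; no challenge password or extra attributes.
    openssl req -new -key "$dir/$fqdn.key" -subj "$subj" -out "$dir/$fqdn.csr"
}

# csr_cn CSR: print the Common Name ("CN = x" and "/CN=x" output styles).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# check_csr KEY CSR FQDN [MIN_BITS]: return 0 only if every check passes.
check_csr() {
    local key="$1" csr="$2" fqdn="$3" min_bits="${4:-2048}" key_mod csr_mod hex
    # 1. Self-signature: catches a truncated or edited request.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "CSR signature does not verify" >&2; return 1; }
    # 2. The request must contain the public half of this private key.
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$csr_mod" ]; then
        echo "CSR was not made from this key" >&2; return 1
    fi
    # 3. Key size: the modulus is printed in hex, 4 bits per digit.
    hex="${csr_mod#Modulus=}"
    [ $(( ${#hex} * 4 )) -ge "$min_bits" ] \
        || { echo "key shorter than $min_bits bits" >&2; return 1; }
    # 4. Common Name must be an exact match for the site's FQDN.
    [ "$(csr_cn "$csr")" = "$fqdn" ] \
        || { echo "Common Name is not $fqdn" >&2; return 1; }
}

# Demo: constructed sample subject, written to a throwaway directory.
demo_dir=$(mktemp -d)
demo_subj="/C=US/ST=Massachusetts/L=Wellesley Hills/O=Example Corp/OU=Marketing/CN=www.example.com"
make_csr "$demo_dir" www.example.com "$demo_subj" \
    && check_csr "$demo_dir/www.example.com.key" "$demo_dir/www.example.com.csr" www.example.com \
    && echo "CSR ready: $demo_dir/www.example.com.csr"
```

For a passphrase-protected key, openssl prompts for the passphrase in make_csr and check_csr, so those steps are then interactive.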