Managed PKI for SSL Support - CSR Generation for Redhat Secure Web Server - VeriSign UK Ltd.

Managed PKI for SSL Support

CSR Generation for Redhat Secure Web Server

To generate a CSR, you first need to create a key pair for your server. The public and private keys make up a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match, and you will have to request a new SSL Certificate from your Managed PKI for SSL Administrator.

VeriSign recommends that you contact the Redhat Secure Web Server vendor for additional information. 

Step 1: Generate a Private Key

If you are using Official Red Hat Linux Professional, you can choose whether or not to enable the password feature. If you enable it, you will have to enter the password every time you start your secure server. VeriSign recommends that you use the password feature to increase the level of security.

With Password Feature

  1. Use the cd command to move to the /etc/httpd/conf directory.
  2. As root, type the command: ‘make genkey’
  3. Your key will be generated and you will be asked to enter and confirm a password. You will need to enter this password every time you start your secure Web server.
  4. Your key will be created and saved to a file named server.key. If you are using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.

Without Password Feature

  1. Use the cd command to move to the /etc/httpd/conf directory.
  2. As root, type the following command, all on one line:   
    ‘/usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 1024’
  3. Set the correct permissions on your key with the command:   
    ‘chmod go-rwx ssl.key/server.key’
  4. Your key will be created and saved to a file named server.key. If you are using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.

Step 2: Create the Certificate Signing Request

  1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
    • For Official Red Hat Linux Professional, type in the following command:   
      ‘make certreq’
    • For Official Red Hat Linux Professional, International Edition, type in the following command (all on one line): 
      ‘/usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr’
  2. If you used a password when generating your key, you will be prompted for it.
  3. Enter information as prompted. Your inputs will be incorporated into the CSR.
  4. A file named server.csr will be created. If you are using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.
  5. You have just created a key pair and a CSR.
  6. The server.csr file contains your certificate request. To copy and paste the information into the enrolment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
  7. Go to your MPKI for SSL enrolment pages. (Your administrator will provide you with this URL.)
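
The checks below are an added example, not part of VeriSign's instructions: before pasting server.csr into the enrolment form, they confirm that the CSR was made from the key you still hold, that the key file has the permissions set by chmod go-rwx, and which Common Name the CSR carries. It assumes openssl is on the PATH; the function names are hypothetical, and the 2048-bit sample keys and subject are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity checks for a server.key / server.csr pair before enrolment.

# Succeeds only if the CSR carries the public half of the given private key.
# A key created with the password feature makes openssl prompt for the password.
csr_matches_key() {   # usage: csr_matches_key KEY CSR
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$csr_pub" ]
}

# Succeeds only if group and other have no access (the result of chmod go-rwx).
key_is_private() {    # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the Common Name stored in the CSR.
csr_common_name() {   # usage: csr_common_name CSR
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Builds constructed, throwaway keys and a CSR in DIR (not real enrolment data).
make_sample() {       # usage: make_sample DIR
    ( umask 077
      openssl genrsa -out "$1/server.key" 2048 2>/dev/null
      openssl genrsa -out "$1/other.key" 2048 2>/dev/null
      openssl req -new -key "$1/server.key" -out "$1/server.csr" \
          -subj "/C=GB/ST=Surrey/L=Guildford/O=Company/OU=IT/CN=www.company.co.uk" )
}

run_checks() {        # usage: run_checks KEY CSR
    key_is_private "$1" || { echo "FAIL: key readable by group/other"; return 1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR was not made from this key"; return 1; }
    echo "OK: CN=$(csr_common_name "$2")"
}

dir=$(mktemp -d) && make_sample "$dir"
run_checks "$dir/server.key" "$dir/server.csr"          # the pair generated together
run_checks "$dir/other.key" "$dir/server.csr" || true   # a regenerated key no longer matches
rm -rf "$dir"
```

On a real server, call run_checks with the paths to your own server.key and server.csr instead of the sample files.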

Terms Defined

Common Name

The Common Name is the Host + Domain Name. It looks like "www.company.co.uk" or "company.co.uk".

VeriSign certificates can only be used on Web servers using the Common Name specified during enrolment. For example, a certificate for the domain "domain.co.uk" will produce a warning when a site named "www.domain.co.uk" or "secure.domain.co.uk" is accessed, because "www.domain.co.uk" and "secure.domain.co.uk" are different from "domain.co.uk".

Organisation Information

  • If your company or department has an &, @, or any other symbol typed with the Shift key in its name, you must spell out the symbol or omit it to enrol.
  • The “Org Unit” field is the name of the department or organisation unit making the request.
  • The Locality field is the city or town name, for example: Guildford.
  • Do not abbreviate the county name, for example: Surrey.
  • Use the two-letter code without punctuation for country, for example: GB.

Contact Information

Your Managed PKI for SSL Administrator will be responsible for issuing the certificate to you after your enrolment has been completed. Please contact them for assistance.


© 2003 - 2008 VeriSign UK Limited. All rights reserved.
5/15/08 10:00 PM