Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku

In order to activate your Certificate, you need a CSR code.

A CSR, or Certificate Signing Request, is a block of encoded text that you submit to a Certificate Authority when applying for an SSL Certificate.

It is typically generated on the server where the Certificate will be installed and should contain information about your website and business which will then be encoded into the Certificate.


CSR Information

Please ensure you fill out the CSR code details correctly. This should speed up the process of obtaining the SSL. Furthermore, the validation process for OV and EV SSL certificates requires that business details be entered accurately.

  • Common Name (the domain name the Certificate will be issued for)

    For example - example.com

    Note! For Wildcard certificates, the Common Name should be represented with an asterisk in front (e.g. *.example.com).

  • Country (two-letter code)

    Country (C) – the two-letter code of the country where the company or applicant is located (for example, GB for Great Britain or US for the United States; you can check your country code here.)

  • State (or province)

    State (S) – the state, county or region the company or applicant is located in (e.g. California).

  • Locality (or city)

    Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.

  • Organization (your company name. Feel free to put "NA" here for any Domain Validated certificate)

    Organization (O) – the officially registered name of the organization that is applying for a certificate (e.g. Namecheap Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with "NA".

  • Organizational Unit (department. Feel free to put "NA" here for any Domain Validated certificate)

    Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).

  • Email address (put a valid email address here)

    Email Address – an email address of the company or the applicant. This field is optional.

    Note! This email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.

  • Challenge Password and Optional Company Name - please do not use challenge password and leave Optional Company Name field empty too. These values are now obsolete and may cause issues with getting the SSL certificate.

Key Algorithm

Generally, OpenSSL is used for CSR generation on Linux-based web servers (Apache or Nginx). If the default web server is installed, OpenSSL will normally have been installed alongside it, so there should be no issues with using it.

Now, you need to decide which key algorithm you want to use.

RSA key algorithm is the most commonly used algorithm nowadays. Click here for details.

ECDSA key algorithm is a modern technology that is used for the creation of ECC certificates. Details are here.

SSH Setup

The CSR will be generated on the server side, so you will need to connect to it via the SSH.

SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.

In order to connect to your server via SSH, you will need the IP-address, username, password and SSH client (any will do, for example: ZOC Terminal; PuTTY; OpenSSH; MobaXterm; SecureCRT) installed.

The IP-address, username, and password can be obtained from your hosting provider.



File location

We recommend creating a folder to safely store the SSL files in. This folder can also be used to run the commands to generate the CSR.

When you generate a CSR (.csr file), a Private key (.key file) will be generated at the same time. It is critical that you don’t lose the Private key as it will not be possible to get another one later. A Private key that corresponds to an SSL is necessary for installation. If you lose the Private key, you will need to generate another CSR and restart the whole process.

Please do not share your Private key with anyone. This is bad practice; it must remain private at all times. One of the key reasons is that the Certificate Authority can revoke a certificate if its private key was compromised.

You can create an SSL folder in your home directory as an alternative option. Please use the following command to do so:

mkdir ~/ssl

Then, move to that folder by running:

cd ~/ssl



RSA

The RSA algorithm is an asymmetric cryptography algorithm. This basically means that there are two keys involved while communicating, i.e., the Public key and Private key. The RSA key algorithm is the algorithm most widely used in digital security. You can refer to this article for more information.

You can run the following commands to generate the CSR. We recommend running this command in the folder where you will store the SSL files to avoid confusion later on.

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Note! To avoid confusion, we recommend replacing server.key and server.csr with the real domain name the certificate will be issued for.

For example:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain_tld.key -out yourdomain_tld.csr

When you run the command, you will be prompted to enter the values (Common name (CN), Locality (L), State (S), Country (C), Organization (O), Organization Unit (OU), Email Address) in the terminal. You can refer to this section to find out which information should be entered.

Warning! If the command fails, please refer to this section here.

The CSR should not contain characters such as '?', '@', '#', '$', '%', '^', '&' and '*' as they will cause issues. The only non-alphanumeric character permitted is the backslash '\'.

It is possible to generate a CSR with the following command:

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=GB/ST=Yorks/L=York/O=My Company Ltd./OU=IT/CN=example.com"

You will need to specify the details in the command itself. You can refer to this section for the details that should be included.

Additional Flags in the CSR RSA

To generate a CSR code with the Street address value included, add the 'Subject' ('-subj') tool with the corresponding data to the command as follows:

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=GB/ST=Yorks/L=York/O=My Company Ltd./OU=IT/CN=example.com/streetAddress=Example Avenue 1"

The command with the zip code included in the address should look like this:

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/ST=Example/L=Example/O=Example Inc Ltd./OU=Example/CN=example.com/streetAddress=Example 1/postalCode=123456"

It is also possible to generate a CSR for a Multi-Domain SSL certificate via one line with all SANs (Subject Alternative Names).

openssl req -new -addext "subjectAltName = DNS:additionaldomain1.com,DNS:www.additionaldomain2.com,DNS:www.additionaldomain3.com" -addext "certificatePolicies = 1.2.3.4" -newkey rsa:2048 -keyout server.key -nodes -out server.csr



ECC

The Elliptic Curve Discrete Logarithm Problem (ECDLP) needs to be solved in order to break the ECDSA key, and there has been no major progress so far to achieve this. Thus, an ECC certificate provides a better security solution and is more difficult to break using the usual hacker’s "brute force" methods.

You can run the following commands to generate a CSR. We recommend running this command in the folder where you will store the SSL files to avoid confusion in the future.

In the OpenSSL cryptographic library you can use this algorithm for CSR code generation by using the commands below:

openssl ecparam -genkey -name secp384r1 | openssl ec -out ecc.key

openssl req -new -key ecc.key -out ecc.csr

Note! You will need to run the first command before running the second one as the CSR will be based on the key that’s generated by the first command. So, you need to make sure the name of the file matches.

Warning! If the command fails, please refer to the section here.

Example:

You run:

openssl ecparam -genkey -name secp384r1 | openssl ec -out yourdomain.key

Then, the next command will be:

openssl req -new -key yourdomain.key -out ec.csr

Note! When you run the second command, you will be prompted to enter the values (Common name (CN), Locality (L), State (S), Country (C), Organization (O), Organization Unit (OU), Email Address) right away in the terminal. For more information, refer to this section about which information should be entered.

Note! The CSR should not contain characters such as '?', '@', '#', '$', '%', '^', '&' and '*' as they will cause issues. The only non-alphanumeric character that can be used is the backslash '\'.

Additional Flags in the CSR ECC

It is also possible to generate a CSR for a Multi-Domain SSL certificate via one line with all SANs (Subject Alternative Names).

The command can be modified with the -addext subjectAltName extension as well as -subj to make a proper one-liner (the <( ... ) process substitution that supplies the curve parameters requires bash or zsh):

openssl req -new -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout bare_ec.key -out bare_ec.csr -subj "/C=GB/ST=Yorks/L=York/O=My Company Ltd./OU=IT/CN=example.com" -addext "subjectAltName = DNS:additionaldomain1.com,DNS:www.additionaldomain2.com,DNS:www.additionaldomain3.com"
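The following script is added here as an example and is not part of the original article. It ties together the RSA and ECC commands above: it uses the two-step key-then-request form shown in the ECC section for both algorithms, refuses a subject containing the characters the article warns about (a wildcard CN is still allowed), creates the private key readable by its owner only, and checks that the CSR's self-signature is valid and that its public key belongs to the private key you are going to keep, before you submit it. Function names, file names and the sample subject and SAN values are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: generate an RSA or ECC key and
# CSR non-interactively, then check the CSR before sending it to the CA.
# Function and file names and the demo subject/SAN values are this example's own.
set -eu

# The article says '?', '@', '#', '$', '%', '^', '&' and '*' must not appear in
# the subject; refuse such a subject before any key material is created.
# A wildcard CN (/CN=*.example.com) is legitimate and is exempted from the check.
check_subject() {
    if printf '%s\n' "$1" | sed 's#/CN=\*\.#/CN=#' | grep -q '[?@#$%^&*]'; then
        echo "subject contains a disallowed character: $1" >&2
        return 1
    fi
}

# gen_csr <rsa|ecc> <basename> <subject> [SANs, e.g. DNS:a.com,DNS:www.a.com]
# Writes <basename>.key (mode 0600, owner only) and <basename>.csr.
gen_csr() {
    base=$2; subj=$3; san=${4:-}
    check_subject "$subj" || return 1
    case "$1" in
        rsa) (umask 077; openssl genrsa -out "$base.key" 2048 2>/dev/null) ;;
        ecc) (umask 077; openssl ecparam -genkey -name secp384r1 -noout -out "$base.key") ;;
        *)   echo "use rsa or ecc, not '$1'" >&2; return 1 ;;
    esac || return 1
    if [ -n "$san" ]; then
        openssl req -new -key "$base.key" -out "$base.csr" -subj "$subj" \
            -addext "subjectAltName=$san"
    else
        openssl req -new -key "$base.key" -out "$base.csr" -subj "$subj"
    fi
}

# verify_csr <key> <csr>: the CSR's self-signature must check out and its public
# key must be the one derived from the private key you are going to keep.
verify_csr() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 &&
    [ "$(openssl req -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# csr_sans <csr>: print the SAN list exactly as the CA will see it.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Usage: ./gen_csr.sh rsa example_com "/C=GB/ST=Yorks/L=York/O=My Company Ltd./OU=IT/CN=example.com" "DNS:example.com,DNS:www.example.com"
if [ $# -ge 3 ]; then
    gen_csr "$@"
    verify_csr "$2.key" "$2.csr" || { echo "CSR does not match $2.key" >&2; exit 1; }
    openssl req -in "$2.csr" -noout -subject; csr_sans "$2.csr"
fi
```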



After the CSR is generated

Once you’ve generated your CSR you can use it to activate your SSL certificate.

To do this, you will need to copy the CSR code. Do this by running the command:

ls

You should see a list of the files present in the current folder.

Locate the file with the “.csr” extension and open it with this command:

cat filename.csr

Here, "filename" should be substituted with the name you specified in the CSR generation command.

The CSR code will begin and end with the following tags which should be copied too:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----



Possible Errors

When you run the previously mentioned commands, you may encounter the following error message: “OpenSSL is not recognized as an internal or external command”

This could mean that the OpenSSL library was not installed or the %PATH% specified during the installation process was not correct.

You can verify the installation of the OpenSSL library via this command:

dpkg -l 'openssl*'

You should get a response featuring “ii”. If the response does not contain “ii”, it means that there are issues with OpenSSL Libraries. If this is the case, you will need to contact your hosting provider/web-developer.
