4.7. Generating an SSL Certificate Signing Request (CSR)
Problem
You want to obtain an SSL certificate from a trusted certifying authority (CA).
Solution
Generate a Certificate Signing Request (CSR):
Red Hat:
$ make -f /usr/share/ssl/certs/Makefile filename.csr
SuSE or other:
$ umask 077
$ openssl req -new -out filename.csr -keyout privkey.pem
and send filename.csr to the CA.
Discussion
You can obtain a certificate for a given service from a well-known Certifying Authority, such as Verisign, Thawte, or Equifax. This is the simplest way to obtain a certificate, operationally speaking, as it will be automatically verifiable by many SSL clients. However, this approach costs money and takes time.
To obtain a certificate from a commercial CA, you create a Certificate Signing Request:
$ make -f /usr/share/ssl/certs/Makefile foo.csr
This generates a new RSA key pair in the file foo.key, and a certificate request in foo.csr. You will be prompted for a passphrase with which to encrypt the private key, which you will need to enter several times. You must remember this passphrase, or your private key is forever lost and the certificate, when you get it, will be useless.
openssl will ask you for the components of the certificate subject name:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's ...
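Before sending the request to the CA, it is worth confirming that the CSR is well formed, that it carries the public half of the private key you kept, and that the key file is readable only by its owner. The following script is an added example, not part of the original recipe: it creates a CSR non-interactively and runs those checks. The function names, the CSR_PASS variable, the -newkey rsa:2048 key size, the subject fields, and the passphrase are assumptions made for the demonstration.

```shell
# Added example: create a CSR as in the recipe, then check it before sending.
# Function names, subject fields and the passphrase are constructed for the demo.

# make_csr DIR SUBJECT: write DIR/privkey.pem (encrypted) and DIR/filename.csr.
# The key passphrase is read from the CSR_PASS environment variable.
make_csr() {
    (
        umask 077    # as in the recipe: new files are owner-only
        openssl req -new -batch -newkey rsa:2048 -subj "$2" \
            -passout env:CSR_PASS \
            -keyout "$1/privkey.pem" -out "$1/filename.csr" 2>/dev/null
    )
}

# key_mode FILE: print FILE's permission bits in octal (GNU stat, then BSD stat).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# csr_self_check CSR: succeed if the request's self-signature verifies.
# Matches the message text rather than trusting the exit status alone.
csr_self_check() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: succeed if CSR contains the public half of KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:CSR_PASS -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# csr_subject CSR: print the subject name the CA will see.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Demo run in a throwaway directory with constructed values.
CSR_PASS='constructed-demo-passphrase'; export CSR_PASS
demo_dir=$(mktemp -d)
make_csr "$demo_dir" '/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=www.example.com'
csr_self_check "$demo_dir/filename.csr" && echo "self-signature: ok"
csr_matches_key "$demo_dir/filename.csr" "$demo_dir/privkey.pem" && echo "key match: ok"
echo "private key mode: $(key_mode "$demo_dir/privkey.pem")"
csr_subject "$demo_dir/filename.csr"
rm -rf "$demo_dir"
```

For a real request, run csr_self_check, csr_matches_key and csr_subject against your own filename.csr and privkey.pem, and enter the passphrase at the prompt rather than exporting it in the environment.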