Generate a Certificate Signing Request (CSR)
If you want to provide secure communications between your web server and the clients that visit your website, you're going to need a TLS/SSL certificate signed by a publicly trusted Certificate Authority (CA). The CA issues that certificate in exchange for a Certificate Signing Request (CSR), which you generate from a private key that never leaves your server.
This page outlines how to generate the key and the CSR, and what to do with the certificate once the CA sends it back.
Prerequisites:
- OpenSSL
- Domain Name
- Entity information (name, address, etc.)
Steps
Create a CSR in 3 easy steps
- Use this command to create your working directory and change into it so everything is in one place. You can change my_certs to anything you want.
mkdir my_certs && cd my_certs
- Use this command to generate an encrypted private key. Use at least 2048 bits (public CAs no longer accept 1024-bit keys) and AES-256 rather than 3DES for the encryption. If you set a pass-phrase here, you'll have to enter it every time the web server starts. You should still set one; we can remove it later, once the CSR is done. If you lose or forget the pass-phrase there is no way to recover the key: you'll have to generate a new key and CSR and have the CA reissue the certificate, which, depending on your provider, may cost money.
openssl genrsa -aes256 -out toddsmith.org.key 2048
- Next, use this command to create a CSR from the RSA private key. OpenSSL will prompt for the subject fields listed below. Stick to letters, digits and spaces: OpenSSL itself accepts anything, but most CAs reject CSRs whose subject contains special characters (< > ~ ! @ # $ % ^ * / \ ( ) ? . , &). You'll need the following information:
- Common Name: the fully qualified host name of your website, for example www.toddsmith.org. Browsers no longer match on the Common Name but on the Subject Alternative Name (SAN) extension; most CAs copy the CN into the SAN for you, but if the certificate must also cover the bare domain (toddsmith.org) you have to ask for that name explicitly.
- Organization: your name or the legal name of your company.
- Organizational Unit: the department you work in or that this server provides service for, for example IT Services.
- City: the city where you or your organization are located.
- State: the state or province where you or your organization are located.
- Country: the two-letter ISO code for your country, for example US.
openssl req -new -sha256 -key toddsmith.org.key -out toddsmith.org.csr
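The three steps above, as an added example that is not code from the original post: it runs the same key and CSR generation non-interactively, goes a little beyond the text by adding a Subject Alternative Name for both www.toddsmith.org and toddsmith.org, and checks the CSR before it goes to the CA. The domain, the subject fields, the file names and the KEY_PASS environment variable are constructed demo values.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the key and CSR from
# the steps above non-interactively, with a Subject Alternative Name, and check
# the CSR before it goes to the CA.
# Assumptions (constructed demo values): the domain toddsmith.org, the subject
# fields below, and a pass-phrase supplied through the KEY_PASS environment
# variable so that nothing has to be typed at a prompt.
set -eu

# make_csr DOMAIN DIR: encrypted 2048-bit RSA key plus a CSR for www.DOMAIN and DOMAIN.
make_csr() {
  domain="$1"; dir="$2"
  mkdir -p "$dir"
  # 2048 bits is the minimum public CAs accept; AES-256 replaces 3DES for wrapping.
  openssl genrsa -aes256 -passout env:KEY_PASS -out "$dir/$domain.key" 2048 2>/dev/null
  chmod 600 "$dir/$domain.key"
  # A small config file replaces the interactive prompts and adds the SAN
  # extension that browsers actually check (the CN alone is not enough).
  cat > "$dir/$domain.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[dn]
C  = US
ST = Oregon
L  = Portland
O  = Todd Smith
OU = IT Services
CN = www.$domain

[ext]
subjectAltName = DNS:www.$domain, DNS:$domain
EOF
  openssl req -new -sha256 -key "$dir/$domain.key" -passin env:KEY_PASS \
    -config "$dir/$domain.cnf" -out "$dir/$domain.csr"
}

# check_csr DOMAIN DIR: succeeds only if the CSR's self-signature verifies, the
# SAN lists both names and the key is 2048 bits. Run this before uploading the CSR.
check_csr() {
  domain="$1"; dir="$2"
  openssl req -in "$dir/$domain.csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$dir/$domain.csr" -noout -text)
  echo "$text" | grep -q "DNS:www.$domain" || return 1
  echo "$text" | grep -q "DNS:$domain" || return 1
  echo "$text" | grep -q "Public-Key: (2048 bit)" || return 1
}

# csr_subject DOMAIN DIR: print the subject so it can be compared with what the CA issues.
csr_subject() {
  openssl req -in "$2/$1.csr" -noout -subject
}

# Run the whole procedure (CSR_DEMO=1 sh make_csr.sh); the script name is an assumption.
if [ "${CSR_DEMO:-0}" = 1 ]; then
  KEY_PASS="${KEY_PASS:-demo-only-pass-phrase}"; export KEY_PASS
  make_csr toddsmith.org my_certs
  check_csr toddsmith.org my_certs && csr_subject toddsmith.org my_certs
fi
```

Reading the pass-phrase from the environment (env:KEY_PASS) keeps it off the command line, where it would show up in the process list and shell history; on a real server set it from a prompt or a secrets file rather than from a default as the demo does.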
Remove Encryption from Private Key
Use the following steps to remove the pass-phrase from the private key, either because the software that will use it (Dovecot, Sendmail, etc.) cannot prompt for one, or to get rid of the start-up pass-phrase dialog in Apache.
- Make a backup of the encrypted key file
cp toddsmith.org.key toddsmith.org.key.encrypted
- Write a decrypted copy back under the original name (you will be asked for the pass-phrase once)
openssl rsa -in toddsmith.org.key.encrypted -out toddsmith.org.key
The -out file toddsmith.org.key is now your unencrypted private key. Anyone who can read it can impersonate your server, so restrict it to its owner (chmod 600 toddsmith.org.key), keep it out of world-readable backups and version control, and store the encrypted copy somewhere safe.
Use the certificate with Microsoft Internet Explorer
Now you've received your certificate from your provider and you want to use it on Windows.
Windows imports a certificate and its private key together as a PFX (PKCS#12) file, so you have to convert what you have, which is currently in PEM format.
- To create a PFX formatted certificate/key combination, run the following command (one line). You will be prompted for an export password that protects the bundle; Windows asks for it again on import, and the resulting .pfx file deserves the same protection as the unencrypted key. If your CA sent intermediate certificates, add them with -certfile so the chain travels with the bundle.
openssl pkcs12 -export -out toddsmith.org.pfx -inkey toddsmith.org.key -in toddsmith.org.crt
Convert key and certificate to use with Sendmail, Dovecot, or others
To do this, you'll need the certificate issued by your Certificate Authority and your unencrypted key file. If your key is still encrypted, use the process above to remove the encryption from the key.
All set? Okay, let's do it.
- Run the following command to combine the key and certificate for use with Sendmail, Dovecot, uw-imap, and many others. The server certificate must come before any intermediate certificates the CA sent; those can simply be appended to the same file.
cat toddsmith.org.key toddsmith.org.crt > toddsmith.org.pem
The combined file contains the private key, so give it the same restrictive permissions (chmod 600) as the key itself. All done, now you can use it with your favorite MTA or email software.
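The three follow-on sections (removing the pass-phrase, building the PFX, and building the combined PEM) as one added example that is not code from the original post. It goes beyond the text in two places: it checks that the certificate's public key really belongs to the private key before bundling, and it appends an intermediate chain file when one is present. Because the CA-issued toddsmith.org.crt cannot be fetched offline, a self-signed certificate made from the same key stands in for it; the domain, file names and the KEY_PASS and PFX_PASS environment variables are constructed demo values.

```shell
#!/bin/sh
# Added example, not code from the original post. It runs the follow-on steps
# in one place: stripping the pass-phrase, proving the certificate belongs to
# the key, exporting a PFX for Windows, and building the combined PEM for
# Sendmail/Dovecot. Assumptions: toddsmith.org is a placeholder, pass-phrases
# come from the KEY_PASS and PFX_PASS environment variables, and a self-signed
# certificate made from the same key stands in for the CA-issued .crt.
set -eu

# make_demo_key_and_cert DIR DOMAIN: constructed stand-in for "key + CA certificate".
make_demo_key_and_cert() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout env:KEY_PASS -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1 -sha256 -key "$dir/$domain.key" -passin env:KEY_PASS \
    -subj "/C=US/ST=Oregon/L=Portland/O=Todd Smith/CN=www.$domain" \
    -out "$dir/$domain.crt"
}

# strip_passphrase DIR DOMAIN: keep the encrypted original, write a decrypted
# copy under the original name, and lock both down to the owner.
strip_passphrase() {
  dir="$1"; domain="$2"
  cp "$dir/$domain.key" "$dir/$domain.key.encrypted"
  openssl rsa -in "$dir/$domain.key.encrypted" -passin env:KEY_PASS \
    -out "$dir/$domain.key" 2>/dev/null
  chmod 600 "$dir/$domain.key" "$dir/$domain.key.encrypted"
}

# key_matches_cert DIR DOMAIN: succeeds only if the certificate's public key is
# the one derived from the private key. Catches a CSR sent from the wrong key
# or a certificate downloaded for the wrong server.
key_matches_cert() {
  dir="$1"; domain="$2"
  k=$(openssl pkey -in "$dir/$domain.key" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$dir/$domain.crt" -pubkey -noout \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# make_pfx DIR DOMAIN: PKCS#12 bundle for Windows; the export password comes
# from PFX_PASS, and the round-trip read proves the file opens with it.
make_pfx() {
  dir="$1"; domain="$2"
  openssl pkcs12 -export -inkey "$dir/$domain.key" -in "$dir/$domain.crt" \
    -passout env:PFX_PASS -out "$dir/$domain.pfx"
  chmod 600 "$dir/$domain.pfx"
  openssl pkcs12 -in "$dir/$domain.pfx" -passin env:PFX_PASS -nokeys -noout 2>/dev/null
}

# make_pem_bundle DIR DOMAIN: key, then certificate, then intermediates if the
# CA supplied a DOMAIN.chain.crt; both objects must parse back out of the file.
make_pem_bundle() {
  dir="$1"; domain="$2"
  cat "$dir/$domain.key" "$dir/$domain.crt" > "$dir/$domain.pem"
  if [ -f "$dir/$domain.chain.crt" ]; then
    cat "$dir/$domain.chain.crt" >> "$dir/$domain.pem"
  fi
  chmod 600 "$dir/$domain.pem"
  openssl pkey -in "$dir/$domain.pem" -noout 2>/dev/null
  openssl x509 -in "$dir/$domain.pem" -noout 2>/dev/null
}

# Run everything (CERT_DEMO=1 sh finish_cert.sh); the script name is an assumption.
if [ "${CERT_DEMO:-0}" = 1 ]; then
  KEY_PASS="${KEY_PASS:-demo-key-pass}"; PFX_PASS="${PFX_PASS:-demo-pfx-pass}"
  export KEY_PASS PFX_PASS
  make_demo_key_and_cert my_certs toddsmith.org
  strip_passphrase my_certs toddsmith.org
  key_matches_cert my_certs toddsmith.org
  make_pfx my_certs toddsmith.org
  make_pem_bundle my_certs toddsmith.org
fi
```

One caveat for the PFX step: OpenSSL 3 encrypts PKCS#12 files with AES-256 and PBKDF2 by default, which older Windows releases cannot import; if the import fails there, re-run the export with the -legacy option (which needs OpenSSL's legacy provider) to get the older encoding.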