
[Experience Sharing] Repost: How to generate Certificate Signing Request (CSR) file with Apache OpenSSL


Posted on 2015-8-1 09:23:51
  When it comes to using SSL with Apache, OpenSSL can do everything we need. XAMPP and WAMP both come with an OpenSSL-enabled build of Apache, so it is quite handy to use. But how do you get an SSL certificate for your website? If you are on a shared server and don't have access to the Apache installation directory and config files, you need to ask your hosting company. Most hosting companies will do this for you for a fee. The cost depends on the kind of certificate you are requesting and its validity period. For example, a certificate for www.domain.com will be considerably cheaper than one for *.domain.com.
  Now if you are running and managing your own web server and you have to get certificate(s) for your company, a client or your own website, the first requirement is to generate a "Certificate Signing Request" (CSR) file, which you send to a Certificate Authority to sign and return to you as a CRT file. This tutorial is not meant for Apache experts but for those who do not have much experience with SSL and Apache.
  Generating CSR files with Apache and OpenSSL is quite simple: it is a matter of typing a few commands. You follow the same commands at the OpenSSL prompt whether you are running Apache on Windows or Linux. Here is the routine to follow to get our .CSR file ready.
  If you have your Apache setup ready with OpenSSL, go to the BIN directory under your Apache installation directory. On a Windows machine it could be under D:\Program Files\Apache\bin, and on Linux you know better where to find it. Open a Command Prompt, go to Apache's BIN directory and type "openssl" there. You will get the OpenSSL prompt immediately. You do not need to go to the Apache/bin directory if that path is set in your system variables; you can just type openssl and you will get the prompt shown below.
[Screenshot: the OpenSSL prompt]
Now, first of all we need to generate an RSA private key for our server. This key will be Triple-DES encrypted and PEM formatted. Type the following command at the OpenSSL prompt to get the encrypted private key.
OpenSSL> genrsa -des3 -out digitss.key 1024
You can name it my_server.key or something like that. Once you type the above command it will ask for a pass-phrase; keep a note of that pass-phrase in a secure place. Also keep a backup of your private key file in a secure place. Here are the screenshots showing the above command on the Windows command line.
[Screenshot: genrsa command on the Windows command line]
If you try to view the contents of that file, it will look similar to what I have got here.
[Screenshot: contents of the encrypted key file]
To see something more readable, type the following line; it will ask for the pass-phrase which you previously specified.
OpenSSL> rsa -noout -text -in digitss.key
Enter pass phrase for digitss.key:
Private-Key: (1024 bit)
OpenSSL>
Although this output (the key's modulus, exponents, primes and coefficient printed as hex) is hardly readable, it makes more sense than the previous screenshot.
  Later on we need to specify the path of this file in our httpd-ssl.conf, once we get the CRT file signed by the Authority and are setting up SSL on our web server. An unsecured version of this file is required, because with the Windows Apache + OpenSSL setup it is not possible to specify the pass-phrase (which we gave earlier); it gives some weird error while setting up SSL, and Apache refuses to start and writes errors to its log.
So to get an unsecured version of this file, type the following command:
OpenSSL> rsa -in digitss.key -out unsecured.digitss.key
Enter pass phrase for digitss.key:
writing RSA key
OpenSSL>
Here, digitss.key is the file we generated previously, which is encrypted (3-DES), and the -out file is the one that will be generated in non-encrypted form. During this process it will ask for the pass-phrase as usual.
  Now let's move to the final step: generating the CSR file using the RSA private key. The following command will generate a PEM-formatted Certificate Signing Request file for us. Key in the following command:
OpenSSL> req -new -key digitss.key -out digitss.csr
If you are running on Windows then you will probably get the error which I faced during this. It will be something similar to the following:
OpenSSL> req -new -key digitss.key -out digitss.csr
Unable to load config info from /usr/local/ssl/openssl.cnf
In that case we need to specify one more parameter in this command and we are done.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Here we are requesting generation of a CSR file with the private key generated previously, and we have specified the configuration file "openssl.cnf" as one more parameter. If this file doesn't exist in the apache/bin directory then either move it there or specify its full path. After keying in the above command it will prompt you with a few parameters/questions, and that's it, we are done.
Here is the list of questions you need to answer when you type the above command to generate the CSR file, provided as an example for your reference.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Enter pass phrase for digitss.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Newyork
Locality Name (eg, city) []:Bellrose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DiGiTSS Inc
Organizational Unit Name (eg, section) []:DiGiTSS
Common Name (eg, YOUR name) []:www.digitss.com
Email Address []:dharmavir@digitss.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:blogs@DiGiTSS
OpenSSL>
We are almost done. Now we need to send this generated CSR file to a Certifying Authority (CA) for signing; they will send us back the real certificate (CRT file), with the help of which we can set up SSL on our web server running Apache and OpenSSL. We can send it to Verisign, Thawte Consulting, CertiSign Certificadora Digital Ltd or GoDaddy.
Please note that I have used all commands on a Linux server as well, and they work the same as they work on Windows.
  For more advanced options or more help you can refer to www.modssl.org's FAQ section.
  Have your comments on this post.
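
The same key-and-CSR procedure done non-interactively, as an added example that is not part of the original post: the DN answers go into a small config file passed with -config (so no system-wide openssl.cnf has to be found), and the CSR is checked against the key before it is sent to the CA. The function names, file names and the example.com subject are assumptions; the key is 2048-bit because publicly trusted CAs no longer accept 1024-bit RSA, and it is written unencrypted with owner-only permissions.

```shell
#!/bin/sh
# Added example (not from the original post). Names below are assumptions.

# make_csr <common-name> <output-dir>
# Writes req.cnf, server.key (unencrypted, mode 0600) and server.csr.
make_csr() {
    cn=$1; dir=$2
    mkdir -p "$dir" || return 1
    # prompt = no: the DN is read from the [ dn ] section instead of
    # being asked interactively as in the session shown above.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = US
O  = Example Inc
CN = $cn

[ ext ]
subjectAltName = DNS:$cn
EOF
    # umask 077 in a subshell so the key file is never group/world readable.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$dir/server.key" \
        -config "$dir/req.cnf" -out "$dir/server.csr"
}

# csr_matches_key <key> <csr>
# Succeeds only if the CSR's self-signature verifies and the public key in
# the CSR is the one derived from the private key.
csr_matches_key() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_subject <csr>: prints the subject line the CA will see.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```

Run `make_csr www.example.com ./out`, confirm with `csr_matches_key ./out/server.key ./out/server.csr`, and send only `out/server.csr` to the CA; `server.key` stays on the server.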
