How to generate CSR (Certificate Signing Request) using OpenSSL?

Below are the steps you can use to generate a CSR (Certificate Signing Request) for your domain. This step is a requirement for enrolling a trusted or signed SSL certificate from a CA (Certificate Authority).

1. Make sure that openssl is already installed on your system. You can test this by running a simple command in your system terminal or SSH session.

openssl

If you find that openssl is not installed on your system, you can install the package using the commands below.

Red Hat/CentOS

yum install openssl openssl-devel

Ubuntu/Debian

apt-get install openssl


2. Once you have confirmed that openssl is installed on your system, you can proceed with the first important step, which is generating your private key. It is also called your password file for installing your SSL certificate. Use the command below to generate your private key file.

Caution: Losing this file will require you to regenerate the private key and CSR file and go through the SSL signing process with your CA (Certificate Authority) again.

Create a folder/directory that will be used to store your SSL files.

mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/

Remember to change the directory name from domain.com.ssl to <your domain name>.ssl. This will make it easier to find your SSL certificate later. Once done, proceed with the command below.

openssl genrsa -out domain.com.key 2048

Again, remember to change the name from domain.com.key to <your domain name>.key.

3. Now you can proceed to generate the CSR (Certificate Signing Request) file. Use the command below.

openssl req -new -sha256 -key <your domain name>.key -out <your domain name>.csr

Below is sample output from the command above.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:Wilayah Persekutuan
Locality Name (eg, city) [Default City]:Kuala Lumpur
Organization Name (eg, company) [Default Company Ltd]:mydomain Sdn Bhd
Organizational Unit Name (eg, section) []:IT ARM
Common Name (eg, your name or your server's hostname) []:mydomain.com
Email Address []:<my email address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Take note of the most important variables required in the CSR generation.
  • Country Name - You will need to key in the 2-letter country code. You may refer to this URL for more info. However, if you are in Malaysia and the certificate is meant for use there, you can just use MY as the country code.
  • Common Name - Most of the time known as the CN. This is the actual domain name that you want to be trusted by the CA, for example: mydomain.com. Please take note that the CA server will automatically trust www.mydomain.com as a trusted domain under this certificate.
  • The rest of the variables only become important when you are enrolling for OV (Organization Validation) or EV (Extended Validation).
  • A challenge password can also be used to harden your SSL certificate. However, if you lose or forget the password, you will need to go through the SSL regeneration and registration process.

4. Upon successful generation, you will see two files stored in your SSL directory: the .key file and the .csr file.
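The following is an added example, not part of the original article: it runs steps 2 to 4 non-interactively with owner-only file permissions and then checks the CSR before it is submitted. The function names, the -subj values and mydomain.com are constructed for illustration; it assumes the openssl command from step 1 is on the PATH.

```shell
#!/bin/sh
# Added example: create the key and CSR as in steps 2-3, then verify them.
# mydomain.com and the DN values used with it are constructed samples.
# Usage: make_csr ~/mydomain.com.ssl mydomain.com &&
#        check_csr ~/mydomain.com.ssl/mydomain.com.key \
#                  ~/mydomain.com.ssl/mydomain.com.csr mydomain.com

# make_csr DIR DOMAIN: writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_csr() {
    (
        umask 077    # directory and files are created for the owner only
        mkdir -p "$1" && cd "$1" || exit 1
        openssl genrsa -out "$2.key" 2048 2>/dev/null || exit 1
        # -subj supplies the DN fields that are otherwise asked interactively
        openssl req -new -sha256 -key "$2.key" -out "$2.csr" \
            -subj "/C=MY/ST=Wilayah Persekutuan/L=Kuala Lumpur/O=mydomain Sdn Bhd/CN=$2"
    )
}

# SHA-256 of the public key taken from a private key file
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a CSR
csr_pub_hash() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_csr KEY CSR DOMAIN: returns 0 when the CSR is ready to submit
check_csr() {
    # 1. The CSR's self-signature must verify (file intact and well formed).
    #    The message is matched because older openssl exits 0 on failure.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The CSR must contain the public half of the key that was kept.
    [ "$(key_pub_hash "$1")" = "$(csr_pub_hash "$2")" ] || return 2
    # 3. The Common Name must be the domain being enrolled.
    subj=$(openssl req -in "$2" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$3,"*) return 0 ;;
        *) return 3 ;;
    esac
}
```

A non-zero return from check_csr identifies which check failed: 1 for the signature, 2 for a key that does not belong to the CSR, 3 for an unexpected Common Name.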


WHAT YOU NEED TO DO NEXT?

  • Submit your CSR for CA (Certificate Authority) Signing.
