Generating CSRs

Before you can order an SSL Certificate, you must first generate a CSR (Certificate Signing Request) for your server. A CSR is an encoded file that provides you with a standardized way to send us your public key along with some information that identifies your company and domain name. When you generate a CSR, most server software asks for the following information: common name (e.g. www.example.com), organisation name, location (country, state/province, city/town), key type (typically RSA), and key size (2048 bit minimum). OpenSSL is a standard command-line tool used in this process.

How do I generate a CSR for my SSL certificate provider?

  1. Log into the server as Administrator.
  2. Open the Certificate Manager console (click Start > Search programs and files > certmgr.msc).
  3. Open your Local Computer certificates (click File > Add/Remove Snap-in... > Certificates > Computer account > Next > Local computer > Finish).
  4. Select Certificates (Local Computer) > Personal > Certificates.
  5. With the Personal Certificates for the Local Computer highlighted, click Action > All Tasks > Advanced Operations > Create Custom Request. This will open the Certificate Enrollment wizard.
  6. In the Certificate Enrollment wizard:
    1. Read the Before You Begin screen and click Next.
    2. On the Select Enrollment Policy screen, under Custom Request, select Proceed without enrollment policy and click Next.
    3. On the Custom request screen
      1. For Template, choose "(No template) Legacy key" from the drop-down menu, and leave "Suppress default extensions" unchecked.
      2. For Request format, select PKCS#10.
      3. Click Next.
    4. On the Certificate Enrollment screen, click Details, then click Properties. This will open a Certificate Properties dialog box.
      1. On the General tab, enter a Friendly name and Description for your certificate.
      2. On the Subject tab
        1. Select Common Name from the Type menu, enter your Fully Qualified Domain Name (FQDN) for the value, and click "Add >".
        2. Select Organization from the Type menu, enter your organization name for the value, and click "Add >".
        3. Select State from the Type menu, enter the abbreviation for the state you are in for the value, and click "Add >".
        4. Select Country from the Type menu, enter 2 letters for the country you are in for the value, and click "Add >".
        5. Optionally, select Email from the Type menu, enter an email address for the value, and click "Add >".
        6. Optionally, add Subject Alternative name values, if you need them.
      3. On the Extensions tab
        1. Expand "Key usage" and add "Digital signature" to the selected options, and verify that "Make these key usages critical" is checked.
        2. Expand "Extended Key Usage (application policies)" and add "Server Authentication" and "Client Authentication" to the selected options, and verify that "Make the Extended Key Usage critical" is checked.
      4. On the Private Key tab
        1. Expand Cryptographic Service provider and select "Microsoft Strong Cryptographic Provider (Signature)".
        2. Expand Key Options and select "2048" from the Key size drop-down menu.
        3. If you will need to export the certificate to use on another host, select "Make private key exportable". This will be important if you have a server cluster or you will be using the new "Central Certificate Store" option available with IIS8.
    5. Click OK.
    6. On the Certificate Information screen, click Next.
      1. Enter a file name for your CSR (e.g. certname.req)
      2. Select "Base 64" as the File Format.
      3. Click Finish.
         

If the above sequence doesn't work for you - in particular, if step 6.4.4.1 is impossible because the provider in question is greyed out - try the alternative method described in the following articles:

 

Generating a Certificate Signing Request

To install a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA). The CSR contains your certificate-application information, including your public key. Use your Web server software to generate the CSR, which will also create your public/private key pair used for encrypting and decrypting secure transactions.

If you are applying for an SSL certificate for a domain that is hosted with us, we generate and submit the CSR for you.

Most third-party SSL certificates are compatible with our secure server software.

NOTE: When generating your CSR, specify a key size of 2048 or higher.

About the Distinguished Name

During the creation of the CSR, you will be prompted to provide certain information about your organization. The Web server software will use this information to create your Web server certificate's distinguished name (DN). Distinguished names uniquely identify individual servers:

The distinguished name contains the following information:

Country Code: The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.

State/Province: Name of state, province, region, territory where your organization is located. Please enter the full name. Do not abbreviate.

City/Locality: Name of the city/locality in which your organization is registered/located. Please spell out the name of the city/locality. Do not abbreviate.

Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as a small business/sole proprietor, please enter the certificate requester's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field.

Organizational Unit: Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you can enter the DBA (doing business as) name in this field.

Common name: The name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name (FQDN) for the website you will be using the certificate for (e.g., "www.domainnamegoeshere"). Do not include the "http://" or "https://" prefixes in your common name. Do NOT enter your personal name in this field.

If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g., "*.domainnamegoeshere.com"). This will secure all subdomains of the common name.

 

NOTE: If you enter "www.example.com" as the common name in your certificate signing request, the certificate will secure both "www.example.com" and "example.com."

 

 

 

Generating CSRs in Linux

 

Before you can request your SSL, you must generate a Certificate Signing Request (CSR) from your server. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

To Generate CSRs in Linux

  1. Connect to your server via SSH.
  2. Run the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomainname.key -out yourdomainname.csr

    Replace yourdomainname with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.

  3. Enter the requested information:
    Field: What to enter
    Common Name: The fully-qualified domain name, or URL, you want to secure. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
    Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
    Organization Unit: If applicable, enter the DBA (Doing Business As) name.
    City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
    State or Province: Name of the state or province where your organization is located. Do not abbreviate.
    Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
    Passphrase (Optional): A password for the SSL. If you leave this field blank, there is no password for the SSL, which can expose you to additional risks.
  4. Open the CSR in a text editor and copy all of the text.
  5. Paste the full CSR into the SSL request area in your account.
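
The command from step 2 together with checks worth running before step 4, as an added example that is not part of the original article: it supplies the subject with -subj instead of answering the prompts, then confirms that the CSR's self-signature verifies, that its public key matches the private key kept on the server, that the key is at least 2048 bits, and that the key file is readable only by its owner. The function names make_csr and csr_check and the subject values other than coolexample.com are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Subject values are constructed.
# Usage: make_csr coolexample www.coolexample.com && csr_check coolexample

# make_csr BASENAME FQDN: writes BASENAME.key and BASENAME.csr without prompting.
make_csr() {
  (
    umask 077  # -nodes leaves the key unencrypted, so restrict the file to its owner
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" \
      -subj "/C=US/ST=Arizona/L=Scottsdale/O=Cool Example LLC/CN=$2" 2>/dev/null
  )
}

# csr_check BASENAME: returns 0 only if BASENAME.csr is sound and pairs with
# BASENAME.key; a non-zero status names the check that failed.
csr_check() {
  # 1. The self-signature verifies: the CSR is intact and was signed by its own key.
  #    Match on the output text rather than relying on the exit status.
  openssl req -in "$1.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  # 2. The public key in the CSR belongs to the private key that stays on the server.
  [ "$(openssl req -in "$1.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$1.key" -pubout)" ] || return 2
  # 3. The key meets the 2048-bit minimum.
  bits=$(openssl req -in "$1.csr" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || return 3
  # 4. The unencrypted key is not readable by group or other users.
  case "$(ls -l "$1.key")" in
    -rw-------*|-r--------*) ;;
    *) return 4 ;;
  esac
}
```

Only the .csr file is pasted into the request form; the .key file never leaves the server.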

  

Installing an SSL Certificate in Microsoft IIS 8

First, you must install the intermediate certificate included in your bundle to your Microsoft® IIS 8 server. Then, to install the primary SSL certificate, you must complete the pending request, bind the certificate to your website, and then restart your site.

To Install an Intermediate Certificate in Microsoft IIS 8

  1. Click Start, and then click Run....
  2. Type mmc, and then click OK. The Microsoft Management Console (Console) window opens.
  3. In the Console1 window, click the File menu, and then select Add/Remove Snap-in.
  4. In the Add or Remove Snap-in window, select Certificates, and then click Add.
  5. In the Certificates snap-in window, select Computer Account, and then click Next.
  6. In the Select Computer window, select Local Computer, and then click Finish.
  7. In the Add or Remove Snap-in window, click OK.
  8. In the Console1 window, click + to expand the folder.
  9. Right-click Intermediate Certification Authorities, mouse-over All Tasks, and then click Import.
  10. In the Certificate Import Wizard window, click Next.
  11. Click Browse to find the intermediate certificate file.
  12. In the Open window, change the file extension filter to PKCS #7 Certificates (*.spc;*.p7b), select the *_iis_intermediates.p7b file, and then click Open.

    NOTE: Do not install your Leaf Certificate in this area. Doing so removes your certificate from the list, and you must reinstall to correct the problem.

  13. In the Certificate Import Wizard window, click Next.
  14. Select Place all certificates in the following store, and then click Browse.
  15. In the Select Certificate Store window, select Intermediate Certification Authorities, and then click OK.
  16. In the Certificate Import Wizard window, click Next.
  17. Click Finish.
  18. Click OK.
  19. Close the Console1 window, and then click No to remove the console settings.

To Install an SSL Certificate in Microsoft IIS 8

  1. Launch the Server Manager.
  2. From Tools, select Internet Information Services (IIS) Manager.
  3. In the Connections panel on the left, click the server name for which you want to generate the CSR.
  4. In the middle panel, scroll to the bottom, and then double-click Server Certificates.
  5. In the Actions panel on the right, click Complete Certificate Request....
  6. Do the following to install the certificate, and then click OK:
    • File name containing the certificate authority's response — Click ..., locate the .crt file on your computer, and then click Open.
    • Friendly name — Enter a unique name to identify the SSL certificate. For wildcard SSL certificates, make sure your friendly name matches your common name (such as *.coolexample.com).
    • Select a certificate store for the new certificate — Select Personal.
  7. In the Connections panel on the left, select the name of the server on which you installed the certificate.
  8. Click + to expand Sites, and then select the site you want to secure with the SSL certificate. (This process is called binding.)
  9. In the Actions panel on the right, click Bindings....
  10. Click Add....
  11. Do the following to configure the settings, and then click OK:
    Field: What to do
    Type: Select https.
    IP address: Select All Unassigned, or select the IP address of the site.
    Port: Type 443.
    SSL Certificate: Select the SSL certificate you just installed.
  12. In the Actions panel on the right, click Restart to complete the installation process.

Visit your website at https://www.example.com (replacing example.com with your domain name) to verify the installation. If you have problems, we recommend using the CA Security Council's SSL Configuration Checker for information about your SSL's configuration and to help diagnose issues.

NOTE: As a courtesy, we provide information about how to use certain third-party products, but we do not endorse or directly support third-party products and we are not responsible for the functions or reliability of such products.

 
 