SSL Generating Certificate Signing Requests

Contents
  Introduction
  What is a CSR?
  IIS 8
  IIS 7
  Apache
    Generate a Key Pair
    Generate the CSR
    Backup your private key
  Plesk Onyx
  Plesk 12
  WHM
  cPanel
  Other operating systems
  After generating your CSR

Introduction

SSL secures all website traffic between two points, ensuring that any data shared between your customers and your webserver is safe and secure. It achieves this in two ways:

1. It encrypts the data between the two computers, preventing anyone from eavesdropping on your communications.
2. It confirms the identity of the website you are communicating with.

The transfer of data is achieved using public key encryption. This involves generating two very large prime numbers. The first is used as your private key and should be kept secret from everyone. The other forms your public key, and is available to everyone to view.

With this information it is possible to create a self-signed SSL certificate that encrypts data between two end points. However, the end user cannot be sure that you are who you say you are. As such, their web browser will provide warnings to anyone attempting to view your site over SSL.

To avoid these errors, you need to prove the identity of your website. This is achieved by enrolling for a digitally signed certificate from a trusted authority. Your computer inherently trusts a number of companies (called Certificate Authorities). By creating a public and private key, you can ask a trusted Certificate Authority to digitally sign your certificate. As your computer trusts the Certificate Authority, it will also trust the identity of anyone who has their identity confirmed by having their certificate signed by such an authority.

What is a CSR?

During a Certificate Signing Request (CSR) your computer will generate the private and public keys needed to encrypt data between yourself and your customers. It will also record information regarding your company or organization. This information can then be sent to a Certificate Authority that will check the information provided and sign your certificate.

Once you have received your signed certificate you can install it on your server and start encrypting traffic to and from your website.

The process for generating a Certificate Signing Request differs slightly depending upon which operating system or control panel software you are using.

IIS 8

Step 1
From within Server Manager select Internet Information Services (IIS) Manager from the Tools drop-down menu.

Step 2
In the IIS Manager, choose your server name.

Step 3
In the Features pane (the middle pane), open the Server Certificates icon. This will be located in the IIS section, or the Security section, depending upon how you are grouping your icons.

Step 4
Click Create Certificate Request. This is located in the right hand pane marked Actions.

Step 5
The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state and locality.

You will be prompted to enter additional information regarding your website. In the form provided, enter the following details:

Common Name: The Common Name is the Host + Domain Name. It looks like "www.domain.com" or "domain.com".

Quick tip: The Common Name must be the same as the Web address you will be accessing when connecting to your secure site. For example, an SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "shop.domain.com", as "www.domain.com" and "shop.domain.com" are different from "domain.com".

Organization: The Organization Name is your Full Legal Company or Personal Name.
Organizational Unit: This field is optional. The Organizational Unit field is the name of the department or organization unit making the request.
City/Locality: The city or area in which you are based, e.g. Gloucester.
State/province: The area in which you are based, e.g. Gloucestershire.
Country/region: Select the two digit country code for your organization from the drop down list provided, e.g. GB, US or CA for Great Britain, United States of America or Canada respectively.

Quick tip: A full list of country codes is available in the appendix of this guide.

Step 6
Click Next to continue.

Step 7
Next, you are asked to choose cryptography options. Leave the default setting of Microsoft RSA SChannel Cryptographic Provider, but change the Bit length to 2048. Click Next to continue.

Step 8
Finally, provide a filename to which to save the certificate request. You will need to retrieve this file later, so make a note of the name and location.

IIS 7

Step 1
Choose Start > Administrative Tools > Internet Information Services (IIS) Manager.

Step 2
In the IIS Manager, choose your server name.

Step 3
In the Features pane (the middle pane), open the Server Certificates icon. This will be located in the IIS section, or the Security section, depending upon how you are grouping your icons.

Step 4
Click Create Certificate Request. This is located in the right hand pane marked Actions.

Step 5
The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state and locality.

You will be prompted to enter additional information regarding your website. In the form provided, enter the following details:

Common Name: The Common Name is the Host + Domain Name. It looks like "www.domain.com" or "domain.com".

Quick tip: The Common Name must be the same as the Web address you will be accessing when connecting to your secure site. For example, an SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "shop.domain.com", as "www.domain.com" and "shop.domain.com" are different from "domain.com".

Organization: The Organization Name is your Full Legal Company or Personal Name.
Organizational Unit: This field is optional. The Organizational Unit field is the name of the department or organization unit making the request.
City/Locality: The city or area in which you are based, e.g. Gloucester.
State/province: The area in which you are based, e.g. Gloucestershire.
Country/region: Select the two digit country code for your organization from the drop down list provided, e.g. GB, US or CA for Great Britain, United States of America or Canada respectively.

Quick tip: A full list of country codes is available in the appendix of this guide.

Step 6
Click Next to continue.

Step 7
Next, you are asked to choose cryptography options. Leave the default setting of Microsoft RSA SChannel Cryptographic Provider, but change the Bit length to 2048. Click Next to continue.

Step 8
Finally, provide a filename to which to save the certificate request. You will need to retrieve this file later, so make a note of the name and location.

Apache

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated.

Note: Your SSL Certificate matches this key pair, so if you lose your public/private key file, or you need to re-generate your password, your SSL certificate will no longer work and a new one will need to be requested.

Generate a Key Pair

openssl is used to generate the key and CSR. This utility comes pre-installed on our dedicated and Virtual servers under /usr/local/ssl/bin.

Step 1
Type the following command at the prompt for an encrypted key:

    openssl genrsa -des3 -out www.mydomain.com.key 2048

This command generates a 2048 bit RSA private key and stores it in the file www.mydomain.com.key.

Step 2
When prompted for a pass phrase, enter a secure password and remember it. This pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

Generate the CSR

Step 1
Type the following command at the prompt:

    openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

Step 2
This command will prompt for the following X.509 attributes of the certificate:

Country Name (C): Select the two digit country code for your organization. A list of country codes can be found in the appendix of this guide.
State or Province (S): The area in which you are based, e.g. Gloucestershire.
Locality or City (L): The city or area in which you are based, e.g. Gloucester.
Organization (O): The Organization Name is your Full Legal Company or Personal Name. If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enrol. Example: Smith & Son would be Smith and Son.
Organizational Unit (OU): This field is optional. The Organizational Unit field is the name of the department or organization unit making the request.
Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.domain.com" or "domain.com".

The Common Name must be the same as the Web address you will be accessing when connecting to your secure site. For example, an SSL Server Certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "shop.domain.com", as "www.domain.com" and "shop.domain.com" are different from "domain.com".

Don't enter your email address, challenge password or an optional company name when generating the CSR.

Your public/private key pair has now been created. The private key (www.domain.com.key) will be stored locally on the server machine and should be kept safe. The public key, in the form of a Certificate Signing Request (certrequest.csr), will be used in generating your certificate.

Step 3
Open the file in a text editor, such as Vi, and save it as a .txt file.

Quick tip: Use a text editor to copy and paste your CSR into the enrolment form. Word processors such as Microsoft Word can add formatting information into your text and cause your CSR to fail.

Step 4
Once the CSR has been created, proceed to Enrolment.

Backup your private key

It's good practice to make a backup of your .key file. While it is not essential that you keep a backup of this key and your pass phrase, it may be important in cases of server failure.

Plesk Onyx

Step 1
In the Plesk control panel, select Domains from the Hosting Services section within the left menu bar.

Step 2
Click on the domain you wish to add the certificate to.

Step 3
Select the SSL/TLS Certificates icon.

Step 4
Click on the Add SSL/TLS Certificate icon.

Step 5
Enter a Certificate Name to help you identify this certificate. In the example below we've named it after the domain name the certificate is for, to make it quickly and easily identifiable.

Step 6
Make sure you select 2048 from the Bits dropdown menu.

Step 7
You also need to enter your company address, the domain name the certificate will protect, and a valid email address. These details must be accurate as they will be used to generate your private key. After the details have been filled in click the Request button.

Step 8
You will be directed back to the SSL Certificates section. From here you will need to click on the certificate that has just been created.

Step 9
Copy the entire CSR part, from where the text starts with -----BEGIN CERTIFICATE REQUEST----- to where it ends with -----END CERTIFICATE REQUEST-----, and save this to a notepad file.

Step 10
You will need to provide this to your chosen certificate authority (the company you are purchasing your SSL certificate from). They will then provide you with the certificate part to upload to Plesk.

Plesk 12

Step 1
Log in to Plesk on your server as the server administrator and click on Domains in the Hosting Services menu.

Step 2
Click on the Open in Control Panel link next to the domain name you want to add the SSL certificate to.

Step 3
Click the Show More button at the bottom of the Websites & Domains section.

Step 4
Click on the Secure Your Sites icon.

Step 5
Click the Add SSL Certificate icon.

Step 6
Enter a Certificate Name to help you identify this certificate. In the example below we've named it after the domain name the certificate is for, to make it quickly and easily identifiable.

Step 7
You also need to enter your company address, the domain name the certificate will protect, and a valid email address. These details must be accurate as they will be used to generate your private key. Click the Request button when you've entered the information. You'll see a confirmation message that the certificate has been created.

Step 8
Locate the newly created certificate in the list and click on it to see its properties. Scroll down and find the CSR section. Copy all the text that starts with:
-----BEGIN CERTIFICATE REQUEST-----
and ends with
-----END CERTIFICATE REQUEST-----

Step 9
Visit the web site of your chosen certificate authority and follow their procedures to purchase your certificate. When prompted, paste the CSR text you copied in the previous step into their online form. They will then generate your certificate. Save the generated certificate file to your local machine.

WHM

Step 1
Log in to WHM as an Administrator and select Generate an SSL Certificate and Signing Request from the SSL/TLS section of the left menu.

Step 2
In the Contact Information section you can choose to have the certificate parts emailed to you. To do so, check the box labelled When complete, email me the certificate, key and CSR and enter your email address into the Email Address field.

Step 3
Select a key size value from the Key Size drop down menu. 2,048 bits is recommended.

Step 4
Fill out the CSR form using the fields provided.

Domains: Enter the domain name that you want to add SSL to.
City: Enter the City that the domain's registrant details contain.
State: Enter the State or County that the domain's registrant details contain.
Country: Select the domain registrant's country from the dropdown menu.
Company Name: Enter your company name.
Company Division: Enter the division within your company.
Email: Enter the domain registrant's email address.
Passphrase: Enter a passphrase (optional).

Once finished, click the Create button to generate the CSR.

Step 5
Copy the entire Encoded Certificate Signing Request from the start of the line reading:
-----BEGIN CERTIFICATE REQUEST-----
to the end of the line reading:
-----END CERTIFICATE REQUEST-----
Paste this into a notepad file for safe keeping.

cPanel

Step 1
Log in to cPanel, scroll down to the Security section and click the SSL/TLS Manager icon.

Step 2
Click the link Generate, view or delete SSL certificate signing requests.

Step 3
Fill out the CSR form using the fields provided.

Key: Leave this field set at Generate a new 2,048 bit key.
Domains: Enter the domain name that you want to add SSL to.
City: Enter the City that the domain's registrant details contain.
State: Enter the State or County that the domain's registrant details contain.
Country: Select the domain registrant's country from the dropdown menu.
Company: Enter your company name.
Company Division: Enter the division within your company.
Email: Enter the domain registrant's email address.
Passphrase: Enter a passphrase (optional).
Description: Enter a description (optional).

Step 4
Copy the entire Encoded Certificate Signing Request from the start of the line reading:
-----BEGIN CERTIFICATE REQUEST-----
to the end of the line reading:
-----END CERTIFICATE REQUEST-----
Paste this into a notepad file for safe keeping.

Step 5
You will need to provide this to your chosen certificate authority (the company you are purchasing your SSL certificate from). They will then provide you with the certificate part to upload to cPanel.
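
Whichever of the methods above produced the CSR, it can be checked before it is sent to the certificate authority. The following shell script is an added example, not part of the original guide: it builds a throwaway key and CSR in the manner of the Apache section (unencrypted, with constructed subject values and the hypothetical helper names make_sample_csr and csr_check), then confirms that the request is intact, carries a 2048-bit key, names the expected Common Name and matches the private key.

```shell
#!/bin/sh
# Added example, not from the original guide. Names and subject values are sample data.

# make_sample_csr DIR: create a throwaway 2048-bit key and CSR without prompts.
# (No -des3 here, so the script never stops at a pass-phrase prompt.)
make_sample_csr() {
    openssl genrsa -out "$1/www.mydomain.com.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/www.mydomain.com.key" -out "$1/www.mydomain.com.csr" \
        -subj "/C=GB/ST=Gloucestershire/L=Gloucester/O=Example Company Ltd/CN=www.mydomain.com"
}

# csr_check CSR EXPECTED_CN [KEY]: succeed only if the CSR is fit to submit.
csr_check() {
    csr=$1; want_cn=$2; key=${3:-}

    # 1. Self-signature. A CSR that lost a line while being copied fails here.
    #    The message is matched because older OpenSSL builds exit 0 on a failed verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "FAIL: malformed CSR or bad signature"; return 1; }

    # 2. Key length: the guide asks for 2048 bits.
    bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; return 1; }

    # 3. The Common Name must equal the address visitors will use.
    cn=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }

    # 4. Optional: the CSR must carry the public half of the key you hold.
    if [ -n "$key" ]; then
        [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
            { echo "FAIL: CSR was not generated from $key"; return 1; }
    fi
    echo "OK: $cn, $bits-bit key"
}

# Demo run on the constructed sample.
demo=$(mktemp -d)
make_sample_csr "$demo"
csr_check "$demo/www.mydomain.com.csr" www.mydomain.com "$demo/www.mydomain.com.key"
rm -rf "$demo"
```

For a CSR copied out of Plesk, WHM or cPanel, save the text to a file and call csr_check with that file and the domain name; the key argument can be left out when the key stays on the panel.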