Generate a Certificate Signing Request (CSR) and install a certificate for your server
Send the generated CSR file to NDSU IT Security through Secure FileTransfer at email@example.com.
[NewRequest]
Subject = "CN=SERVERNAME.ndsu.edu, O=North Dakota University System, OU=NDSU, L=Fargo, S=North Dakota, C=US, E=cert-
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
certreq -new reqInstructionFile.inf nameofserverYYYYMMDD.req
certreq -accept nameofserverYYYYMMDD.crt
Unix-based hosts can use OpenSSL to generate a CSR.
Before you run the openssl command to generate the certificate signing request (CSR), you should choose a good, long passphrase to use for securing the SSL secret key. You should store the passphrase in a secure location as there is no way to retrieve it.
When prompted, enter the strong PEM passphrase and the following data points:
$ openssl req -sha256 -newkey rsa:2048 -keyout nameofserver.ndsu.edu.key.enc -out nameofserver.ndsu.edu.csr
$ openssl rsa -in nameofserver.ndsu.edu.key.enc -out nameofserver.ndsu.edu.key
-sha256, as all new certificates should use SHA256 as the signing algorithm
rsa:2048, as 1024-bit keys are no longer supported
-days 1065 or change it to some other value, as appropriate. GlobalSign ignores the days setting.
/dev/random or equivalent, you should use the openssl
It is essential that you store the key passphrase and the secret key securely. File permissions for the secret key should be 600 and the file should be owned by
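The requirements above (SHA-256 signature, RSA key of at least 2048 bits, key file mode 600) can be checked before the CSR is sent. The script below is an added example, not part of NDSU's procedure; the function names, the KEY_PASSPHRASE variable and the host name demo.example.test are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not NDSU's procedure): sanity-check a CSR and key before submission.
# Assumes the key passphrase is exported as KEY_PASSPHRASE (hypothetical variable name).

# check_csr CSR KEY: returns 0 if every check passes, 1 otherwise (reasons on stderr).
check_csr() {
    csr=$1; key=$2; rc=0
    # The self-signature proves the requester holds the private key. Match the
    # text: older OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR self-signature does not verify" >&2; return 1; }
    text=$(openssl req -in "$csr" -noout -text)
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || {
        echo "FAIL: CSR is not signed with SHA-256" >&2; rc=1; }
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits" >&2; rc=1; }
    # The CSR must carry the public half of the key that will be installed.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASSPHRASE -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: private key does not match CSR" >&2; rc=1; }
    # Mode must be exactly 600, as required above.
    [ -n "$(find "$key" -prune -perm 600)" ] || {
        echo "FAIL: key file mode is not 600" >&2; rc=1; }
    return $rc
}

# make_demo_csr DIR BITS: constructed throwaway key and CSR for a made-up host name.
make_demo_csr() {
    openssl req -sha256 -newkey "rsa:$2" -passout env:KEY_PASSPHRASE \
        -subj "/CN=demo.example.test" \
        -keyout "$1/demo.key.enc" -out "$1/demo.csr" 2>/dev/null
    chmod 600 "$1/demo.key.enc"
}

# Demo run on constructed data in a temporary directory.
KEY_PASSPHRASE=${KEY_PASSPHRASE:-constructed-demo-passphrase}; export KEY_PASSPHRASE
demo=$(mktemp -d)
make_demo_csr "$demo" 2048 && check_csr "$demo/demo.csr" "$demo/demo.key.enc" \
    && echo "demo CSR passes all checks"
rm -rf "$demo"
```

To check a real request, export KEY_PASSPHRASE and call check_csr with the .csr and .key.enc files produced by the openssl req command above.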
For other hosts, you will need to research the CSR procedure on your own.