Certificate Signing Request (CSR) Generation Instructions for Redhat Secure Web Server

General Information ID:    INFO802    Updated:    06/13/2017

Description


To generate a CSR, you will need to create a key pair for your server. These two items comprise a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. In this case you will need to replace the certificate, with generating a new keypair.

Symantec recommends that you contact the Redhat Secure Web Server vendor for additional information.


Step 1: Generate a Private Key


NOTE: If you're using Official Red Hat Linux Professional, you can choose whether or not to enable the password feature. This will require you to enter the password every time you start your secure server.
Symantec recommends that you use the password feature to increase the level of security.

With Password Feature

  1. Use the cd command to move to the /etc/httpd/conf directory.
     
  2. As root, type the command: “make genkey” 
     
  3. Your key will be generated and you will be asked to enter and confirm a password. You will need to enter this password every time you start your secure Web server.
     
  4. Your key will be created and saved to a file named server.key. If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
     

Without Password Feature

  1. Use the cd command to move to the /etc/httpd/conf directory.
     
  2. As root, type the command all on one line:

    /usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 2048
     
  1. Set the correct permissions on your key with the command:   

    chmod go-rwx ssl.key/server.key
     
  2. Your key will be created and saved to a file named server.key. If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory.
     
Step 2: Create the Certificate Signing Request
 
  1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
     
    • For Official Red Hat Linux Professional, type in the following command:
         
      make certreq

       
    • For Official Red Hat Linux Professional, International Edition, type in the following command (all on one line): 

      /usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr

       
  2. If you used a password when you generated your key, you will be prompted for it.
     
  3. Enter information as prompted. Your inputs will be incorporated into the CSR.
  • Common Name : The Common Name is the Host + Domain Name. It looks like "symantec.com" or "symantec.com"
    Symantec certificates can only be used on Web servers using the Common Name specified during enrollment. For example, 
    a certificate for the domain "symantec.com" will receive a warning if accessing a site named "symantec.com" or 
    "secure.symantec.com", because "symantec.com" and "secure.symantec.com" are different from "symantec.com".
  • Organization Information: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.
  • The “Organizational Unit” field is the name of the department or organization unit making the request.
  • The Locality field is the city or town name, for example: Berkeley.
  • State: Do not abbreviate the state or province name, for example: California.
  • Country: Use the two-letter code without punctuation for country, for example: US or CA.
     
  1. A file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.
     
  2. You have just created a key pair and a CSR.
     
  3. The server.csr file contains your certificate request. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
     
  4. Verify your CSR
     
  5. Proceed with the Enrolment.

Contact Information
 
          During the verification process, Symantec may need to contact your organization. Be sure to provide an email address,
          phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.
 

Once the certificate has been issued, follow the steps from this link to install the certificate on your server: AR146

 

Contact Support

Find Answers