In order to get an SSL certificate and key (for use by an httpd server, for example), you must first create a Certificate Signing Request (CSR). The CSR can be sent to a commercial Certificate Authority (CA) which will then return an SSL certificate. Alternatively, you can be your own CA and use the CSR to create a self-signed certificate. Here is a typical openssl command and the resulting interactive session:
> openssl req -new -newkey rsa:2048 -keyout hostkey.pem -nodes -out hostcsr.pem
Generating a 2048 bit RSA private key
........++++++
........++++++
writing new private key to 'hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Urbana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCSA
Organizational Unit Name (eg, section) []:Security Research Division
Common Name (eg, YOUR name) []:Terry Fleury
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
>
First, an explanation of the command line options:
Next, an explanation of the interactive session. At each prompt you will see brackets ([ ]) which may or may not contain text; that text is the default value for the prompt. If you simply press <ENTER> without typing anything, the default in the brackets is used. If the brackets contain a default that you DON'T want (i.e. you want that field left blank), type a period (.) and then press <ENTER>. Note that you cannot leave all fields empty.
Note: If you are planning on using this CSR to create a self-signed certificate, then at the prompt “Common Name (eg, YOUR name) :”, enter the fully qualified domain name (FQDN) of your web server. This prevents a “domain name mismatch” error from appearing when clients connect to your web site.
At the end of the session, you are prompted for 'extra' attributes. I typically leave these blank (i.e. type <ENTER>) as they are ignored by OpenSSL's request signing utilities, but some CAs may want them.
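As an added example (not part of the original page), the same kind of CSR generated non-interactively from an OpenSSL config file, with a subjectAltName entry for the host, since current browsers match the hostname against the SAN rather than the Common Name; the hostname www.example.com, the DN values and the output directory are assumed. A second function checks the CSR's signature and its subject/SAN before it is sent to a CA.

```shell
#!/bin/sh
# Added example, not the original page's command. Generates a CSR without
# prompts and verifies it. All DN values and the FQDN are constructed.
set -eu

make_csr() {
    # $1 = FQDN of the web server (assumed), $2 = output directory
    fqdn="$1"; dir="$2"
    cat > "$dir/csr.cnf" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
req_extensions      = v3_req

[ dn ]
C  = US
ST = Illinois
L  = Urbana
O  = NCSA
OU = Security Research Division
CN = $fqdn
emailAddress = email@example.com

[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    # -nodes writes the private key unencrypted (as in the original command),
    # so restrict the key file's permissions right away.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/hostkey.pem" -out "$dir/hostcsr.pem" \
        -config "$dir/csr.cnf" 2>/dev/null
    chmod 600 "$dir/hostkey.pem"
}

# Before sending the CSR to a CA: the self-signature must verify, and both the
# subject CN and the SAN must carry the FQDN you intended.
check_csr() {
    csr="$1"; fqdn="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$fqdn" || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$fqdn" || return 1
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_csr www.example.com "$d"
    check_csr "$d/hostcsr.pem" www.example.com && echo "CSR OK: $d/hostcsr.pem"
fi
```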