SSL Certificates
CSR
Generating
With the (private) key in hand you can generate a CSR:
openssl req -new -sha256 -key ssl-certificate.key -out ssl-certificate.csr
You should be prompted for some vital information, which may be presented to the end user to help them decide if you're trustworthy. It is here that you're asked for the certificate's Common Name. Spell it right!
- Country Name (2 letter code) [AU]:
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) []:
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
- Organizational Unit Name (eg, section) []:
- Common Name (eg, YOUR name) []:
- Email Address []:
Finding something appropriate to put in for Organizational Unit Name might be quite tricky, but otherwise there's no excuse not to put something in for each of these fields.
A little later we'll be generating self-signed certificates (and other non-webserver SSL certificates). For these we might put something more imaginative in: example.com CA Root Certificate, perhaps.
As an aside, not knowing the machinations of the global CAs, it would probably be best if you answered the questions about your location truthfully and put in a meaningful email address.
Checking
To check your CSR you can do the following:
openssl req -in ssl-certificate.csr -noout -text
which should give you some output including a Subject: line that should have the details you've just entered.
SHA256
SHA1 is being deprecated, so ensure you pass -sha256 for the digest algorithm. You can check that the above output says:
Signature Algorithm: sha256WithRSAEncryption
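The checks from the Checking and SHA256 sections can be collected into one script to run before a CSR goes to a CA. This is an added example, not part of the original page; the function names check_csr and make_sample_csr, the sample subject values and the temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks to run on a CSR before sending it to a CA.
# check_csr, make_sample_csr and the sample subject are constructed names/values.

# check_csr CSR_FILE EXPECTED_CN -> 0 if all checks pass, 1/2/3 for the failing check
check_csr() {
    csr=$1; cn=$2

    # 1. The request's signature must verify against the public key it carries.
    #    Match on the message rather than relying on the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: self-signature does not verify" >&2; return 1; }

    # 2. The digest must be the one the page asks for (-sha256).
    openssl req -in "$csr" -noout -text |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' || {
        echo "FAIL: not signed with sha256WithRSAEncryption" >&2; return 2; }

    # 3. The Common Name must be spelled exactly as expected.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case $subject in
        "subject=CN=$cn"|"subject=CN=$cn,"*|*",CN=$cn"|*",CN=$cn,"*) ;;
        *) echo "FAIL: Common Name is not $cn ($subject)" >&2; return 3 ;;
    esac
    echo "OK: $csr"
}

# make_sample_csr DIR DIGEST_FLAG: throwaway key plus CSR, answering the
# prompts non-interactively with -subj (all values are constructed samples).
make_sample_csr() {
    openssl genrsa -out "$1/ssl-certificate.key" 2048 2>/dev/null &&
    openssl req -new "$2" -key "$1/ssl-certificate.key" \
        -out "$1/ssl-certificate.csr" \
        -subj "/C=GB/ST=Some-State/L=Some-City/O=Example Ltd/OU=IT/CN=www.example.com/emailAddress=hostmaster@example.com"
}

# Demo on a constructed sample created in a temporary directory.
tmp=$(mktemp -d) && make_sample_csr "$tmp" -sha256 &&
    check_csr "$tmp/ssl-certificate.csr" www.example.com
rm -rf "$tmp"
```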