OpenSSL is used to generate the key file and CSR for your certificate. This is a common package and is available on all of the major Linux distributions through their package installers. You will also be able to find installers for MAC and Windows. This tutorial outlines the step with Linux.
To check whether it is installed on a system that uses yum (such as CentOS or Red Hat Enterprise Linux), run the following command.
rpm -qa | grep -i openssl
The preceding command should return the following or similar packages:
openssl-1.0.1e-48.el6_8.1.x86_64 openssl-devel-1.0.1e-48.el6_8.1.x86_64 openssl-1.0.1e-48.el6_8.1.i686
If these packages are not returned, install OpenSSL by running the following command:
yum install openssl openssl-devel
To check whether OpenSSL is installed in a Debian or Ubuntu system, run the following command:
dpkg -l |grep openssl
You should receive the following output.
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - OpenSSL wrapper ii openssl 1.0.1f-1ubuntu2.16 amd64 Secure Sockets Layer toolkit - cryptographic utility
If you don’t see the expected output, install OpenSSL, run the following command:
apt-get install openssl
Generate the RSA key
Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:
mkdir ~/my_ssl/ cd ~/my_ssl/
Run the following command to generate a private key:
openssl genrsa -out ~/my_ssl/my.domain.com.key 2048
Create a CSR
Type the following command to create a CSR with the RSA private key (output is in PEM format):
openssl req -new -sha256 -key ~/my_ssl/my.domain.com.key -out ~/my_ssl/my.domain.com.csr
When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.
Note: The following characters cannot be used in the Organization Name or theOrganizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
|Common Name||The fully qualified domain name for your web server. This must be an exact match.||If you intend to secure the URL https://www.yourdomain.com, then your CSR’s common name must be www.yourdomain.com. If you plan to get a wildcard certificate, make sure to prefix your domain name with an asterisk, for example: *.domain.com.|
|Organization Name||The exact legal name of your organization. Do not abbreviate your organization name.||domain.com|
|Organizational Unit||Section of the organization.||IT|
|City or Locality||The city where your organization is legally located.||Wellesley Hills|
|State or Province||The state or province where your organization is legally located. Do not use an abbreviation.||Massachusetts|
|Country||The two-letter ISO abbreviation for your country.||US|
Verify your CSR
Run the following command to verify your CSR:
openssl req -noout -text -in ~/my_ssl/my.domain.com.csr