First you have to know the Fully Qualified Domain Name (FQDN) of the
website for which you want to request a certificate. When you want to
access your website through https://www.virtualhost.com/
then the FQDN of your website is www.virtualhost.com
www.virtualhost.com will be your
Generate the Key with the following
$ openssl genrsa -des3 -out www.virtualhost.com.key 1024
command will generate 1024 bit RSA Private Key and stores it in the
will ask you for a pass phrase: use something secure and remember it.
Your certificate will be useless without the key. If you don't want to
protect your key with a pass phrase (only if you absolutely trust that
server machine, and you make sure the permissions are carefully set so
only you can read that key) you can leave out the -des3 option above.
file and make a note of the pass phrase. A good choice is to backup this
information onto a diskette or other removeable media.
the CSR with the following command:
$ openssl req -new
command will prompt you for the X.509 attributes of your certificate.
Remember to give the name www.virtualhost.com
when prompted for 'Common Name (eg, YOUR name)'.
Do not enter
your personal name here. We are requesting a certificate for a
webserver, so the Common Name has to match the FQDN of your website (a
requirement of the browsers).
Generate a temporary
$ openssl x509 -req -days 30
-in www.virtualhost.com.csr -signkey
command will generate a certificate a self-signed certificate in www.virtualhost.com.crt which
can be used as a temporary certificate while you are waiting for a real
certificate from Thawte.
You will now have a RSA Private Key
and a Certificate Signing Request in www.virtualhost.com.csr.
is your secret key, and must be installed as per the instructions that
come with mod_ssl. The file www.virtualhost.com.csr
is your CSR, and the important bit looks something like this:
The CSR in www.virtualhost.com.csr is
what you now paste into theappropriate online enrolment form.
take a note of the format above.
Note: Generating the
private key with the passphrase will mean that the same passphrase will
need to be entered after restarting the server.
In order to allow
your mod_ssl-secured Apache server work with our certificates we
recommend you to use the latest versions of Apache, mod_ssl and OpenSSL.
distribution tarballs can be found at the following locations:
installation instructions can be found in the INSTALL files in all
The utility (openssl) that you use to generate
the RSA Private Key (Key) and the Certificate Signing Request (CSR)
comes with Openssl and is usually installed under the directory
SSL_BASE/bin where SSL_BASE is the path you specified for building
Apache+mod_ssl either with the
--with-openssl option or the