This article explains how you can create and install an SSL certificate. The same procedure applies whether you are getting a traditional SSL certificate from a certificate authority (e.g. Verisign), using a self-signed certificate, or using a '*' wildcard certificate.
Prerequisites
Make sure that OpenSSL is installed on your server. It is a common package and is available on all of the major distros through their package installer. To check whether it is installed, issue the following command:
# rpm -qa | grep -i openssl
The above command should return the following packages, or something similar:
openssl-0.9.8e-7.el5
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
If that is not the case, run the following:
# yum install openssl openssl-devel
Generate the RSA key
Create an RSA key for your Apache server. Since every distro places certificates in a different location, we are just going to place it in an arbitrary spot:
# mkdir ~/domain.com.ssl/
# cd ~/domain.com.ssl/
Type the following command to generate a private key.
# openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Create a CSR
To create a CSR with the RSA private key, type the following (the output will be in PEM format):
# openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must follow certain conventions. Enter the information to be displayed in the certificate. The following characters cannot be used for the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
DN Field | Explanation | Example |
Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you plan on getting a wildcard certificate, make sure to prefix your domain with an asterisk, for example: *.domain.com. |
Organization | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com |
Organization Unit | Section of the organization | IT |
City or Locality | The city where your organization is legally located. | Wellesley Hills |
State or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts |
Country | The two-letter ISO abbreviation for your country. | US |
Do not enter extra attributes at the prompt.
- Warning: Leave the challenge password blank (press Enter).
Verify your CSR
# openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
Submit your CSR
At this point, take the CSR that you created here and submit it to a certificate authority.
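Before submitting, the key and CSR steps above can be scripted and checked: that the private key is readable by its owner only, that the CSR's signature verifies, and that the CSR was built from the key you intend to keep. This is an added example, not part of the original article; the function names are hypothetical and the DN values are taken from the Example column of the table above.

```shell
#!/bin/sh
# Added example: scripted key + CSR generation with pre-submission checks.
# Function names are hypothetical; DN values are the article's table examples.

# make_key_and_csr DIR NAME CN: write DIR/NAME.key and DIR/NAME.csr without prompts.
make_key_and_csr() {
    (
        umask 077    # new directory and key are created owner-only
        mkdir -p "$1" &&
        openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
        openssl req -new -sha256 -key "$1/$2.key" -out "$1/$2.csr" \
            -subj "/C=US/ST=Massachusetts/L=Wellesley Hills/O=domain.com/OU=IT/CN=$3"
    )
}

# key_is_private FILE: true only if the mode is exactly rw------- (owner only).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# csr_selfsig_ok CSR: the CSR's signature verifies against the public key it carries.
# The message is matched because older OpenSSL releases exit 0 even on failure.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_matches_key CSR KEY: the public key inside the CSR is the one derived from KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# check_before_submit CSR KEY: run every check and report the first failure.
check_before_submit() {
    key_is_private "$2" || { echo "FAIL: $2 is readable by group or other" >&2; return 1; }
    csr_selfsig_ok "$1" || { echo "FAIL: CSR signature does not verify" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR was not created from $2" >&2; return 1; }
    echo "OK: $1 is ready to submit"
}
```

For the article's paths, call `check_before_submit ~/domain.com.ssl/domain.com.csr ~/domain.com.ssl/domain.com.key`; only the `.csr` file goes to the certificate authority, the `.key` file stays on the server.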