Public key (Certificate Signing Request)

The CSR (Certificate Signing Request) is essential for the issuing of the certificate, as it contains the public key.

The public key will be generated by your web host or the administrators of the servers, on which the domain runs that you wish to secure with the SSL certificate.

Instructions on how to implement the CSR on the most popular web servers Apache and IIS are listed below.

Instructions for the installation on other servers can be found on the website of the respective certification authority. You only need to choose your platform: Thawte, Symantec (VeriSign), GeoTrust, RapidSSL.

Information for the CSR request

Apart from the public key, the CSR request also contains data about the certificate applicant. This data must correspond to the information about the applicant stated in the order. The following information must be forwarded to your webhost in order for the CSR request to be created.

For the generation of the CSR, following information is needed:

Common name: exact domain name (incl. www, if you would like to use it)
Organization: name of the applicant’s organisation (the same as stated in the order)
Organizational unit: department, purpose
City/locality: name of the city of the organisation's address
State/province: the state in which the organization resides
Country/region: country code
Key Size: 2048 Bit

 

Example:

Common name: www.test.co.uk
Organization: A & B Ltd.
Organizational unit: Internet
City/locality: London
State/province: United Kingdom
Country/region: UK
Key Size: 2048 Bit

Note: please make sure you enter the domain correctly when ordering an SSL certificate. If the domain name stated in the order includes www, you will get the version without www for free. E.g. if you order a certificate for www.zoner.co.uk, the domain zoner.co.uk will be automatically secured as well. However, this rule doesn’t work the other way round. As long as you don’t secure both versions with an SSL certificate a visitor can receive an error message, when visiting the website version without certificate. In this case an error message about an insecure connection will be displayed. For this reason it is important to use the correct spelling.

Generation of CSR for Apache and nginx

Linux servers use OpenSSL libraries when encrypting and working with keys. In those libraries you can create the CSR request for your certificate that is used by an Apache or nginx server. After successfully logging on to the server, you will create the CSR request (the public key). The certificate authority must be provided with this request. You just need to put the request into the order form at SSLmarket.
The CSR will be created in OpenSSL. In order to keep an overview of the certificates, we advise you to create a folder named ssl within the main file /etc and to use this file also for future certificates.

mkdir /etc/ssl/test.co.uk && cd /etc/ssl/test.co.uk

Now you are in the newly created file. By using the following command, OpenSSL is started and a new private key of 2048 Bits is generated.

openssl genrsa -out test.co.uk.key 2048

The private key is used to decipher the communication encrypted with the certificate and must therefore be kept secure and out of reach for unauthorised access. The access to the private key must remain solely with the owner, i.e. the web server using the key.

chmod 600 test.co.uk.key
chown www-data test.co.uk.key

The public key is generated using the following command:

openssl req -new -key test.co.uk.key -out test.co.uk.csr

You will be asked to enter the information for the key and the prospective certificate. The most important specifications are common name the name of the domain, the certificate will be used for, and Country – UK. Without these specifications, the certificate cannot be requested. If you ordered a test version or a DV certificate, these two details are sufficient. However, if you ordered a certificate, that requires validation of the applicant (OV or EV certificate), you need to fill in all the details. Their meaning is described in the article working with OpenSSL – CSR and private key. Challenge password, the information asked for in the last step, need not be filled in.

The generated CSR must be inserted into your order. Open the CSR with the Nano Editor and copy it:

root@server:/etc/ssl/test.co.uk# nano test.co.uk.csr

By using the shortcut Ctrl + X you return to the terminal and you can copy/paste the CSR into the order of the SSL certificate.

Generation of CSR for Windows Server

Windows Server uses the Web Server IIS. From version 7 to version 8.5, the generation of the CSR request is basically the same. The server will ask you for the data entered into the CSR and will then save the text file along with the certificate request.

In the text below you will find a detailed description of this process.

Log into the server as the administrator and follow following path: Start-> Administrative Tools -> Internet Information Service Manager. Now you will the see the name of the server in the left column. In the next step, click on the Server. The item Server Certificates will appear.

Now, click on Server Certificates and Create Certificate Request. A new window will pop up, in which you can enter the necessary information for the CSR.

Administration of the SSL certificates

This is how you fill out the fields correctly – see above.

The most important specifications are Common name the name of the domain, the certificate is issued for and Country – UK. Without these specifications, the certificate cannot be requested. If you ordered a test version or a DV certificate, these two details are sufficient. However, if you ordered a certificate that requires the validation of the applicant (OV or EV certificates) all details need to be specified.

When all required fields are filled out, click on Next to continue. In the next step the settings for the encryption need to be configured.

Properties of the defined domain name

The pre-set cryptographic provider Microsoft RSA SChannel need not be changed. The pre-set key length is 1024. Please select a bit length of 2048 and click on Next.

Now you can choose the name and the memory location for the CSR file. Please enter txt as a file name. Click on Finish.

file name for the certificate request

Open the CSR file with a text editor (e.g. Notepad). The text of the public key starts with „BEGIN NEW CERTIFICATE REQUEST" and ends with „END NEW CERTIFICATE REQUEST". Afterwards you can add the public key to your order.

Adding CSR to SSLmarket

Enter the generated public key into the administrative interface of the ordered SSL certificate. Copy the entire content of the text file, view the details of the order and under Information about Public Key select Enter New Key. Make sure that SHA-2 is selected.

If the Key is correct, the status in the interface will change from N/A to OK. You can check the content and the correctness of the CSR with following tool: https://certlogik.com/decoder/. As soon as the validation is complete, the certificate authority will issue your certificate and it will be sent to your e-mail address by SSLmarket.

If you have further questions, do not hesitate to contact us.