Certificate Signing and Requesting Process
In order to generate a Certificate Signing Request (CSR) you must have a private key ready to be used for the CSR generation.
This key should be an RSA key of at least 2048 bits, must be encrypted (with Triple-DES, as in the command below, or another applicable cipher), and must be stored in PEM format so that it is readable as ASCII text.
Generating a private RSA key
openssl> genrsa -des3 -out server.key 2048
The above command will ask you to enter a passphrase that protects the key in case the file is stolen or otherwise compromised; the passphrase should be strong enough that the key cannot be used without it. If successful, the command writes the key to the file named by -out, here “server.key”, where “server” is the name you assigned in the command and can be any other name you choose.
Generating a CSR (Certificate Signing Request)
Once the private key is ready, a Certificate Signing Request (CSR) can be generated. This CSR can then be sent to a Certificate Authority, such as Thawte, Verisign or in our case SECTIGO to verify the identity of the requester and issue a signed certificate. During the generation of the CSR, you will be prompted for several pieces of information such as country, state, organization, etc. These pieces will become the X.509 attributes of the certificate. The only critical piece is the common name, which needs to be set to the FQDN of the server that is going to be protected by SSL. If the website to be protected is for example https://www.mcmaster.ca, then enter “www.mcmaster.ca” at this prompt.
Use this openssl command to generate the CSR as follows:
openssl> req -new -key server.key -out server.csr
Country Name (2 letter code) [CA]:CA
State or Province Name (full name) [Ontario]:Ontario
Locality Name (eg, city) [Hamilton]: Hamilton
Organization Name (eg, company) [My Company Ltd]: McMaster University
Organizational Unit Name (eg, section) []: Media Production Services
Common Name (eg, your name or your server’s hostname) []: mps.mcmaster.ca
Email Address []: your-name@mcmaster.ca
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
If a challenge password was entered (not left blank), it might need to be supplied when the CSR is uploaded to the console.
Once the CSR generation is complete you will obtain a file named “server.csr”; the private key for this request is the one passed with -key, “server.key”.
It is recommended that this key be used for this CSR only; for security reasons, you should not reuse this key for multiple CSRs.
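The key and CSR steps above, as an added example that is not part of the original guide: the same genrsa and req commands run non-interactively, followed by the checks worth doing before the CSR is uploaded. It assumes openssl is on PATH, takes the passphrase from the KEY_PASS variable (a constructed sample value) instead of the interactive prompt, and answers the prompts with -subj using the values shown in the transcript.

```shell
#!/bin/sh
# Added example (not the guide's own commands): key + CSR generation with verification.
# Assumptions: openssl on PATH; passphrase supplied via $KEY_PASS (constructed sample).
set -eu

KEY_PASS="${KEY_PASS:-constructed-sample-passphrase}"   # constructed; use a real strong one
KEY=server.key
CSR=server.csr
# Subject fields exactly as answered at the prompts in the guide
SUBJ="/C=CA/ST=Ontario/L=Hamilton/O=McMaster University/OU=Media Production Services/CN=mps.mcmaster.ca"

# Same as 'genrsa -des3 -out server.key 2048', with the passphrase taken from -passout
make_key() {
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"          # key material must never be group- or world-readable
}

# Same as 'req -new -key server.key -out server.csr', prompts answered via -subj
make_csr() {
    openssl req -new -key "$KEY" -passin "pass:$KEY_PASS" -subj "$SUBJ" -out "$CSR"
}

# Returns 0 only if the CSR's self-signature verifies and its CN is the expected FQDN
csr_ok() {
    expected="$1"
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -subject | grep -q "CN *= *$expected"
}

# Returns 0 only if the CSR was produced from this private key (same RSA modulus)
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -passin "pass:$KEY_PASS" -noout -modulus)
    c=$(openssl req -in "$CSR" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_key
make_csr
csr_ok mps.mcmaster.ca && key_matches_csr && echo "CSR ready to upload: $CSR"
```

The CN check catches the most common upload rejection (a CSR whose common name is not the server's FQDN); the modulus comparison proves the CSR belongs to the key you intend to deploy.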
Uploading the CSR to start the certificate request process
Once you have the CSR ready, go to the SECTIGO console and select “add” to enter a new request for a certificate.
You will be presented with a screen offering 3 modes of CSR upload:
- Manual creation of CSR
- Auto-generation of CSR
- Auto-generation of CSR with auto installation
Select “Manual creation of CSR” and hit the “Next” button.
In the next step you will be prompted to either copy and paste the content of your CSR file or upload the CSR file on to the field by pressing the “Upload CSR” button.
After the CSR is uploaded, you will be presented with a number of custom fields required to classify and store the certificate once generated. Make the appropriate choices as follows:
- Make sure “McMaster University” is selected as the Organization
- Select your Department from the pull down list, whatever is appropriate
- Select Certificate Type as “Elite SSL Certificate” or “EV Multidomain SSL” (the difference is explained below)
- Select the validity Term (1 or 2 years)
- Double check the common name and ensure it matches what you have indicated during the CSR generation process
- Select “Server Software”. This step is very important as the format for the issued certificate will match the appropriate selection. The selection must match or at least closely resemble the platform the certificate is going to be deployed to.
- The “Requester” field should show your name
- The “External Requester” field is for adding names other than your own that are also part of this request. This is optional.
If you want to add extra common names to the certificate request, you must select the “EV Multidomain SSL” type. This option will give you the choice of adding extra common names if applicable. Otherwise, the type should remain as “Elite SSL Certificate”.
When you are done, hit the “Next” button.
The next screen will show the “auto-renewal” options. Check the auto-renewal box if you want this certificate to be automatically renewed at its expiration date. Also, select the number of days prior to expiry at which the renewal should take place.
When you are ready, hit the “Next” button.
Finally, accept the EULA terms and conditions to complete the request process. This will put the certificate in the queue awaiting approval.
Certificate Deployment
After the certificate is approved and issued, you will receive an email indicating that the SSL certificate is ready to be collected. The email should contain links to retrieve the certificate in the format that is applicable to your server. Once you retrieve the certificate file, you will need to upload it on to your web server along with the private key that was used to generate it.
Please note that the private key that is going to be uploaded to the server must have the protection passphrase removed that was initially used to generate the key and obtain the CSR. This is an important point: if the private key is uploaded with the protection passphrase in place, the web server will prompt for that passphrase every time the certificate must be loaded for use.
To remove the password from the private key file prior to uploading it to the server, use the following OpenSSL command:
openssl> rsa -in [file1.key] -out [file2.key]
After the command is entered, you will be prompted for the passphrase that was used to generate [file1.key]. Once the command completes, you will get [file2.key], which is the unprotected private key. This is the file that should be uploaded to the server along with the corresponding new SSL certificate.
Be aware that an unencrypted private key adds risk: if the unprotected key file is stolen, your SSL encryption can be compromised. Once it has been uploaded to the server, do not leave other copies of the key lying around, and take security measures to protect the original key file by storing it in a safe place, ideally in a key vault system or service.
Once the SSL certificate is in place along with the key, you can then proceed to reference it from your server environment for it to become active.
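The passphrase-removal step above, as an added example that is not part of the original guide: the rsa command with the passphrase supplied through -passin, plus the checks that the result is really unencrypted, is the same key, and was written with owner-only permissions. It assumes openssl is on PATH and constructs its own Triple-DES-protected input key with a sample passphrase so that it runs stand-alone.

```shell
#!/bin/sh
# Added example (not the guide's own commands): strip the passphrase, then verify.
# Assumptions: openssl on PATH; input key constructed here with $KEY_PASS (sample value).
set -eu
umask 077               # every file created below is owner-readable only (mode 600)

PROTECTED=file1.key     # passphrase-protected key (input)
UNPROTECTED=file2.key   # key without passphrase (what the web server loads)
KEY_PASS="${KEY_PASS:-constructed-sample-passphrase}"

# Constructed input: a Triple-DES protected key like the one from the guide's genrsa step
make_sample_protected_key() {
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$PROTECTED" 2048 2>/dev/null
}

# Same as 'rsa -in file1.key -out file2.key', with the passphrase taken from -passin
strip_passphrase() {
    openssl rsa -in "$PROTECTED" -passin "pass:$KEY_PASS" -out "$UNPROTECTED" 2>/dev/null
}

# Returns 0 if the file is a PEM private key with no encryption header
# (OpenSSL 1.x writes a DEK-Info header, OpenSSL 3 writes "ENCRYPTED PRIVATE KEY")
is_unprotected_key() {
    grep -q 'PRIVATE KEY' "$1" && ! grep -qE 'ENCRYPTED|DEK-Info' "$1"
}

# Returns 0 if the stripped key is the same RSA key as the protected one (same modulus)
same_key() {
    a=$(openssl rsa -in "$PROTECTED" -passin "pass:$KEY_PASS" -noout -modulus)
    b=$(openssl rsa -in "$UNPROTECTED" -noout -modulus)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Prints the permission bits of a file, e.g. 600 (GNU stat first, BSD stat as fallback)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

make_sample_protected_key
strip_passphrase
is_unprotected_key "$UNPROTECTED" && same_key \
    && echo "$UNPROTECTED ready for the server, mode $(perm_of "$UNPROTECTED")"
```

After copying file2.key to the server, delete the local copy; the passphrase-protected file1.key is the one to keep in the vault.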