How to Generate a CSR for an Apache or NGINX Web Server with OpenSSL (ECC)

To generate a Certificate Signing Request (CSR) for an Apache or NGINX web server, perform the following steps. When you have completed this process, you will have a CSR ready to submit to Trustzone, which will use it to issue an SSL certificate.

Generating the key pair

The “OpenSSL” utility is used to generate both the private key (key) and the Certificate Signing Request (CSR). OpenSSL is usually installed under /usr/local/ssl. If you have a custom install, you will need to adjust these instructions appropriately.

Note: Change mydomain.com to the website you wish to create the CSR for.

Browse to a folder where you would like to generate your key pair. It is recommended to generate the key pair in a directory with locked-down permissions. (We recommend setting the permission to 600 on the private key.)

Note: If you are using OpenSSL on Windows, please navigate to your OpenSSL “bin” directory and open a command prompt.

Type the following command at the OpenSSL prompt (on Unix systems, type openssl to start it):
ecparam -out www.mydomain.com.key -name prime256v1 -genkey

Note: If you wish to use a passphrase with your private key you can include “-des3” in the command. You will then be prompted for a passphrase. Please keep the passphrase in a safe location as it cannot be recovered. If the passphrase is lost, you must generate a new key pair.

A NIST P-256 ECC private key will be generated and stored in the file “www.mydomain.com.key”.


Generating the CSR

Type the following command at the OpenSSL prompt:
req -new -key www.mydomain.com.key -out www.mydomain.com.csr

Note: You will be prompted for the PEM pass phrase if you included the “-des3” option. Type it in now.

Note: There is a known issue with Apache/OpenSSL Windows-based installations. If you receive an error with the above command, please enter the following:
req -new -key www.mydomain.com.key -out www.mydomain.com.csr -config openssl.cnf

Input the information for the Certificate Signing Request. This information will be displayed in the certificate:

Common Name: Must exactly match the URL you plan to secure; this is usually your fully-qualified domain name (e.g. trustzone.dk or mail.trustzone.dk). The www. is important: include it if you want to secure https://www.mydomain.com and exclude it if you want to secure https://mydomain.com.

Organization: The legal (officially registered) name of your organization/company, including Inc., LLP., Pvt, Plc., Ltd., SARL., etc.

Organizational unit: The name of your department within the organization (this is often “IT,” “Web,” or is just left blank)

City/locality: The city or town in which your organization is located

State/Province: The state in which your organization is located

Country: Use the official ISO country code for this field.

Note: Do NOT enter the following: “Email Address”, “A challenge password” or “An optional company name”.

Please verify the CSR to ensure all information is correct. Use the following command:
req -noout -text -in www.mydomain.com.csr

The CSR will now be created and can be submitted via the website.

You are now ready to submit your CSR for the certificate you wish to install.
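
The steps above as one non-interactive script, added here as an example and not taken from the original article. It assumes openssl is on the PATH; the function names make_csr and check_csr and the subject values passed to -subj are constructed placeholders. Beyond the article's steps, it also checks that the CSR's self-signature verifies and that its public key matches the private key.

```shell
#!/bin/sh
# Added example. Domain and subject values below are constructed placeholders.

# make_csr DOMAIN DIR: create DIR/DOMAIN.key (NIST P-256) and DIR/DOMAIN.csr.
make_csr() {
    domain=$1
    dir=$2
    key="$dir/$domain.key"
    csr="$dir/$domain.csr"
    # umask 077 in a subshell: the key file is created owner-only (0600).
    ( umask 077 && openssl ecparam -out "$key" -name prime256v1 -genkey ) || return 1
    chmod 600 "$key" || return 1   # also covers a pre-existing file
    # -subj supplies the prompted fields; no e-mail or challenge password is set.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=DK/ST=Example State/L=Example City/O=Example Org Ltd./CN=$domain"
}

# check_csr KEY CSR: succeed only if the CSR is intact, uses P-256, and
# carries the public half of KEY.
check_csr() {
    key=$1
    csr=$2
    # Match on the message rather than relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$csr" -noout -text | grep -q "prime256v1" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d) || exit 1
if make_csr www.mydomain.com "$work" &&
   check_csr "$work/www.mydomain.com.key" "$work/www.mydomain.com.csr"; then
    echo "CSR ready: $work/www.mydomain.com.csr"
else
    echo "CSR generation or verification failed" >&2
fi
```

Running check_csr against a CSR and a key from different runs fails at the final comparison, which catches a CSR submitted alongside the wrong key file before the certificate is issued.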

Jon Tittmann

Vetting/Support Team Lead & OpEx

Jon has been an integral part of TRUSTZONE for the past six years, during which he has acquired substantial expertise in the cyber security field. As the team leader for our support team, he possesses a profound understanding of the sector, enabling him to resolve even the most complex challenges within the certificate industry effectively.
