How to Generate a CSR for an Apache or NGINX Web Server with OpenSSL (ECC)
To generate a Certificate Signing Request (CSR) for an Apache or Nginx Webserver, perform the following steps. When you have completed this process, you will have a CSR ready to submit to Trustzone in order to be generated into a SSL Security Certificate
Generating the key pair
The utility “OpenSSL” is used to generate both Private Key (key) and Certificate Signing Request (CSR). OpenSSL is usually installed under (/usr/local/ssl). If you have a custom install, you will need to adjust these instructions appropriately.
Note: Change mydomain.com to the website you wish to create the CSR for
Browse to a folder where you like to generate your keypair. It is recommended to generate the key pair in a directory with locked down permissions. (We recommend setting the permission to 600 on the private key).
Note: If you are using OpenSSL on Windows, please navigate to your OpenSSL “bin” directory and open a command prompt.
Type the following command at the prompt in OpenSSL (type openssl in unix systems):
ecparam –out www.mydomain.com.key -name prime256v1 -genkey
Note: If you wish to use a passphrase with your private key you can include “
-des3” in the command. You will then be prompted for a passphrase. Please keep the passphrase in a safe location as it cannot be recovered. If the passphrase is lost, you must generate a new key pair.
A NIST P-256 ECC private key will be generated and stored in the file “www.mydomain.com.key”
Generating the CSR
Type the following command at the prompt in OpenSSL:
req –new –key www.mydomain.com.key –out www.mydomain.com.csr
Note: You will be prompted for the PEM Pass Phrase if you included the “
-des3” command. Type it in now.
Note: There is a known issue with Apache/OpenSSL Windows-based installations. If you receive an error with the above command, please enter the following:
req -new -key www.mydomain.com.key -out www.mydomain.com.csr -config openssl.cnf
Input the information for the Certificate Signing Request. This information will be displayed in the certificate:
Common Name: Must match the URL you plan to secure exactly – is usually your fully-qualified domain name (e.g. trustzone.dk or mail.trustzone.dk). Remember the www. Is important – include it if you want to secure https://www.mydomain.com & exclude it if you want to secure https://mydomain.com
Organization: The legal (officially registered) name of your organization/company include Inc., LLP., Pvt, Plc. Ltd. SARL., etc
Organizational unit: The name of your department within the organization (this is often “IT,” “Web,” or is just left blank)
City/locality: The city or town in which your organization is located
State/Province: The state in which your organization is located
Country: Click here for the official list of ISO country codes for this field
Note: Do NOT enter the following: “Email Address”; “A challenge password” or ”An optional company name”:
Please verify the CSR, to ensure all information is correct. Use the following command:
req -noout -text -in www.mydomain.com.csr
The CSR will now be created and can be submitted via the website-
You are now ready to submit your CSR for the certificate you wish to install.
Get in touch with us for a non-binding quote
We will contact you as soon as possible.