In order to obtain a signed Digital Certificate, you must create a Certificate Signing Request, or CSR. At the same time your CSR is created, you will also generate a Private Key. The CSR is used by the Signing Authority to create a signed Digital Certificate which works with your Private Key to provide secure access to your Web site.

There is some information that you will need to gather before generating the CSR and Private Key. This information is required as part of the CSR, and must be entered exactly as you want it to appear in your certificate.

  • Country Name - The two letter country code, such as "US"
  • State or Province Name - The full name of your state, such as "Illinois"
  • Locality Name - Name of your city
  • Organization Name - Name of your company
  • Organizational Unit Name - Optional ("Internet Services")
  • Common Name - Very important: this is the full domain name you want to use for secure access, for example www.teamITS.com, not teamITS.com.
  • E-mail Address - The contact E-mail address that you want to have the Signing Authority use when corresponding with you.
  • Challenge Password or PEM Passphrase - This is a security phrase which, like a password, ensures that only you can use your digital certificate. Be sure to use a phrase which you can easily remember but which is not easily guessed. You may need to enter the passphrase in the future to interact with your signing authority, and to install your signed certificate.
  • Extra Information - You can also enter additional company information if prompted.

Once you have all the information ready to enter, connect to your Virtual Private Server via SSH, su to root, and follow these steps:

1. Create a directory to store SSL certificate files and private keys by running the commands:

# mkdir /usr/local/certs
# cd /usr/local/certs

If the directory already exists, you may ignore the error from the first command.

2. Run the following commands inside the new directory. Remember to substitute your domain name, but keep the .key file extension so the file is easy to identify later.

# openssl genrsa -des3 -out example.com.key 2048
# openssl req -new -key example.com.key

You will be asked to provide the information you gathered earlier. Most of the questions are self-explanatory, except that Common Name refers to the exact domain name that you want to use when accessing your site using SSL (i.e. domain.com or www.domain.com or cname.domain.com or *.domain.com).

When you have entered all the data, your CSR will be shown on the screen but not saved to a file. It is a good idea to save the CSR by copying and pasting it into a file on your local computer. You will need it when you are ordering your SSL certificate from the Signing Authority's web site. The following is an example of a CSR. Note that the CSR includes the lines with BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

In the directory where you were when you ran the openssl command, you will also find a new file called example.com.key. This is your private key. Keep a copy of the private key as you will need it when you install your SSL certificate. We recommend running the following command to restrict read access to your key file:

# chmod o-r example.com.key

The following is an example of a private key. Note that the lines containing BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY are part of the key.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BCC23A5E16582F3D

-----END RSA PRIVATE KEY-----
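
A non-interactive variant of steps 1 and 2, added here as an example and not part of the original instructions: it writes the CSR to a file instead of the screen, creates the key under a restrictive umask, and confirms that the CSR and the key belong together before the CSR is submitted. The function names, the KEY_PASS environment variable and the sample subject values are assumptions of this example.

```shell
#!/bin/sh
# Added example. File names, KEY_PASS and the subject values are constructed.

# make_csr DIR DOMAIN SUBJECT
# Creates DOMAIN.key (passphrase taken from the KEY_PASS environment variable,
# so it never appears on the command line) and DOMAIN.csr inside DIR.
make_csr() {
    dir=$1 domain=$2 subject=$3
    (
        umask 077    # key and CSR are created readable by the owner only
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl genrsa -des3 -passout env:KEY_PASS \
            -out "$domain.key" 2048 || exit 1
        # -subj answers the questions up front; -out saves the CSR to a file
        openssl req -new -key "$domain.key" -passin env:KEY_PASS \
            -subj "$subject" -out "$domain.csr" || exit 1
    )
}

# csr_subject CSR: print the subject for review before submitting the CSR.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_matches_key CSR KEY: succeed only if the CSR's self-signature verifies
# and the public key in the CSR is the one belonging to KEY.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Usage (constructed values):
#   KEY_PASS='...'; export KEY_PASS
#   make_csr /usr/local/certs www.example.com \
#       "/C=US/ST=Illinois/L=Naperville/O=Example Co/CN=www.example.com"
#   csr_matches_key /usr/local/certs/www.example.com.csr \
#       /usr/local/certs/www.example.com.key && echo "CSR and key match"
```

Running csr_matches_key again when the signed certificate arrives, with the certificate's public key in place of the CSR's, catches the common mistake of installing a certificate against the wrong key file.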

Once you have your CSR and Private Key, the next step is to obtain your signed Digital Certificate.

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments. If you are looking for a feature described here, or better support from your hosting provider, please consider hosting your site with ITS!
