Author name: ssl

How to Generate a CSR for F5 BIG IP (version 8 and under) The following instructions will guide you through the CSR generation process on F5 BIG-IP Loadbalancer (version 8 and under). To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below. Log In Login to the BIG-IP device as the root user and run the following command: # /usr/local/bin/genconf Enter your company details Including the full legal entity name and physical address of operation. Do not abbreviate. Create the CSR Enter the following command: # /usr/local/bin/genkey www.yoursite.com Note: You will replace www.yoursite.com with the FQDN (fully-qualified domain name) you want to secure with the certificate such as www.google.com, secure.website.org, *.domain.net, etc. Copy the CSR text from the file Under /config/bigconfig/ssl.csr/ locate and open the newly created CSR file named after the FQDN you specified (i.e. www.yoursite.com.csr) in a text editor such as Notepad and copy all of the text including: —–BEGIN CERTIFICATE REQUEST—– And —–END CERTIFICATE REQUEST—– Note: You may have to transfer the CSR to the workstation you will use to order the certificate. Generate the order Return to the Generation Form on our website and paste the entire CSR into the blank text box and continue with completing the generation process. Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for F5 BIG IP Loadbalancer (version 8 and under).

How to Generate a CSR for F5 BIG IP (version 9) The following instructions will guide you through the CSR generation process on F5 BIG-IP Loadbalancer (version 9). To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below. Open the F5 BIGIP Web GUI. Under Local Traffic select SSL Certificates and then Create.   Enter General Properties Under General Properties enter a certificate friendly name which will help distinguish the CSR going forward. Enter Certificate Properties Under Certificate Properties enter the following CSR details: Issuer: Select the issuing “Certificate Authority”. Common name: The FQDN (fully-qualified domain name) you want to secure with the certificate such as www.google.com, secure.website.org, *.domain.net, etc. Division: Your department such as ‘Information Technology’ or ‘Website Security.’ Organization: The full legal name of your organization including the corporate identifier. Locality, State or Province, Country: City, state, and country where your organization is legally incorporated. Do not abbreviate. Email Address: Your email address. Change Password, Confirm Password: Your password. For Key Properties, select RSA& 2048. Click the Finished button. Copy the CSR text from the file Locate and open the newly created CSR in a text editor such as Notepad and copy all the text including: —–BEGIN CERTIFICATE REQUEST—– And —–END CERTIFICATE REQUEST—– Generate the order Return to the Generation Form on our website and paste the entire CSR into the blank text box and continue with completing the generation process. Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for F5 BIG IP Loadbalancer (version 9).

How to Generate a CSR for cPanel 11.x The following instructions will guide you through the CSR generation process on cPanel (Paper-Lantern Theme Modern). To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below. Log In Log in to cPanel, this can typically be accessed by going to https://domain.com:2083. Note: You may encounter error message “Your connection is not private” or something similar when attempting to visit your cPanel login page. This is caused du Enter your Username/Password and click Log in. Navigate to cPanel Home View your cPanel Home page. Note: Older versions such as X3 Theme-Classic may not look like the image above, but should still contain the same concept and category structure. Navigate to the SSL/TLS Manager Navigate to the SSL/TLS Manager page by scrolling down to the Security section and select the SSL/TLS button. Note: You can also navigate to the SSL/TLS Manager page by utilizing the Search Feature at the top right of the cPanel home page and searching “SSL”. Your SSL/TLS Manager page will allow you to manage everything related to SSL/TLS configuration for cPanel. Select Generate view, upload, or delete SSL certificate signing requests. Fill out the Request Form and click Create. Note 1: By default, cPanel will automatically generate the corresponding private key if “Generate a new 2,048 bit key” is selected as the Key option. If you already have a private key created that you wish to use, select the Key dropdown and select the appropriate option. Note 2: cPanel does not require a passphrase for your CSR, but does recommend inputting a description such as “CSR for www.google.com 9/13/2016” that helps distinguish this CSR going forward. Note 3: To avoid common mistakes when filling out your CSR details, reference our Overview of Certificate Signing Request article. Generate the order Congratulations, you have created a CSR and automatically saved it in your user directory. Click into the Encoded Certificate Signing Request text box that’s presented after generation, and copy all of the text including: —–BEGIN CERTIFICATE REQUEST—– And —–END CERTIFICATE REQUEST—– Return to the Generation Form back on our website and paste the entire CSR into the blank text box and continue with completing the generation process. Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for cPanel (Paper-Lantern Theme Modern).

How to Generate a CSR for Citrix Secure Gateway The following instructions will guide you through the CSR generation process on Citrix Secure Gateway. To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below. Determine what version of Microsoft IIS you are running This is where the CSR generation process will take place. Please reference the table below if you do not know what version of IIS you are running. Your Operating System IIS Version Windows Server 2003 6 Windows Vista and Windows Server 2008 7 Windows 7 and Windows Server 2008 R2 7.5 Windows 8 and Windows Server 2012 8 Source: https://support.microsoft.com/en-us/kb/224609 Select IIS CSR Generation Instructions Upon determining what version of IIS you are running, select the appropriate set of CSR Generation instructions below: Microsoft IIS 6.x Microsoft IIS 7.x Microsoft IIS 8.x Upon generating the CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for Citrix Secure Gateway.

How to Generate a CSR for Apache Web Server Using OpenSSL The following instructions will guide you through the CSR generation process on Apache OpenSSL. To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below. Log In Log in to your server’s terminal via Secure Shell (SSH). Run CSR Generation Command Generate a private key and CSR by running the following command:Here is the plain text version to copy and paste into your terminal: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr Note: Replace “server” with the domain name you intend to secure. Enter your Information Enter the following CSR details when prompted: Common Name:The FQDN (fully-qualified domain name) you want to secure with the certificate such as www.google.com, secure.website.org, *.domain.net, etc. Organization:The full legal name of your organization including the corporate identifier. Organization Unit (OU): Your department such as ‘Information Technology’ or ‘Website Security.’ City or Locality: The locality or city where your organization is legally incorporated. Do not abbreviate. State or Province: The state or province where your organization is legally incorporated. Do not abbreviate. Country:The official two-letter country code (i.e. US, CH) where your organization is legally incorporated. Note: You are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair. Copy the CSR text from the file Locate and open the newly created CSR in a text editor such as Notepad and copy all the text including: —–BEGIN CERTIFICATE REQUEST—– And —–END CERTIFICATE REQUEST—– Note 1: Your CSR should be saved in the same user directory that you SSH into unless otherwise specified by you. Note 2: We recommend saving or backing up your newly generate “.key” file as this will be required later during the installation process. Generate the order Return to the Generation Form on our website and paste the entire CSR into the blank text box and continue with completing the generation process. Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for Apache OpenSSL.

How to Generate a CSR for Amazon EC2 (AWS) To learn more about CSRs and the importance of your private key, reference our Certificate Signing Request (CSR) Overview article. If you already generated the CSR and received your trusted SSL certificate and need help with installation, reference our Amazon EC2 server SSL Installation Instructions. To create a CSR on your Amazon EC2 server, you will use OpenSSL commands within your EC2 instance. Connect to your EC2 Instance For instructions on how to connect to your instance, check Amazon’s guide here. Once connected, navigate to your server’s private key store via /etc/pki/tls/private/. Generate New Private Key To create a new 2048-bit RSA private key, run the following command: [ec2-user ~]$ sudo openssl genrsa -out custom.key Create the CSR from the key After generating the private key, run the following command to create the CSR: [ec2-user ~]$ sudo openssl req -new -key custom.key -out csr.pem OpenSSL will then open a new window for filling out the certificate request. The following fields are required: Country: 2-letter ISO abbreviation for your country. State/Province: The name of the state, province, or region within your country where your organization is located. Do not abbreviate this name. Locality: The city or locality where you are located. Organization Name: The full legal name of your organization. (For non-organization certificates, you can fill this field with any relevant info, such as your domain name, or N/A) Common Name: The domain name or public IP address to be secured by the SSL certificate, i.e. domain.com. For a single-domain wildcard SSL certificate, the domain should be formatted like *.domain.com. The organization unit and email address fields are typically not required in your CSR. CSR Challenge Phrase OpenSSL may prompt you to set a challenge phrase or password on the CSR. We do not recommend setting a challenge phrase. Check the CSR Output The CSR will finally be generated as a .pem type file, which can be opened in a text editor like Notepad. You can open this file and copy and paste the full code, including the —–BEGIN CERTIFICATE REQUEST—– header and —–END CERTIFICATE REQUEST—– footer, into your SSL order generation form. Validation and Installation After you have received your CSR, and have enrolled your order, your certificate will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles. After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed to the next step using our SSL Installation Instructions for Amazon EC2 (AWS).

Certificate Signing Request (CSR) Overview Before you can generate your SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for a domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which is paired with a secret private key on the server, and provides relevant information about the requester as indicated below: Common Name (CN): This is the Fully Qualified Domain Name (FQDN) of your server (i.e. www.google.com). This must match exactly what you type in your web browser or you may receive a security error. Organization Name (O): The legal name of your company/organization (i.e. Google, Inc.). Do not abbreviate your company name and it should include the corporate identifier such as Inc., Corp, or LLC (if applicable). For DV orders, you can use your personal name (i.e. John Doe). Organization Unit (OU): The unit or division of the company/organization managing the certificate (i.e. IT Department). Locality (L): The city that you are located in (i.e. Mountain View) State or Province Name (ST): The state or province in which you are located in (i.e. California) Country (C): The country in which you are located in (i.e. United States or US) Email Address: An email address associated with the company (i.e. webmaster@google.com) Root Length: The bit-length of the key pair determines the strength of the key and how easily it can be cracked using brute force methods. 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future. Signature Algorithm: Hashing algorithm are used by issuing Certificate Authorities to actually sign certificates and CRLs (Certificate Revocation List) to generate unique hash values from files. It is highly recommended that your certificate be signed with SHA-2 as this is the strongest signature algorithm adopted by the industry. As mentioned above, in addition to creating a CSR, the web server will also export another file called a private key. The private key is a unique cryptographic key related to the corresponding CSR and should never be shared with anyone outside your secured server environment. The private key is mathematically used to decrypt whatever sensitive data that’s transmitted and encrypted with its corresponding public key and vice versa. If the private key is lost or compromised, malicious users could potentially read your encrypted communications and put your organization’s reputation at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI). If the private key is lost or compromised, we highly recommend creating a new key pair and replacing or reissuing your SSL Certificate. Example CSR Most CSRs are created in the Base-64 encoded PEM format and include the “—–BEGIN CERTIFICATE REQUEST—–“and “—–END CERTIFICATE REQUEST—–“ lines as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example: —–BEGIN CERTIFICATE REQUEST—– MIIDGDCCAgACAQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQKEw1Hb29nbGUsIEluYy4g MRcwFQYDVQQLEw5JVCBEZXB0YXJ0bWVudDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5j b20xIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBnb29nbGUuY29tMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3NT5DBBDql5gTB4/6Zsq/C1iwO4yBD2 nThaNfO1qHKUjnFz0oua+54x97TjmHItRH5H+jPJvmzzb4TUJ274CRFhquOOMZVM dVIG9FUjogJstMqv4GtBC4C/ype0ilAcPEBjRi9bFiR/g43qPCnlRAJNo4cJko7n W7erAJsRPNiQMr5UJN9h3GuQMPw6uaI/0OWuWjSTLzEBMujHhPySgZIv1SurVXDz iFC6S6qvc9XQ1z6tkmrttdoOfDI+eT75QxysHmctgAvkZaFEoRASqcqf3iYyl9Qw mh0xuLSoR9HTvaD9DhxAIa4/1+l6D9MGb/01+lip7AjqdnTTzSBfcQIDAQABoCkw JwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG 9w0BAQsFAAOCAQEAZyMkFtElkS3vQoCPVHevrFcPgrx/Fqx0UdQdnf2RyoJ3jqiU yPo5+5BHA9kY0TuJLhgMIq0QWAbzZYNL0+J8UUcx8EvMK6DqPpKteyYFCMw6GEzu diq4RE/8Ea9UpGbw8GH1oEsUksBTwrs06OSOVgDXkJ1XY4VaRkMPflgQWGULgKYO 2P/zcFowENruGLJO7ynyUkm5idKdYzDqk7c7bqyLywOEPxSRKVyblmzqiFCOlCqp HozZ9+5TmrMPD/hO1uHVECcL08RMGXoGMajojI8CE+cmkaWLq3PZt08Sv0F/Itop O8XAZ2bYTK4HQfPm+Fud22SD+DkSwt8vN8Lu2g== —–END CERTIFICATE REQUEST—– If you create a CSR and wish to verify the accuracy of the details contained within (i.e. Common Name, Organization Name, etc.), you can easily decode the encrypted text using our CSR Decoder. This tool is commonly used to troubleshoot error messages received during the generation process. For example, if you purchase a Wildcard SSL Certificate and paste in a CSR with Common Name: www.google.com, you will receive an error message during the generation process since the Common Name does not have an asterisk “*” at the left furthest sub-domain level (i.e. *.google.com) within the Common Name field. This tool will allow you to verify the entry mistake and proceed with creating a new key pair. When making your CSR and private key, please reference our easy-to-read CSR Generation Instructions