CSR Support

 

Apache-MOD SSL

Creating a Certificate Signing Request

  1. Install OpenSSL, if not found on server, and place in PATH.
  1. Create a RSA key for your Apache server by:

cd to /apacheserverroot/conf/ssl.key directory.(ssl.key is the  default key  directory.) If your have different setting, cd to your server’s private key directory

  1. Type the following commands to generate a key pair:

$openssl genrsa -des3 -out server.key 1024

  1. Create a backup file!

*Make a copy of the private key file (server.key) generated in step 3 and store it in a safe place!* The private key file should begin with -----BEGIN RSA PRIVATE KEY----- and end in -----END RSA PRIVATE KEY-----. To view the contents of the private key, use the following command:

$ openssl rsa -noout -text -in server.key

*Note: If you don´t want to use a PEM passphrase, leave out the "-des3" switch in step 3 and go directly to step 6.

  1. Enter and verify PEM passphrase. The passphrase will be used to install the server certificate and must be readily available.

Warning: If you lose the passphrase, you must purchase another certificate.

  1. Type the following commands to create a CSR with the server RSA private key (output will be PEM formatted):

$openssl req -new -key server.key -out server.csr

* Note: You will be prompted for your PEM passphrase if you included the     "-des3" switch in step 3.

  1. When creating a CSR you must follow these conventions.

Enter the information to be displayed in the certificate.

The following characters can not be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

 

 

Distinguished Name Field

Explanation

Example

Country Name

The two-letter ISO abbreviation for your country

US = United States

State or Province Name

The state or province where your organization is located. Can not be abbreviated.

Georgia

City or Locality

The city where your organization is located.

Atlanta

Organization Name

The exact legal name of your organization. Do not abbreviate

IPS S.L.

Organizational Unit

Optional for additional organization information

Marketing

Common Name (Server Host Name)

The fully qualified domain name for your web server. You will get a certificate name check warning if this is not an exact match.

If you intend to secure the URL https://secure.yourURL.com, then your CSR's Server Hostname must be secure.yourURL.com

Server Admin.'s email address

Your email address

abc@yourURL.com

 
 
  1. Do not enter extra attributes at the prompt.

Warning: Leave the challenge password blank (press <enter>)

* Note: If you would like to verify the contents of the CSR, use the following command:

$ openssl req -noout -text -in server.csr

  1. Submit your CSR to IPSCA.  


CSR installation

 


Installing a Server Certificate using MOD_SSL/OpenSSL

  1. IPSCA will send your Certificate via e-mail. You will also require an intermediate certificate available here IPS-IPSCABUNDLE.crt. Each certificate will look something like the following: 

          -----BEGIN CERTIFICATE-----
      JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrM
      mIoAnBdNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQ 
      QLExNQZXJzb25hIENlcnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hc
      mtldCBUZXN0IFNlcnZlciAxMTAwHhcNOTUwNzE5MjAyNzMwWhcNOTYw
      NTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIER
      hdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNvbmEgQ2VydG
      lmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVyI
      DExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BA
      q1poGdSmGkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYim
      vhbBPNqYe4yLPAgMBAAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAj
      KKAefuNP+z+8NY8khckgyHN2LLpfhv+iP8m+bF66HNDUlFz8ZrVOu3W 
      QapgLPV90kIskNKXX3a 
      -----END CERTIFICATE-----
  2. Copy the server certificate, including the begin certificate and end certificate lines into a text editor such as Notepad (do not use Word or another word processing program.) Make sure that the certificate appears as formatted above. In other words, make sure that the begin certificate and end certificate lines are by themselves.

  3. Save the server certificate as a text file with a .crt file extension to your OpenSSL certs directory, usually /usr/local/ssl/certs but this may vary depending on your particular configuration.

Step two: Install the Intermediate Certificates

You will need to install the chain certificate (intermediate) in order for browsers to trust your certificate. As well as your SSL certificate ( yourdomainname.crt) two other certificates, named IPSSERVIDORES.crt and ipsCACLASEA1.crt , they are also attached to the email from ipsCA. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method IPS-IPSCABUNDLE.crt.

In the Virtual Host settings for your site, in the httpd.conf file, you will need to add the following SSL directives.This may be achieved by:

1. Copy IPS-IPSCABUNDLE.crt to the same directory as httpd.conf (this contains all of the ca certificates in the ipsCA chain).

2. Add the following line to httpd.conf (assuming /etc/httpd/conf is the directory mentioned in 1.), if the line already exists amend it to read the following:

SSLCertificateChainFile /usr/local/ssl/private/IPS-IPSCABUNDLE.crt

If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):

SSLCertificateKeyFile /usr/local/ssl/certs/www.yourserver.com.key SSLCertificateFile /usr/local/ssl/private/www.yourserver.com.crt SSLCertificateChainFile /usr/local/ssl/private/IPS-IPSCABUNDLE.crt

Note: If your Apache web server version is 1.X you will have to apply this configuration

SSLCertificateKeyFile /usr/local/ssl/certs/www.yourserver.com.key SSLCertificateFile /usr/local/ssl/certs/www.yourserver.com.crt SSLCACertificateFile /etc/httpd/conf/IPS-IPSCABUNDLE.crt

Save your httpd.conf file and restart. You can most likely do so by using the apachectl script:

Stop your Apache web server and the restart it in SSL mode using the command 'apachectl startssl'. If you are prompted for a pass phrase enter the pass phrase you set when generating your private key

  return to the top

© 1996 - 2007 ipsCA, IPS Certification Authority, S.L. all Rights reserved.
Our CPS summarized or complete, CRLs, Root Certificates and legal documents
  can be found in our repository
Read our  Privacy Policy and Terms of Use