Versions Compared

Version Old Version 16 New Version 17
Changes made by

Marvin Nachatelo

Marvin Nachatelo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. If you have write access to the directory, change into the directory where you will generate your key pairs, ie /usr/local/apache/conf/ssl.csr, otherwise change to any directory where you have write access and you'll have to move the public.csr file later.

    No Format
    >>ssh splunk.uit.tufts.edu
>>cd /home/InCommonCerts
>>sudo mkdir "certificate-name-MONTH-DAY-YEAR"
 
I.e. mkdir wildcard.hirshlibrary.tufts.edu-July-15-2015

  2. Run the following command:

    No Format
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes  -sha256 -keyout private.key -out public.csr

  3. From here OpenSSL will ask you a series of questions that you will need to answer. Make sure that this information is correct for the Organization that will be reflected by the certificate. Make sure that you type in the full state, not the abbreviation. Also make sure that your Organization Name is set to Tufts University. Example:

    No Format
    Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Medford
Organization Name (eg, company) [Internet Widgets Pty Ltd]:Tufts University
Organizational Unit Name (eg, section) []:Tufts Technology Services
Common Name (eg, YOUR name) []:infoboard.tufts.edu
Email Address []:ess@tufts.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

    Additional Note:  If you are generating a wildcard certificate, use   "  *  "  in the common name.  I.e. *.infoboard.tufts.edu

    The most common error people make is with the "common name". The common name is the name of the machine or service that needs the certificate. In the example above, people will go to the website http://infoboard.tufts.edu, so the certificate needs to be named infoboard.tufts.edu, even though the actual server name is jasper.usg.tufts.edu.
    You will notice that in the example, a Private key named private.key and a public key (CSR) named public.csr was created. Your Private Key is not Encrypted!!

  4. Make the file only readable by the administrative account (for Unix machines):

    No Format
    chmod 400 private.key

  5. (optional) To encrypt your private key, run the following command. If you're not sure whether to encrypt your private key, email cert-admin@tufts.edu:

    No Format
    /usr/bin/openssl rsa -in private.key -des3 -out secureprivate.key
  6. You also will want to make the file only readable by the administrative account (for Unix machines): chmod 400 secureprivate.key.
    You can now remove the un-encrypted private key file from your server.

  7. You can dump the information in the CSR back into text form by running the following command:

    No Format
    /usr/bin/openssl req -text -noout -in public.csr
  8. You have now created the Key pair that you will use for your server. You can now submit the CSR that you created.

...