Comment: correct path names for openssl program on rhel


  1. If you have write access to the directory, change into the directory where you will generate your key pair, i.e., /usr/local/apache/conf/ssl.csr; otherwise change to any directory where you have write access, and you will have to move the public.csr file later.
  2. Run the following command:
     /usr/bin/openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out public.csr
  3. From here, OpenSSL will ask you a series of questions that you will need to answer. Make sure that this information is correct for the Organization that will be reflected by the certificate. Make sure that you type in the full state name, not the abbreviation. Also make sure that your Organization Name is set to Tufts University. Example:
     Country Name (2 letter code) [AU]:US
     State or Province Name (full name) [Some-State]:Massachusetts
     Locality Name (eg, city) []:Medford
     Organization Name (eg, company) [Internet Widgets Pty Ltd]:Tufts University
     Organizational Unit Name (eg, section) []:Enterprise Systems Administration and Infrastructure
     Common Name (eg, YOUR name) []
     Email Address []
     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:
     An optional company name []:
    The most common error people make is with the "common name". The common name is the name of the machine or service that needs the certificate. In the example above, people will go to the website, so the certificate needs to be named, even though the actual server name is
    You will notice that in the example, a private key named private.key and a certificate signing request (CSR, which carries your public key) named public.csr were created. Your Private Key is not Encrypted!!
  4. Make the file readable only by the administrative account (for Unix machines):
     chmod 400 private.key
  5. (optional) To encrypt your private key, run the following command. If you're not sure whether to encrypt your private key, email
     /usr/local/bin/openssl rsa -in private.key -des3 -out secureprivate.key
  6. You will also want to make the file readable only by the administrative account (for Unix machines): chmod 400 secureprivate.key.
     You can now remove the unencrypted private key file from your server.
  7. You can dump the information in the CSR back into text form by running the following command:
     /usr/local/bin/openssl req -text -noout -in public.csr
  8. You have now created the Key pair that you will use for your server. You can now submit the CSR that you created.


  1. If the certificate doesn't seem to be in PEM format, run
     /usr/local/openssl/bin/openssl x509 -in certificate.crt -noout -text
  2. If that generates an error (using certificate.crt as the certificate file), then run:
     /usr/local/openssl/bin/openssl pkcs7 -inform PEM -in certificate.crt -print_certs -out new-certificate.crt
  3. Then you can run the first command on new-certificate.crt, and confirm it worked.
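Both procedures above, as one added shell example that is not part of the original wiki page: it runs the key and CSR generation non-interactively, applies the permission and encryption steps, and adds the checks an administrator wants before submitting (the Common Name the CSR actually carries, that the key and CSR belong together, and whether a returned certificate is PEM or a PKCS#7 bundle). It assumes openssl is on PATH; the subject values, hostname and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the CSR procedure with checks.
# Assumption: openssl is on PATH; names and subject values below are constructed.
set -eu
OPENSSL="${OPENSSL:-openssl}"

# Step 2 with the prompts answered via -subj: unencrypted key + CSR in $1 for service name $2.
make_csr() {
    umask 077                                   # key is created 0600, never world-readable
    "$OPENSSL" req -new -newkey rsa:2048 -nodes -keyout "$1/private.key" -out "$1/public.csr" \
        -subj "/C=US/ST=Massachusetts/L=Medford/O=Tufts University/OU=Enterprise Systems/CN=$2" 2>/dev/null
    chmod 400 "$1/private.key"                  # step 4
}

# Step 5 with the passphrase ($2, a placeholder) supplied instead of prompted for.
encrypt_key() {
    "$OPENSSL" rsa -in "$1/private.key" -des3 -passout "pass:$2" -out "$1/secureprivate.key" 2>/dev/null
    chmod 400 "$1/secureprivate.key"            # step 6
}

# The Common Name the CSR actually carries (step 7, reduced to the field people get wrong).
csr_common_name() {
    "$OPENSSL" req -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 when key $1 and CSR $2 share a modulus, i.e. the pair really belongs together.
key_matches_csr() {
    [ "$("$OPENSSL" rsa -noout -modulus -in "$1" 2>/dev/null)" = "$("$OPENSSL" req -noout -modulus -in "$2")" ]
}

# Second procedure, step 1: returns 0 if $1 parses as a PEM certificate, non-zero otherwise.
is_pem_cert() {
    "$OPENSSL" x509 -in "$1" -noout -text >/dev/null 2>&1
}

# Second procedure, step 2: unwrap a PEM PKCS#7 bundle $1 into plain certificates in $2.
pkcs7_to_pem() {
    "$OPENSSL" pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# Octal mode of a file (GNU stat first, then BSD stat), to confirm the chmod steps took.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```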
