| Appendix |
346
You can also visit
for a repository of all OpenSSL distribution tarballs. Aspera
recommends that you review your specific operating system's documentation for information on installing or
upgrading OpenSSL packages.
2.
Generate your Private Key and Certificate Signing Request using OpenSSL by running the following command:
$ openssl req -new -nodes -newkey rsa:2048 -keyout
my_key_name.key
-
out
my_csr_name.csr
Where
my_key_name.key
is the name of the unique key you are creating and
my_csr_name.csr
is the name of your
CSR.
3.
Enter your X.509 certificate attributes.
The command in the previous step runs and prompts you to input the certificate's X.509 attributes.
Important:
The
common name
is the fully qualified domain name of the server to be protected by SSL.
If you are generating a certificate for an organization outside of the U.S., see
english_country_names_and_code_elements
for a list of 2-letter, ISO country codes.
Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-
State]:
Your_State_Province_or_County
Locality Name (eg, city) []:
Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Your_Company
Organizational Unit Name (eg, section) []:
Your_Department
Common Name (i.e., your server's hostname) []:
secure.yourwebsite.com
Email Address []:
You are also prompted to enter "extra" attributes, including an optional
challenge password
. Note that manually
entering a challenge password when starting the server can be problematic in some situations (for example, when
starting the server from the system boot scripts). You can skip entering a challenge password by pressing ENTER.
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After finalizing the attributes, the private key and CSR are saved to your root directory.
Important:
If you make a mistake when running the OpenSSL command, you can discard the generated files and
run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard
your private key, as it cannot be regenerated.
4.
Send the CSR to your signing authority.
Send your unsigned CSR to a Certificate Authority (CA). Once the CSR is signed, you have a real certificate that
can be used by Apache.