A CSR (Certificate Signing Request) is required to apply for a X.509 certificate from an external service provider. If you would like to order your X.509 certificate directly from us, these instructions are not required.
The CSR (and private key) can be generated directly on your web server, ensuring that the private key never leaves the server’s secure environment.
OpenSSL is standard on all Nine servers. An installation is therefore not necessary.
- Log on to your server using SSH.
We recommend to change the working directory with
cd /home/www-data/.ssl/ after login. This is to avoid that the newly created key is accidentally open in a public web directory all over the world.
If the directory does not yet exist, it must first be created using
Please adjust the string “www-data” if your user login is different.
- Call the openssl program to create the prompt:
To request a wildcard certificate, fill in a * (asterisk) for the subdomain, e.g. *.example.com (instead of www.example.com).
openssl req -sha256 -newkey rsa:2048 -nodes -keyout SSL_www.example.com.key -out SSL_www.example.com.csr
This generates a private key and a corresponding certificate request. The following output now appears on your screen:
Generating a RSA private key .............................................................+++++ .................................................+++++ writing new private key to 'SSL_www.example.org.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. -----
You will then be asked questions about the registration information.
Please do not use any umlauts or accents and avoid abbreviations unless otherwise specified.
- Enter here the 2-digit country code according to ISO 3166 (CH = Switzerland).
Country Name (2 letter code) [AU]:CH
- Enter your canton/state here.
State or Province Name (full name) [Some-State]:Zuerich
- Enter your city here.
Locality Name (eg, city) :Zuerich
- Please enter your full organisation name in long form here.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Schweizer AG
- Enter your department (if available) here. Otherwise leave the field empty and confirm with Enter.
Organizational Unit Name (eg, section) :
- Enter the exact and complete domain name to be protected by the certificate (complete hostname with WWW or *.example.com for wildcards).
Common Name (e.g. server FQDN or YOUR name) :
Important: The certificate is only valid for this entry.
- Enter the e-mail address of the person responsible here.
Email Address :firstname.lastname@example.org
- This information is optional and should be left blank, otherwise your web server may not start automatically.
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
Now the files SSL_www.example.org.csr and SSL_www.example.org.key have been created, which contain the private key and the certificate request.
You can now send the CSR to your service provider, you should leave the key untouched on the web server.