How to Create a CSR for Your Server

Before you request a TC Trust SSL Certificate or a TC Extended Trust SSL Certificate you need to generate a CSR (Certificate Signing Request).
This document covers several web servers; please select the server you need information for.


SSL Server Types:

Microsoft IIS 5.0 to 7.0

If you are using IIS 7.0, please follow the link to the separate instructions on another website.

If you have Microsoft IIS 5.0 or 6.0, follow these steps:

  1. Open the Internet Information Services console from the Administrative Tools menu
  2. Select the computer and web site (host) that you wish to secure. Right-click it and select Properties
  3. Select the Directory Security tab
  4. Select Server Certificate under Secure Communications
  5. Click Next in the Welcome to the Web Server Certificate Wizard window
  6. Select Create a new certificate and click Next
  7. Select Prepare the request now, but send it later
  8. At the Name and Security Settings screen, fill in the [friendly] name field for the new certificate and select the bit length. We recommend a 2048 bit key length; for TC Extended Trust SSL it must be 2048 bit. Click Next
  9. When creating a CSR you must follow these conventions:
    - Enter your Distinguished Name Field information
    - The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? & , .
    (Exception: for TC Trust SSL Wildcard the * is required)

Distinguished Name Field / Explanation / Example

Common Name
  The fully qualified domain name for your web server. This must be an exact match.
  Example: if you intend to secure the URL https://secure.trustcenter.de, then your CSR's common name must be secure.trustcenter.de

Organisation
  The exact legal name of your organisation. Do not abbreviate your organisation name.
  Example: TC TrustCenter GmbH

Organisation Unit
  Section of the organisation
  Example: Marketing

City or Locality
  The city where your organisation is legally located.
  Example: Hamburg

State or Province
  The state or province where your organisation is located. Cannot be abbreviated.
  Example: Hamburg

Country
  The two-letter ISO abbreviation for your country.
  Example: DE = Deutschland


  1. Enter your Administrator contact information
  2. Enter a path and file name for the CSR
  3. Verify your request and then click Next
  4. At the Completing the Web Server screen, select Finish. DO NOT REMOVE the pending request or the .crt file will not match and your certificate will not install
  5. Select Finish
  6. Submit your CSR to TC TrustCenter by clicking on Continue. You will be asked to complete the agreement and the enrollment form as well

 

Apache

OpenSSL must be installed on your Apache web server. OpenSSL is the open source project that replaced SSLeay; if you are still using SSLeay instead of OpenSSL, substitute ssleay for openssl in the commands below. If you have not already set up a secure virtual host or would like to learn more about SSL, refer to the following link for more information: http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#installation

NOTE: The examples below use the following naming conventions: "Your Private Key" = "private.key"; "Your Web Server Certificate" = "server.crt"

  1. Create an RSA private key for your Apache server, triple-DES encrypted and PEM-formatted.
    We recommend a 2048 bit key length. For TC Extended Trust SSL it must be 2048 bit.
    openssl genrsa -des3 -out private.key 2048
    WARNING: Back up this key and its passphrase. If you lose the private key or forget its passphrase, you must purchase another certificate
  2. You can also create a private key without triple-DES encryption:
    openssl genrsa -out private.key 2048
    You can view the contents of the private key with the following command:
    openssl rsa -noout -text -in private.key
    The private key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  3. Now create a Certificate Signing Request using the RSA private key created above (the output will be in PEM format):
    openssl req -new -key private.key -out server.csr
    NOTE: You will be prompted for your PEM passphrase if you created the key with the "-des3" switch.
  4. When creating a CSR you must follow these conventions:
    - Enter the information to be displayed in the certificate.
    - The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? & , .
    (Exception: for TC Trust SSL Wildcard the * is required)

    Distinguished Name Field / Explanation / Example

    Common Name
      The fully qualified domain name for your web server. This must be an exact match.
      Example: if you intend to secure the URL https://www.trustcenter.de, then your CSR's common name must be www.trustcenter.de.

    Organisation
      The exact legal name of your organisation. Do not abbreviate your organisation name.
      Example: TC TrustCenter GmbH

    Organisation Unit
      Section of the organisation
      Example: Marketing

    City or Locality
      The city where your organisation is legally located.
      Example: Hamburg

    State or Province
      The state or province where your organisation is located. Cannot be abbreviated.
      Example: Hamburg

    Country
      The two-letter ISO abbreviation for your country.
      Example: DE = Deutschland

  5. You will be prompted for extra attributes (i.e., a challenge password and optional company name); we recommend you leave these attributes empty (just hit Enter)
  6. You can verify the contents of your CSR by using the following command:
    openssl req -noout -text -in server.csr
  7. Submit your CSR to TC TrustCenter - you will be asked to complete the agreement and the enrollment form as well
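As an added example (not part of these TC TrustCenter instructions), the shell script below performs steps 2, 3 and 6 non-interactively and adds the two checks worth making before submitting: that the CSR verifies, and that it really belongs to private.key, since a certificate issued for a CSR from a different key will never install. The DN values come from the table above; the temporary paths and the use of -subj instead of the prompts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not TC TrustCenter code: create key and CSR without prompts,
# then verify them. File names follow the page's convention (private.key,
# server.csr); the DN values are constructed from the page's example table.
WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/private.key"
CSR="$WORK/server.csr"
# Subject assembled from the Distinguished Name fields described above.
SUBJ="/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter GmbH/OU=Marketing/CN=www.trustcenter.de"

make_key_and_csr() {
  # Unencrypted 2048-bit key (step 2) and CSR (step 3); -subj replaces the prompts.
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
}

# Succeeds if the key file has a PEM header. OpenSSL 3 writes PKCS#8
# ("BEGIN PRIVATE KEY"); older releases write "BEGIN RSA PRIVATE KEY" as the
# instructions describe. openssl req accepts both.
key_is_pem() {
  head -n 1 "$KEY" | grep -q -e '^-----BEGIN PRIVATE KEY-----$' -e '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Succeeds if the CSR parses and its self-signature verifies (step 6, but
# with an exit status instead of a text dump).
csr_is_valid() {
  openssl req -noout -verify -in "$CSR" >/dev/null 2>&1
}

# Succeeds if the public modulus inside the CSR is the one from private.key.
csr_matches_key() {
  k="$(openssl rsa -noout -modulus -in "$KEY")"
  c="$(openssl req -noout -modulus -in "$CSR")"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the Common Name from the CSR subject so it can be compared with the
# FQDN you intend to secure; handles both "CN = x" and "/CN=x" output styles.
csr_common_name() {
  openssl req -noout -subject -in "$CSR" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_key_and_csr
if key_is_pem && csr_is_valid && csr_matches_key; then
  echo "CSR ready for CN=$(csr_common_name)"
fi
```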

 

Tomcat (keytool)

Follow these instructions to generate a CSR for your website. When you have completed this process, click the "close" button below to close this window and continue to the next step.

If you are not using JDK 1.4 or higher, you must download and install the "Java Secure Socket Extensions" (JSSE).

  1. Generate a private key with the following command:
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.key
    You will be prompted for a password. Tomcat uses a default password of "changeit". If you use a different password, you will need to specify it in the server.xml configuration file.
    The next field you will be prompted for is "What is your first and last name?". At this prompt, you must enter the common name (FQDN) of your web site. You will then be prompted for your organisational unit, organisation, etc.
    WARNING: Back up this keystore and its passphrase. If you lose the private key or forget its passphrase, you must purchase another certificate
  2. Generate the Certificate Signing Request (CSR).
    We recommend a 2048 bit key length (the -keysize option above). For TC Extended Trust SSL it must be 2048 bit.
    keytool -certreq -alias server -keystore keystore.key -file server_req.csr
    You will not be prompted for the common name, organisation, etc.; keytool uses the values you entered when generating the private key.
  3. Copy the Certificate Signing Request and send it to TC TrustCenter (go through the steps for purchasing a certificate and paste your certificate request into the text box when prompted).
    NOTE: Be sure to include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines
  4. Make a backup of the keystore.key key database. TC TrustCenter is not responsible if your server crashes and this file is lost.

 

BEA Oracle WebLogic

Please follow these instructions to generate a private key and CSR for your web server using the Java keytool command line utility.

  1. First, create a keystore and generate your key pair with the following command:
    keytool -genkey -keysize 2048 -keyalg RSA -alias server -keystore keystore.key
    WARNING: Back up this keystore and its passphrase. If you lose the private key or forget its passphrase, you must purchase another certificate
  2. You will be prompted for a password. Tomcat uses a default password of "changeit". If you use a different password, you will need to specify it in the server.xml configuration file.
    The next field you will be prompted for is "What is your first and last name?". At this prompt, you must enter the common name (FQDN) of your web site. You will then be prompted for your organisational unit, organisation, etc.
  3. Generate the Certificate Signing Request (CSR).
    We recommend a 2048 bit key length (the -keysize option above). For TC Extended Trust SSL it must be 2048 bit.
    keytool -certreq -alias server -keystore keystore.key -file server_req.csr
    You will not be prompted for the common name, organisation, etc.; keytool uses the values you entered when generating the private key.
  4. Copy the Certificate Signing Request and send it to TC TrustCenter (go through the steps for purchasing a certificate and paste your certificate request into the text box when prompted).
    NOTE: Be sure to include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines
  5. Make a backup of the keystore.key key database. TC TrustCenter is not responsible if your server crashes and this file is lost.

 

Netscape iPlanet 6.x

  1. Open the iPlanet Netscape administration page and log in as the administrator
  2. Click on Security
  3. Select Create Database (if you have not already created the security database). If no database exists, iPlanet Web Server creates the proper key and certificate database files and stores them in the alias/ directory; otherwise, iPlanet Web Server displays an error message.
  4. Type in the Database Password and confirm it. Click OK.
    WARNING: If you lose the password, you must purchase another certificate.
    See the certificate replacement policy at the bottom of these instructions.
  5. Click on Request a Certificate
  6. Select New Certificate. We recommend a 2048 bit key length. For TC Extended Trust SSL it must be 2048 bit.
  7. Select CA Email address (in the Certificate Authority field, enter your own email address; the server mails the request to the address specified in this field)
  8. Enter your key-pair file password
  9. When creating a CSR you must follow these conventions. Type in the Distinguished Name Field information.
    The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? & , .
    (Exception: for TC Trust SSL Wildcard the * is required)
    Click OK when finished
  10. Enter the Certificate Request Information:

    What you see            What you should type
    Operation               Submit CSR
    Certificate Type        Server
    Requester Name          Name
    Requester Email         Email
    Requester Phone         Phone Number
    Requester Comments      (Leave blank)


  11. The system will generate a CSR in PKCS #10 format which will start with -----Begin Certificate Request----- and it will end with -----End Certificate Request-----.
  12. Save this CSR into a text file. You can use Notepad to cut and paste the CSR and then save it.

Backing up your key-pair file
A key-pair file contains both the public and private keys used for SSL encryption. You will use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the following directory: server_root/alias/<serverid-hostname>-key3.db.

When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

 

IBM HTTP Server or WebSphere running iKeyman

Follow these instructions to generate a CSR for your Web site. When you have completed this process, click the "close" button below to close this window and continue to the next step.

  1. Start the key management utility:
    - On Windows: click the Start button - IBM HTTP Server - Start Key Management Utility.
    - On Unix: type /usr/bin/ikeyman& at the command line
  2. Select Key Database File from the main menu, select New, then CMS key database file
  3. You will be prompted for a password.
    WARNING: If you forget the password, you must purchase another certificate
  4. Enter the location and name for the key database file
  5. Select Create New Key and Certificate Request from the pull-down list in the middle of the application window
  6. Select New. We recommend a 2048 bit key length. For TC Extended Trust SSL it must be 2048 bit.
  7. Select the stash option to save the password in a .sth file
  8. When creating a CSR you must follow these conventions:
    - Complete the Distinguished Name Field information listed in the table below.
    - The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? & , .
    (Exception: for TC Trust SSL Wildcard the * is required)
  9. Specify the name and location for the request file (CSR)
  10. Submit your CSR to TC TrustCenter by clicking on Continue; you will be asked to complete the agreement and the enrollment form as well

    Distinguished Name Field / Explanation / Example

    Country Name
      The two-letter ISO abbreviation for your country.
      Example: DE = Deutschland

    State or Province Name
      The state or province where your organisation is located. Cannot be abbreviated.
      Example: Hamburg

    City or Locality
      The city where your organisation is located.
      Example: Hamburg

    Organisation Name
      The exact legal name of your organisation. Do not abbreviate.
      Example: TC TrustCenter GmbH

    Organisational Unit
      Optional, for additional organisational information.
      Example: Marketing

    Common Name (Server Host Name)
      The fully qualified domain name for your web server. You will get a certificate name check warning if this is not an exact match.
      Example: if you intend to secure the URL https://secure.trustcenter.de, then your CSR's server host name must be secure.trustcenter.de

    Server Admin's email address
      Your email address
      Example: abc@trustcenter.de

