Obtaining an SSL certificate is an important step in securing your website. SSL (Secure Sockets Layer) encrypts communication between a browser and web server, protecting sensitive information like login credentials and financial data.
To get an SSL certificate, you first need to generate a Certificate Signing Request (CSR). The CSR contains information about your organization and public key that is submitted to the Certificate Authority (CA) for signing. Once signed, the CA sends you the SSL certificate containing your public key and digital signature proving the certificate’s authenticity.
In this guide, we will show you how to easily generate a CSR on Linux to request an SSL certificate.
Prerequisites
Before generating the CSR, make sure you have the following:
- Access to your Linux server with root or sudo privileges. This allows you to install any required packages.
- Ownership of an active domain name. This will be specified in the CSR and SSL certificate.
- Decide which certificate type you need. Common options include single domain, wildcard, or multiple domain certificates.
The steps below use the OpenSSL toolkit which comes pre-installed on most Linux distributions.
Step 1 – Create the OpenSSL Configuration File
To generate the CSR, we first need to create an OpenSSL configuration file. This contains information like your organization details, SSL certificate domains, and encryption algorithms.
Create a new file named mydomain.cnf and insert the following contents. Update the placeholder values:
[req]
default_bits = 2048
default_keyfile = domain.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York City
organizationName = Organization Name (eg, company)
organizationName_default = My Company Inc.
commonName = Fully Qualified Domain Name
commonName_default = mydomain.com
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
Key Points:
- default_keyfile – Sets the name for your generated private key file
- countryName – Your 2 letter country code
- stateOrProvinceName – The state/region your organization is located
- localityName – The city where your organization is located
- organizationName – Your registered company name
- commonName – Your primary domain name protected by SSL
- subjectAltName – Any additional domain names to protect
Adjust the above values as per your requirements. Save the file.
Step 2 – Generate the Private Key
The private key is an important cryptographic component in public key encryption. The key pair consists of your private key that is kept secret, and the public key contained in the CSR and certificate.
Use the following OpenSSL command to generate a new 2048 bit private key saved as domain.key:
openssl genrsa -out domain.key 2048
Add security by protecting the key file permissions:
chmod 400 domain.key
Step 3 – Generate the CSR (Certificate Signing Request)
With the configuration file and private key ready, we can now generate the CSR.
Run the following openssl command, replacing mydomain.cnf with your config file name:
openssl req -new -sha256 -out mydomain.csr -config mydomain.cnf
You will be prompted to enter a passphrase to protect the CSR private key.
The CSR content is then outputted to mydomain.csr
Step 4 – Verify the CSR Details
Before submitting your CSR, let’s confirm it contains the correct information.
View the CSR:
openssl req -text -noout -in mydomain.csr
Check that the organization, domain names, public key, and signature match what you expect.
The CSR is ready to be sent to your SSL certificate provider!
Step 5 – Submit the CSR to your Certificate Authority
The CSR can now be submitted to a trusted Certificate Authority (CA) like Comodo, DigiCert, or GlobalSign who will verify and sign your certificate request.
The process varies between CAs but usually involves:
- Pasting the contents of your CSR into their CSR generator form
- Providing your verified organization identity details
- Accepting their subscriber agreement
- Paying the certificate fees
Once issued, you will be able to download the signed SSL certificate containing your public key and domains.
Alternatively, if you manage your own private CA, you can sign the CSR yourself. But for public trust, a certificate from an established public CA is recommended.
Step 6 – Install the Signed SSL Certificate
After receiving the signed certificate from the CA, it needs to be installed on your Linux server.
Move the certificate file and your private key to the appropriate SSL folder:
cp domain.crt /etc/ssl/certs/domain.crt
cp domain.key /etc/ssl/private/domain.key
For Apache on RHEL/CentOS systems the path is:
/etc/pki/tls/certs
/etc/pki/tls/private
The last step is to update your web server configuration to enable HTTPS and use the new certificate and private key.
Refer to your Linux distribution’s documentation for details on configuring Apache or Nginx with the SSL certificate. Common tasks include:
- Enabling the SSL/TLS module
- Specifying the certificate and key file paths
- Adding the SSL listening port (443)
- Redirecting HTTP to HTTPS
After reloading your web server configuration, your website will now serve the new SSL certificate and be accessible over secure HTTPS connections.
Conclusion
Obtaining and installing an SSL certificate is important for securing sensitive web traffic to your Linux server. By generating a certificate signing request and having it signed by a trusted certificate authority, you can enable HTTPS and TLS encryption.
The process involves first creating a private key, generating the CSR with details of your server and organization, having it signed, and then installing the public certificate. OpenSSL streamlines CSR generation on Linux servers.
Active SSL security helps safeguard your website visitors, ensures compliance with regulations, and provides trust and confidence for return visits to your site. With this guide, you are ready to add HTTPS protection to your Linux web server using a signed SSL certificate deployed through a CSR.
