Generating Your CSR

In order to activate your SSL Certificate, you need to generate a CSR (Certificate Signing Request).

This is an encrypted text block that uniquely specifies who you are, and especially the domain name (and subdomain or wildcard) that you want to use for the certificate. You need to use specific software to generate a CSR, and you will need to copy and paste the resulting block into the web form to activate your request.

Here are two popular programs for generating a CSR. You will need to specify the software used when you generate it during the certificate creation process on our website, so it's a good idea to do this all in one session so you can keep track.

Generating your CSR with Apache/ModSSL (based on OpenSSL)

The RSA key must have a minimum of 2048 bits and be a multiple of 1024.

If you use the certificate with our Simple Hosting offer, your key can only be 2048 bits.

We recommend that you add the intermediate certificate, as well as the cross-signed certificate to your server, in order to reduce the risk of web browser incompatibility.

Generating your CSR

Due to the deprecation of the SHA1 certificates, our partner, Comodo, who is a certification authority, will automatically deliver a SHA2 certificate for all certificates for which the expiration date is after 2017, whether the CSR is signed as SHA1 or not.

Certificate request

To generate a CSR (SHA-2):

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr

This process creates two files: a public .csr file, and a private .key file that absolutely must be kept secret.

The private key is generated at the same time as your CSR, and will be stored on your computer or server. Only you therefore have access to that file, which ends in “.key”.

When you run the command, it will ask you a series of questions. Here are some sample responses:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Minnesota
Locality Name (eg, city) []: Moorhead
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Inc.
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: subdomain.example.com
Email Address []:
A challenge password []: 
An optional company name []:

The challenge password and optional company name lines can be left blank.

We recommend that you enter an Email Address. It is optional.

subdomain.example.com indicates the subdomain that you want to protect. This is the most important part.

If you are activating a single-address certificate and create the CSR with the bare domain (e.g. example.com), the CA adds the www subdomain automatically: a CSR for example.com will secure both example.com and www.example.com. The reverse is also true: if you create the CSR with the www subdomain, the bare domain will also be secured. If you have a wildcard certificate, put a * in place of the subdomain (e.g. *.example.com). Wildcard certificates also secure the raw domain (with no subdomain).

Multidomain certificates cannot be used in this way: you have to declare each domain or subdomain you want to cover. In other words, if you have a multidomain certificate and secure the bare domains, the certificate will not also secure the corresponding www subdomains.

The content of the CSR file is what you need to activate your certificate. You can simply display it and copy-paste it into the validation screen. The command:

cat server.csr

will show you the block of text:

-----BEGIN CERTIFICATE REQUEST-----
...encrypted text...
-----END CERTIFICATE REQUEST-----

Make sure to copy the entire block, including the Begin and End lines.

For all CSRs created with OpenSSL, choose Apache/ModSSL from the software list when submitting your CSR. This is often the case with open source software packages, which leverage the OpenSSL framework.

You can display the content of your KEY file using the following command:

cat myserver.key

Replace “myserver” with the name you gave the file, if different.
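
The openssl command above can also be run without the prompts, and the result checked before it is pasted into the activation form. The script below is an added example, not part of the original page: it passes the page's sample answers through openssl's -subj option, then confirms the Common Name, the 2048-bit RSA key, the SHA-256 signature, that the CSR belongs to the key file, and that the key is readable by its owner only. The function names are made up for illustration.

```shell
#!/bin/sh
# Added example: non-interactive form of the page's openssl command, plus checks.
# Subject values are the page's sample answers; file names are the page's.

gen_csr() {  # $1 = output directory, $2 = Common Name (e.g. subdomain.example.com)
    (
        umask 077    # key and CSR are created readable by the owner only
        cd "$1" || exit 1
        openssl req -nodes -newkey rsa:2048 -sha256 \
            -keyout myserver.key -out server.csr \
            -subj "/C=US/ST=Minnesota/L=Moorhead/O=MyCompany Inc./OU=IT/CN=$2" \
            2>/dev/null
    )
}

csr_cn() {  # $1 = CSR file; prints the Common Name the CA will see
    openssl req -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

csr_matches_key() {  # $1 = CSR file, $2 = key file; true if they share a modulus
    csr_mod=$(openssl req -in "$1" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

csr_is_sound() {  # $1 = CSR file; self-signature valid, RSA 2048, SHA-256
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

key_mode() {  # $1 = key file; prints the permission string, e.g. -rw-------
    ls -l "$1" | cut -c1-10
}

# Demo run in a scratch directory (constructed input: the page's sample CN).
demo_dir=$(mktemp -d)
gen_csr "$demo_dir" "subdomain.example.com" &&
    echo "CN:  $(csr_cn "$demo_dir/server.csr")" &&
    csr_is_sound "$demo_dir/server.csr" && echo "CSR: RSA 2048 / SHA-256, signature OK" &&
    csr_matches_key "$demo_dir/server.csr" "$demo_dir/myserver.key" &&
    echo "Key: matches CSR, mode $(key_mode "$demo_dir/myserver.key")"
rm -rf "$demo_dir"
```

Run the checks against the real server.csr and myserver.key before submitting; a Common Name that differs from the name you intend to protect means the CSR has to be regenerated.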

Generating your CSR on Simple Hosting

You can generate your CSR and Private Key on your Simple Hosting instance by connecting to the SSH Console.

Navigate to the /srv/data/tmp folder:

$ cd /srv/data/tmp

And then run the openssl command described above.

Generating your CSR With Microsoft IIS

In the Windows “control panel” → “administration tools”, select IIS management.

Right-click on the website in question and then select “properties”.

From the “Directory Security” tab, click on “Server certificate”, and choose “Create a new certificate”, then “Prepare the request now but send it later”.

The creation form now requests the same information as listed for OpenSSL (see above). Fill in the fields appropriately, paying close attention to the subdomain, domain, and wildcard specification as appropriate.

Indicate the file where your CSR will be saved at the end of the process. You will need to copy and paste the contents of the file during the activation of the certificate on Gandi's website.

Last modified: 08/09/2016 at 09:54 by Ryan A. (Gandi)