Creating a certificate signing request (generating a *.CSR
file) is like an application form for a certificate. You can specify
two categories of request:
Server certificate request
Prepares a certificate file to be signed by a trusted (root)
CA to authenticate your server. You are the subject of the certificate,
and the CA you send it to will be the certificate issuer. For example,
if you wanted to get a Thawte Server ID, you would create a certificate
request and mail the contents of this generated file to Thawte.
The file you generate is a *.CSR file.
Client certificate request
Prepares client certificate files that are loaded in the SSL
client application, such as a web browser. The client is the subject
of the certificate and you are the certificate issuer.
To create a certificate request, perform the following steps.
Enter the information required for the certificate.
You must complete all fields to create a valid certificate request.
The certificate request is generated after you respond to the last
question.
Encrypt Private Key
Using an encrypted private key forces the passphrase dialog
when loading the private key.
Do not use this option
if you are using the mod_ssl directive SSLPassPhraseDialog with
the default built-in option.
Encryption Bits
The largest recommended size is 1024 bits. Encryption strength
is often described in terms of the size of the keys used to perform
the encryption; in general, longer keys provide stronger encryption
but require more computing time. Key length is measured in bits.
Private key sizes larger than 1024 bits are incompatible with some
versions of Netscape Navigator and Microsoft Internet Explorer.
Certificate Key File
Use OpenVMS syntax (defaults to SSL$KEY:SERVER.KEY).
Certificate Request File
Use OpenVMS syntax (defaults to SSL$CSR:SERVER.CSR).
The remaining questions determine your server's distinguished
name.
Country Name
State or Province Name
City Name
Organization Name
Organization Unit Name
Common Name
Common name usage is different for client certificates than
it is for server certificates. Generally, the common name on a client
certificate is the proper name of the individual requesting a certificate.
In the case of server certificates, the common name must be the
same as your server's DNS host name (or virtual host name, if name-based
virtual hosting is used). Browsers compare the common name in the
server certificate with the host name of the server to which they
are connecting; these names must match.
Email Address
Display the Certificate
View the details of the certificate request (if
you chose to display the certificate).
Subject
Public key information
Signature algorithm
To see the encoded contents, exit the certificate tool and
enter the following command to view the CSR file.
$ TYPE SSL$ROOT:[CERTS]SERVER.CSR
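Before mailing the request to the CA it is worth checking the encoded file against the rules above (every distinguished-name field present, common name equal to the server's DNS host name). The following is an added example, not part of this documentation or of the OpenVMS certificate tool: a stdlib-only Python parser that decodes a PEM CSR and reports its subject and RSA key size. The sample request it builds is constructed inline with a dummy signature, and the field values and host name are assumptions.

```python
import base64
def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample request
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def children(value):  # split a constructed DER value into its (tag, body) children
    out, pos = [], 0
    while pos < len(value):
        tag, n, pos = value[pos], value[pos + 1], pos + 2
        if n & 0x80:  # long-form length: the low 7 bits give the number of length bytes
            n, pos = int.from_bytes(value[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, value[pos:pos + n])); pos += n
    return out

OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L", b"\x55\x04\x0a": "O",  # X.520 types
        b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"; SHA256_RSA_OID = RSA_OID[:-1] + b"\x0b"

def parse_csr(pem):  # return (subject dict, RSA modulus bits) from a PEM PKCS#10 request
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    info = children(children(der)[0][1])[0][1]  # CertificationRequestInfo
    _version, subject, spki = [c[1] for c in children(info)[:3]]
    dn = {}
    for _, rdn in children(subject):  # Name = SEQUENCE of SET of AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            dn[OIDS.get(oid, oid.hex())] = val.decode()  # Printable/IA5/UTF8 strings all decode as UTF-8 here
    rsa = children(children(spki)[1][1][1:])[0][1]  # subjectPublicKey BIT STRING (skip unused-bits byte) -> RSAPublicKey
    return dn, int.from_bytes(children(rsa)[0][1], "big").bit_length()

def check_csr(pem, hostname):  # the rules above: every DN field present, common name equal to the DNS host name
    dn, bits = parse_csr(pem)
    problems = ["missing " + f for f in OIDS.values() if f not in dn]
    if dn.get("CN", "").lower() != hostname.lower():
        problems.append(f"CN {dn.get('CN')!r} does not match host name {hostname!r}")
    return problems, bits

def build_sample_csr(dn, modulus):  # constructed sample: real structure, dummy all-zero signature
    name = tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(0x0c, dn[f].encode())))
                              for o, f in OIDS.items() if f in dn))
    rsa = tlv(0x30, tlv(0x02, b"\x00" + modulus) + tlv(0x02, b"\x01\x00\x01"))  # modulus, e = 65537
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xa0, b""))  # version 0, no attributes
    der = tlv(0x30, info + tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 257))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE REQUEST-----\n"

SAMPLE_DN = {"C": "US", "ST": "Texas", "L": "Houston", "O": "Example Corp", "OU": "Web Services",
             "CN": "www.example.com", "emailAddress": "webmaster@example.com"}  # assumed values
SAMPLE_CSR = build_sample_csr(SAMPLE_DN, b"\xc3" * 256)  # constructed 2048-bit modulus
```

Calling check_csr(SAMPLE_CSR, "www.example.com") returns ([], 2048); with "mail.example.com" the common-name mismatch that a browser would report at connection time is returned as a problem string instead. Feed the real SERVER.CSR text to parse_csr to see the subject and key size the CA will receive.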
What you see is exactly what is required by the certificate
authority. You might be required to send the file itself or just
the contents of the file to your CA (according to the CA's instructions).
For example:
If you are sending only the contents, copy and paste everything
and send to the CA using secure email or the appropriate enrollment
form. The CA will return a digitally signed certificate to you.
For example:
The CA-signed certificate contains the following information:
Your organization's common name (www.your-server)
Additional identifying information (IP and physical address)
Your public key
Expiration date of the public key
Name of the CA that issued the ID
A unique serial number. (Every certificate issued
by a CA has a serial number that is unique to the certificates issued
by that CA.)
CA's digital signature
Installing Certificates
A signed certificate needs to be installed, along with the
key you generated when creating the request, by saving or copying
the respective files to their correct directories and restarting
the application.
The following example shows a certificate and key copied to
the directory of a web server.