Creating a Certificate Signing Request

Install OpenSSL, if not found on server, and place it in PATH.

Create a RSA key for your Apache server by:

cd to /apacheserverroot/conf/ssl.key directory.(ssl.key is the default key directory.) If your have different setting, cd to your server’s private key directory

Type the following commands to generate a key pair:

openssl genrsa -rand /var/log/apache-ssl/error.log:/var/log/mail.log:/var/log/kern.log:/var/log/mysql/mysql.log:/var/log/messages 1024 > yourcertificate.key

* Note: In this example some system logs have been used as seeds.

Create a backup file!

*Make a copy of the private key file (server.key) generated in step 3 and store it in a safe place!* The private key file should begin with -----BEGIN RSA PRIVATE KEY----- and end in -----END RSA PRIVATE KEY-----.

Type the following commands to create a CSR with the server RSA private key (output will be PEM formatted):

openssl req -new -key ./yourcertificate.key > yourcertificate.csr

When creating a CSR you must follow these conventions.

Enter the information to be displayed in the certificate.

The following characters are not accepted: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

Wildcard certificates must start with *. characters

Distinguished Name Field	Explanation	Example
Country Name	The two-letter ISO abbreviation for your country	US = United States
State or Province Name	The state or province where your organization is located. Can not be abbreviated.	Georgia
City or Locality	The city where your organization is located.	Atlanta
Organization Name	The exact legal name of your organization. Do not abbreviate	IPS S.L.
Organizational Unit	Optional for additional organization information	Marketing
Common Name (Server Host Name)	The fully qualified domain name for your web server. You will get a certificate name check warning if this is not an exact match.	If you intend to secure the URL https://secure.yourURL.com, then your CSR's Server Hostname must be secure.yourURL.com
Server Admin.'s email address	Your email address	abc@yourURL.com

Do not enter extra attributes at the prompt.

Warning: Leave the challenge password blank (press <enter>)

* Note: If you would like to verify the contents of the CSR, use the following command:

$ openssl req -noout -text -in server.csr

Submit your CSR to IPSCA.

CSR installation

Installing a Server Certificate using SSL/OpenSSL

IPSCA will send your Certificate by e-mail. You will also require an intermediate certificate available here IPS-IPSCABUNDLE.crt. Each certificate will look something like the following:
-----BEGIN CERTIFICATE----- JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrM mIoAnBdNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQ QLExNQZXJzb25hIENlcnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hc mtldCBUZXN0IFNlcnZlciAxMTAwHhcNOTUwNzE5MjAyNzMwWhcNOTYw NTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIER hdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNvbmEgQ2VydG lmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVyI DExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BA q1poGdSmGkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYim vhbBPNqYe4yLPAgMBAAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAj KKAefuNP+z+8NY8khckgyHN2LLpfhv+iP8m+bF66HNDUlFz8ZrVOu3W QapgLPV90kIskNKXX3a -----END CERTIFICATE-----

Copy the server certificate, including the lines from the beginning and the end of the certificate into a text editor such as Notepad (do not use Word or another word processor) Make sure that the certificate appears as formatted above. In other words, make sure that the lines aforementioned are included.

Save the server certificate as a text file with a .crt file extension to your OpenSSL certs directory, usually /usr/local/ssl/certs but this may vary depending on your particular configuration.

Step two: Install the Intermediate Certificates

You will need to install the chain certificate (intermediate) so that browsers can trust your certificate. As well as your SSL certificate ( yourdomainname.crt) two other certificates, named IPSSERVIDORES.crt and ipsCACLASEA1.crt , are also attached to the email from ipsCA. Apache users will not require these certificates. Instead you can install the intermediate certificates using a 'bundle' method IPS-IPSCABUNDLE.crt.

In the Virtual Host settings for your site, in the httpd.conf file, you will need to add the following SSL directives.This may be achieved by:

1. Copy IPS-IPSCABUNDLE.crt to the same directory as httpd.conf (this contains all of the ca certificates in the ipsCA chain).

2. Add the following line to httpd.conf (assuming /etc/httpd/conf is the directory mentioned in 1.), if the line already exists amend it to read the following:

SSLCertificateChainFile /etc/httpd/conf/IPS-IPSCABUNDLE.crt

If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

The SSL section of the updated httpd config file should now read similar to this example (depending on your naming and directories used):

SSLCACertificateFile /etc/ssl/private/IPS-IPSCABUNDLE.crt SSLCertificateFile /etc/ssl/certs/yourcertificate.crt SSLCertificateKeyFile /etc/ssl/private/yourcertificate.keyIPS-IPSCABUNDLE.crt

Save your httpd.conf file and restart. You can most likely do so by using the apachectl script:

Stop your Apache web server and the restart it in SSL mode using the command 'apachectl startssl'. If you are prompted for a pass phrase enter the pass phrase you set when generating your private key

Virtual Host example configuration:
*Note: You will need one IP per server.
To run more than one Certificate Authority on the Apache web server the configuration must look something like the details below. Please note the SSLCACertificateFile lines could be 2 different bundle files in case you need 2 different root authorities. If you are using certificates from one CA, the files will be the same file. Please also note the virtual host delimiter </VirtualHost> which keeps the details for each virtual host separate.

### Section 3: Virtual Hosts

<IfDefine HAVE_SSL>

## SSL Virtual Host Context

<VirtualHost 192.168.0.20:443>
DocumentRoot "/var/www/html2"
ServerName apache2.ipsca.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/apache.ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/apache.ssl/myserver.key
SSLCACertificateFile /etc/httpd/conf/apache.ssl/FirstBundleFile.txt
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost 192.168.0.21:443>
DocumentRoot "/var/www/html2"
ServerName apache2.ipsca.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/apache2.ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/apache2.ssl/myserver.key
SSLCACertificateFile /etc/httpd/conf/apache2.ssl/SecondBundleFile.txt
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

return to the top

© 1995 - 2011 ipsCA, IPS Certification Authority, S.L. all Rights reserved.
Our CPS summarized or complete, CRLs, Root Certificates and legal documents
can be found in our repository
Read our Privacy Policy and Terms of Use

facturacion electronica

Creating a Certificate Signing Request

Explanation