Certificate Signing Request (CSR)
What is CSR and what do you need it for?
If you already know the basic steps related to the certificate request and need server-specific instructions, you can go directly to Entrust's help page with the button below or choose the correct environment type from the list at the bottom of this page.
Creating a CSR
Server-specific instructions for some selected environments.
Select your server environment from the list to open the matching instructions. More server-specific instructions for creating a certificate request can be found on Entrust's website, which you can access from the link below.
1. Start the F5 BIG-IP web user interface.
2. On the Main tab, click System, select File Management, and then select SSL Certificate List.
3. A list of existing certificates will appear.
4. Click Create in the upper right corner of the screen.
5. In "General Properties", enter a name for the certificate. This name is used later to identify the certificate in the system.
6. Under "Certificate Properties", enter the following information:
- Issuer: Certificate Authority (your own CA, e.g. Entrust)
- Common name: Server's FQDN (fully-qualified domain name) (for example www.domain.com, mail.domain.com, or *.domain.com)
- Division: for example ICT
- Organization: The official, registered name of the company or organization.
- Locality, State or Province, Country: Municipality/City and country where your organization is located. The country code is e.g. "FI".
- E-mail Address: A generic address works well here, such as admin@domain.com, postmaster@domain.com, hostmaster@domain.com or webmaster@domain.com (replace "domain.com" with the domain the certificate is being requested for; the address must be a valid e-mail address).
- Challenge Password, Confirm Password: Password for the CSR.
8. Click Finished.
9. The text of the certificate request is displayed. Copy the full text to a file or download the request file to save the CSR.
10. Click Finished.
As a result, you should have a CSR file, i.e. a certificate request, with which you can submit a certificate application to your certificate provider. This is a normal text file; you can copy its content into an e-mail or directly into the field reserved for it in your certificate provider's system. Once your certificate is delivered, you can install it.
Please note that when the certificate request is made, a private key corresponding to the certificate is created on the device where the request is generated. Without this key the certificate will not work. The certificate can therefore be installed only on the device where the certificate request was made. In some cases, it is possible to export both the certificate and its private key as a package and copy it to another device.
Generating a CSR with the OpenSSL tool
Entrust utility for generating OpenSSL command
1. Log in to the server, a terminal (Unix/Linux) or a Command Prompt (Windows).
2. Type the following command: openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
3. OpenSSL asks for the information needed for the certificate. The mandatory fields are the COUNTRY (two-character abbreviation) where the certificate will be used, the name of the organization as it is entered in the trade register, and the COMMON NAME (CN), i.e. the name of the service that you want to certify, for example: www.mydomain.fi.
Country codes can be found here.
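The OpenSSL step above can also be run without prompts, and the resulting request checked before it is submitted. This is an added example, not part of the original instructions or Entrust's tooling; www.example.fi, Example Oy, the file names and the make_csr, csr_bits and check_csr helpers are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original page). Hostname, organization and
# file names are constructed placeholders.

# make_csr DIR FQDN: write DIR/FQDN.key (unencrypted, owner-only) and DIR/FQDN.csr
make_csr() {
  ( umask 077   # -nodes leaves the key unencrypted, so restrict file access
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1/$2.key" -out "$1/$2.csr" \
      -subj "/C=FI/O=Example Oy/CN=$2" 2>/dev/null )
}

# csr_bits CSR: print the public key length stated in the request
csr_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSR KEY: return 0 only if the request is fit to submit
check_csr() {
  # 1. The request's self-signature must verify (the file is intact).
  #    Match on the message: older OpenSSL exits 0 even when verification fails.
  if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "FAIL: CSR signature does not verify"; return 1
  fi
  # 2. RSA keys shorter than 2048 bits are no longer accepted.
  bits=$(csr_bits "$1")
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "FAIL: key length ${bits:-unknown} is below 2048"; return 1
  fi
  # 3. The public key in the request must belong to the private key held on
  #    this device; otherwise the issued certificate cannot be used here.
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the CSR"; return 1
  fi
  echo "OK: $bits-bit key, signature valid, key matches"
}

demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.fi &&
  check_csr "$demo_dir/www.example.fi.csr" "$demo_dir/www.example.fi.key"
```

Only the .csr file is sent to the certificate provider; the .key file stays on the server.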
(Windows 2012 Server/IIS 8.x, English server version)
1. Start IIS Manager and, in the "Connections" panel, locate the server for which you want to create the certificate request.
2. From the server "Home page", under the IIS section, double-click "Server Certificates".
3. In the "Actions" menu, choose "Create Certificate Request".
4. The "Request Certificate" wizard starts and asks you to enter the following information:
- Common name: Server's FQDN (fully-qualified domain name) (for example www.domain.com, mail.domain.com, or *.domain.com)
- Organization: The official, registered name of the company or organization
- Organizational unit: for example "ICT"
- City/locality
- State/province
- Country/region: country code (two-character abbreviation)
- Cryptographic service provider: Choose from the list "Microsoft RSA SChannel Cryptographic Provider" (unless for some reason you want to use some other encryption method).
- Bit length: Select 2048 from the list, unless for some reason you want to use another key length. This is the smallest RSA key length accepted today, although you may still see e.g. 1024-bit keys in some services. Certificates can no longer be issued for shorter RSA keys.
6. Click "Finish"
MMC (Microsoft Management Console)/ Windows 8
Entrust's instructional video
With this example, you can test the functionality of the tool. Copy the following in its entirety:
Requesting a certificate
The organizational identity included in the certificate requires a carefully audited verification process, for which you will receive more detailed instructions from your certificate supplier. With the verifications up to date, the certificate application process is simplified as follows:
The certificate request (CSR) is created on the server, and a private key and a public key are generated at the same time. The public key goes with the certificate request to the certificate authority (Entrust), which checks the legitimacy of the request. The certificate authority sends back an SSL/TLS certificate, which contains, among other things, the public key. The SSL/TLS certificate is installed on the web server, where it is paired with the private key.
Note: The private key generated when the CSR is created must be kept in a secure environment and must not be shared with others, not even with the certificate provider.
Instructions for creating a CSR
Server-specific instructions for selected environments
Below you will find links to server-specific CSR creation instructions on Entrust's website.
The instructions behind the links are in English.