Introduction
Just a quick refresher on generating certificate signing requests.
Generate the RSA key
Create an RSA key for your Apache server. Since every distro differs in where it keeps certificates, we will just place it in an arbitrary spot:
mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/
Type the following command to generate a private key.
openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048
Create a CSR
Type the following command to create a CSR with the RSA private key (the output will be in PEM format):
openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr
When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be used in the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &
DN Field | Explanation | Example
Common Name | The fully qualified domain name for your web server. This must be an exact match: if you intend to secure the URL https://www.yourdomain.com, then your CSR's Common Name must be www.yourdomain.com. If you plan on getting a wildcard certificate, prefix your domain with an asterisk. | www.yourdomain.com or *.domain.com
Organization | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com
Organization Unit | Section of the organization. | IT
City or Locality | The city where your organization is legally located. | Wellesley Hills
State or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts
Country | The two-letter ISO abbreviation for your country. | GB (for Great Britain, not UK)
Warning: leave the challenge password blank (press Enter).
Verify your CSR
openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr
Submit your CSR.
From this point you have to take the CSR you created here and submit it to a certificate authority (StartSSL, in my case). One very important thing to watch for here: make sure you include all of the alternative names the server is known by when submitting your CSR.
E.g. in my case, for ip-life.net I need to request a cert for both the ip-life.net and www.ip-life.net names; otherwise you will waste time, because the certificate presented is only valid for the www.ip-life.net version, therefore rendering your certificate useless!
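To make the alternative-name point concrete, here is an added example (not from the original post) that generates the key and CSR non-interactively with every name placed in the Subject Alternative Name extension, then checks the CSR for each expected name before it is submitted. It assumes OpenSSL 1.1.1 or newer (for -addext), the DN values from the table above, and the ip-life.net / www.ip-life.net names used as constructed sample input.

```shell
#!/bin/sh
# Added example: build a CSR whose SAN lists every name the server answers to,
# then inspect the CSR the same way the "Verify your CSR" step does.
# Assumes openssl >= 1.1.1; DN values are the constructed ones from the table.

# make_csr DIR NAME [ALT_NAME...]
# Writes DIR/NAME.key and DIR/NAME.csr. NAME becomes the Common Name, and NAME
# plus every ALT_NAME becomes a DNS entry in subjectAltName (browsers and CAs
# rely on the SAN list, not on the CN alone).
make_csr() {
    dir="$1"; cn="$2"; shift 2
    san="DNS:$cn"
    for alt in "$@"; do
        san="$san,DNS:$alt"
    done
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=GB/ST=Massachusetts/L=Wellesley Hills/O=domain.com/OU=IT/CN=$cn" \
        -addext "subjectAltName=$san"
}

# csr_has_names CSR NAME...
# Returns 0 only if every NAME appears as a DNS SAN in the decoded CSR; the
# first missing name is reported on stderr. Run this before submitting the CSR
# so a cert that covers only www.example.com is caught before it is issued.
csr_has_names() {
    csr="$1"; shift
    text=$(openssl req -noout -text -in "$csr")
    for name in "$@"; do
        case "$text" in
            *"DNS:$name"*) ;;
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Usage: `make_csr ~/ip-life.net.ssl ip-life.net www.ip-life.net && csr_has_names ~/ip-life.net.ssl/ip-life.net.csr ip-life.net www.ip-life.net`; a CSR generated with only www.ip-life.net fails the second check for the bare domain.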
https://support.rackspace.com/how-to/generate-a-csr-with-openssl/
If like me you are using Sophos UTM9 as a reverse proxy, this will be helpful:
https://ip-life.net/sophos-utm9-reverse-proxy-certificates/