3.3. Creating a CSR

From the key pair, we create a "Certificate Signing Request" (CSR) to send off to our chosen CA. The CSR contains the server's public key and the other details that are to be included in your certificate; the whole thing is signed with the server's private key.

The various strange field names, "Organizational Unit Name", "Common Name", etc., are an inheritance from X.500. It does not normally matter greatly what you supply for each component, though your chosen CA may decline to sign your certificate if what you supply is wrong or not what they expect. However, the component called "Common Name" must match exactly the host name of your server, otherwise browsers will complain. For a host with several names (for example www.department.cam.ac.uk and nymph.department.cam.ac.uk) this should be whatever is going to appear in the URLs actually used to access the secure server.


$ openssl req -new -key WWW.key -out WWW.csr
Enter pass phrase for WWW.key: password
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
Organizational Unit Name (eg, section) []:Computing Service
Common Name (eg, your name or your server's hostname) []:clt1.csi.cam.ac.uk
Email Address []:jw35@cam.ac.uk

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 

Arguments used

-new

used when creating a new CSR, rather than processing an existing one

-key

the name of the file containing the key pair

-out

name of the file to receive the CSR
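
The script below is an added example, not part of the original page. Before the CSR goes to the CA, it confirms that the CSR's signature verifies, that the CSR carries the public half of the key it was made from, and that its Common Name is the host name you intend. The function names are this example's own; the file and host names in the usage comment are the ones from the session above.

```shell
#!/bin/sh
# Added example: sanity checks on a CSR before sending it to the CA.
# Usage: sh check_csr.sh WWW.csr WWW.key clt1.csi.cam.ac.uk

# csr_cn CSR: print the Common Name from the CSR's subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# csr_selfsig_ok CSR: succeed only if the CSR's signature verifies against
# the public key it carries. The "verify OK" message is matched rather than
# relying on the exit status alone.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: succeed only if the public key in the CSR is the
# public half of KEY (openssl prompts for the pass phrase if KEY is encrypted).
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# check_csr CSR KEY HOSTNAME: run all three checks, report the first failure.
check_csr() {
    csr_selfsig_ok "$1" || { echo "signature on $1 does not verify" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "$1 was not made from $2" >&2; return 1; }
    cn=$(csr_cn "$1")
    [ "$cn" = "$3" ] || { echo "Common Name '$cn' is not '$3'" >&2; return 1; }
    echo "$1: ok, Common Name $cn"
}

# Run the checks when called as a script with the three arguments.
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```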