This article covers generating a CSR file, submitting it to a CA and using the resulting certificate on Linux with Apache or Nginx, and/or on Windows with IIS. The Windows-related steps build on the certificate preparation done for Linux, so whichever platform you use, read the entire article from top to bottom.
When you purchase an SSL certificate, you must generate a CSR (certificate signing request) and submit it to the CA (certificate authority), which issues a new certificate back to you. That certificate file, together with the private key created alongside the CSR, is then installed on your web server to provide the SSL protection you need.
This article demonstrates the process with the commands you’ll need to use.
We’ll start by generating the CSR and KEY files on a Linux host. Towards the end of this article, there are instructions for importing the certificate into a Windows IIS system.
On a Linux system:
mkdir ~/ssl_files
cd ~/ssl_files
Create a file called “config” with the following contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = AU
ST = SA
L = Adelaide
O = EXAMPLE
OU = IT
CN = www.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
IP.1 = 10.1.2.3
Note: The “CN” line used to be the only place the machine name (FQDN) went, but nowadays that name and any other names must also appear in the “DNS.1”, “DNS.2”, etc. lines, as shown at the bottom of the example above.
Note: The “IP.1” is optional, as are multiple “DNS.x” lines.
Now execute the following command to generate the CSR and KEY files:
openssl req -out server.csr -newkey rsa:4096 -nodes -keyout server.key -config config
At this point you have the following files in the current directory:
config
server.csr
server.key
Submit the contents of the “server.csr” file to your CA. Don’t share the “server.key” with anyone. The KEY file is critical to the security of the process.
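The CSR step is worth checking before anything is sent to the CA. The script below is an added example, not from the original article: it writes the config shown above into a scratch directory, runs the same openssl req command, restricts the key to the owner, and then confirms that the CSR's self-signature verifies, that the CSR carries the public half of server.key, and which SANs the CA will actually read. The directory paths and the demo function are assumptions of this example. One caveat on the config itself: CAs normally set keyUsage themselves, and a server RSA key used with ECDHE cipher suites also needs digitalSignature, which the config above does not request.

```shell
#!/bin/sh
# Added example, not from the original article: write the request config,
# generate the key and CSR with the article's command, then check the CSR
# before it leaves the machine.
set -eu

# write_config DIR : the config from the article (constructed sample values)
write_config() {
  cat > "$1/config" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = AU
ST = SA
L = Adelaide
O = EXAMPLE
OU = IT
CN = www.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
IP.1 = 10.1.2.3
EOF
}

# make_csr DIR : the article's openssl req command, plus owner-only key perms
make_csr() {
  openssl req -out "$1/server.csr" -newkey rsa:4096 -nodes \
    -keyout "$1/server.key" -config "$1/config" 2>/dev/null
  chmod 600 "$1/server.key"   # nobody but the owner may read the private key
}

# csr_verify DIR : the CSR's own signature must check out
# (grep rather than exit status: OpenSSL 1.1.1 exits 0 even on failure)
csr_verify() {
  openssl req -in "$1/server.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_sans DIR : print the SAN list exactly as the CA will read it
csr_sans() {
  openssl req -in "$1/server.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_csr DIR : the CSR must carry the public half of server.key
key_matches_csr() {
  from_key=$(openssl pkey -in "$1/server.key" -pubout)
  from_csr=$(openssl req -in "$1/server.csr" -noout -pubkey)
  [ "$from_key" = "$from_csr" ]
}

# demo : run the whole flow in a scratch directory (sh csr-check.sh --demo)
demo() {
  d=$(mktemp -d)
  write_config "$d"
  make_csr "$d"
  csr_verify "$d" && key_matches_csr "$d" \
    && echo "CSR OK; SANs: $(csr_sans "$d")"
  echo "send $d/server.csr to the CA; keep $d/server.key private"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the SAN line the CA will see; if a hostname is missing there, fix the config and regenerate rather than hoping the CA adds it.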
The resulting certificate is almost certainly a base64 (PEM) file that Apache and Nginx can read directly. Both Apache and Nginx need the certificate and the key file specified in their configuration. Windows is different and requires a few extra steps; for Windows, continue with the next section.
On a Windows system (IIS):
If you’re using this SSL certificate on a Windows IIS server, you’ll need to convert the certificate you received from the CA into a PFX file. Creating the PFX combines the CRT file with the KEY file, and it all happens in one command:
openssl pkcs12 -export -out server-binary.pfx -inkey server.key -in server.crt
If IIS refuses the password when you import the file, try adding the “-legacy” option, as shown below:
openssl pkcs12 -export -legacy -out server-binary.pfx -inkey server.key -in server.crt
Note: The command above asks you to choose a password before it completes. Record that password in a safe location, because you’ll need it when loading the certificate into Windows IIS.
The command produces a new file called “server-binary.pfx”. This is a binary file, not a base64 file, so you can’t easily copy and paste its contents to another server. If that’s a problem, convert it to base64 first:
base64 server-binary.pfx > server-base64.pfx
Now we’ve got the file in both base64 and binary format.
Tip: if you need to convert the file from base64 back to binary on a Windows system, use the following command there:
certutil -decode server-base64.pfx server-binary.pfx
Windows IIS requires the PFX in binary format (not base64), and on import you enter the password you chose in the steps above.
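Before a PFX is copied to the Windows host it pays to confirm that it opens with the chosen password, that it actually holds both the key and the certificate, that the certificate matches server.key, and that the base64 copy decodes back to the same bytes. The script below is an added example, not from the original article: it runs the article's pkcs12 export with the passphrase read from a mode-600 file instead of a prompt (so it never appears in the process list), then performs those checks. Because no CA is available offline, the demo and test use a self-signed certificate as a stand-in for the CA-issued server.crt; that stand-in, the file names and the demo function are assumptions of this example. The “-legacy” option from the article is only present in OpenSSL 3.x, where it selects the older encryption that some Windows versions expect, so it is deliberately not used here.

```shell
#!/bin/sh
# Added example, not from the original article: bundle server.crt and
# server.key into a PFX with the export passphrase read from a file, then
# verify the bundle and its base64 transfer copy before they go near IIS.
set -eu

# make_stand_in_cert DIR : self-signed stand-in for the CA-issued server.crt
# (constructed for testing only; in real use server.crt comes from the CA)
make_stand_in_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.com" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
  chmod 600 "$1/server.key"
}

# make_pfx DIR : the article's export, but the passphrase comes from
# DIR/pfx-pass.txt instead of a prompt, so it never lands on a command line
make_pfx() {
  openssl pkcs12 -export -out "$1/server-binary.pfx" \
    -inkey "$1/server.key" -in "$1/server.crt" \
    -passout "file:$1/pfx-pass.txt"
}

# pfx_has_key_and_cert DIR : succeed only if the bundle opens with the
# passphrase and contains both a private key and a certificate
pfx_has_key_and_cert() {
  dump=$(openssl pkcs12 -in "$1/server-binary.pfx" -nodes \
           -passin "file:$1/pfx-pass.txt" 2>/dev/null)
  printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE' &&
    printf '%s\n' "$dump" | grep -q 'PRIVATE KEY'
}

# pfx_cert_matches_key DIR : the certificate inside the PFX must carry the
# public half of server.key, otherwise IIS would import a useless pair
pfx_cert_matches_key() {
  from_pfx=$(openssl pkcs12 -in "$1/server-binary.pfx" -nokeys \
               -passin "file:$1/pfx-pass.txt" 2>/dev/null | openssl x509 -noout -pubkey)
  from_key=$(openssl pkey -in "$1/server.key" -pubout)
  [ "$from_pfx" = "$from_key" ]
}

# base64_roundtrip DIR : encode as the article does, decode as certutil
# -decode would on Windows, and confirm the bytes survived unchanged
base64_roundtrip() {
  base64 "$1/server-binary.pfx" > "$1/server-base64.pfx"
  base64 -d "$1/server-base64.pfx" > "$1/roundtrip.pfx"
  cmp -s "$1/server-binary.pfx" "$1/roundtrip.pfx"
}

# demo : run the whole flow in a scratch directory (sh pfx-check.sh --demo)
demo() {
  umask 077                     # passphrase file and outputs are owner-only
  d=$(mktemp -d)
  printf '%s\n' 'constructed-demo-passphrase' > "$d/pfx-pass.txt"  # constructed value
  make_stand_in_cert "$d"
  make_pfx "$d"
  pfx_has_key_and_cert "$d" && pfx_cert_matches_key "$d" && base64_roundtrip "$d" \
    && echo "PFX verified: key and certificate match, base64 copy is intact"
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The same checks apply unchanged to a real CA-issued server.crt: replace make_stand_in_cert with the files from the CSR step and run make_pfx followed by the three verification functions.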