(* for all you impatient people, here it is: 2048 bit Private Key / CSR Generation)
We run a management system for all our clients and domains.
It's pretty easy to use when it comes to management tasks:
- Adding Domains
- Managing Nameservers / Hostnames
- FTP accounts
- SSL Certificates
Yeah.. SSL Certificates.
So if you're going to run an ecommerce site and accept credit card / payment data on
your site without redirecting to something like PayPal, PCI compliance (*Payment Card Industry (PCI) Data Security Standard) requires you to have an SSL (https) enabled website so that your customers' financial data is better protected in transit. So to get an SSL certificate you have a few options:
- Don't
- Create a Self Signed Certificate
- Create a Certificate Request and get it signed by someone who the majority of browsers already trust
We will skip the Don't part.
We normally use GoDaddy for SSLs; no real reason, I started buying domains through
them a while back and it's just easier to keep all your domains and SSL certificates in the
same place. (*Short of my .ca domains, which I'm pretty
sure GoDaddy still doesn't offer.)
Right, GoDaddy SSL certificates.
I don't remember the price; but for all you recession-feeling people, if you google
(*or bing?!?!) "SSL certificates",
GoDaddy is listed at the top of the page.
Ok, so until recently this was an easy process: open the management software, then
- Enter some basic required information
- Request a self signed certificate
- Goto Godaddy
- Put in Certificate Request and submit
- Wait for email
- Add Signed Certificates, Key & Intermediary Certificate to management software & apply settings
And you're done! (*doesn't look that easy, huh?)
Well, now GoDaddy requires 2048 bit private keys and our management software does not support them.
If you're SSH / console friendly or have cygwin / OpenSSL you can try this
(*note: collinsharper.com should be replaced with your domain)
openssl genrsa -out collinsharper.com.key 2048
openssl req -new -key collinsharper.com.key -out collinsharper.com.csr
cat collinsharper.com.key
cat collinsharper.com.csr
It's going to ask you a few questions
and look something like this:
[openssl@collinsharper ~]# openssl genrsa -out collinsharper.com.key 2048
[openssl@collinsharper ~]# openssl req -new -key collinsharper.com.key -out collinsharper.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CA
State or Province Name (full name) [Berkshire]:BC
Locality Name (eg, city) [Newbury]:Vancouver
Organization Name (eg, company) [My Company Ltd]:Collins Harper
Organizational Unit Name (eg, section) []:Magento Development Web Sales
Common Name (eg, your name or your server's hostname) []:www.collinsharper.com
Email Address []:stopspammingme@collinsharper.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[openssl@collinsharper ~]# cat collinsharper.com.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0MXEo67NsPbR/ge/Gka+GfoTzrEEMQqgmlvZXFzvQP9n+tPW
--- data clipped ---
+rxNk1B9OrSDDgwXLUo6DQEDxhj6XW8oNeJUCmnsZAXbmq7N9V58
-----END RSA PRIVATE KEY-----
[openssl@collinsharper ~]# cat collinsharper.com.csr
-----BEGIN CERTIFICATE REQUEST-----
hPI7jFC1JXXdzu5zh5liEy/HRXDr3xvBaTPqdLk1fhkhqlVn77qTW6jLoscWXHWQ
--- data clipped ---
ehvTPwttZlVB+A==
-----END CERTIFICATE REQUEST-----
That's not so bad; just take that and follow the previous steps.
That does mean that for all my clients I have to generate their certificates; I don't really like repetitive tasks.
So here's a fairly simple script.
2048 bit Private Key / CSR Generation
Generate
- A 2048 bit Private key pair
- A CSR
- Even a Self Signed Certificate
You will need to save both keys and the CSR for future use.
One last thing: take your time and read the data from your parsed certificate. They teach nurses to read data backwards then forwards (you don't skim as well reading data backwards, or so I am told); this will force you to think about the information and ensure you do not request a bad certificate and then have to start over.
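Added example (not the author's script): a small POSIX shell version of the generate-and-read-back routine described above. It creates the 2048 bit key, the CSR and a self-signed certificate for one domain non-interactively, then parses the CSR back to confirm the key size, the CN and the request signature before anything is sent to the CA. The DN values, the output directory and "example.test" are constructed placeholders.

```shell
#!/bin/sh
# Generate a 2048-bit RSA key, a CSR and a self-signed cert, then verify the CSR.
# All names below (example.test, the O/OU fields, ./certs) are constructed placeholders.
set -eu

# gen_csr <domain> <outdir>: writes <outdir>/<domain>.key, .csr and .selfsigned.crt
gen_csr() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  key="$dir/$domain.key"; csr="$dir/$domain.csr"; crt="$dir/$domain.selfsigned.crt"
  # Private key: 2048 bits, written with umask 077 so only the owner can read it.
  (umask 077; openssl genrsa -out "$key" 2048 2>/dev/null)
  # CSR: -subj answers the interactive DN prompts shown in the post; CN is the site name.
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=CA/ST=BC/L=Vancouver/O=Example Org/OU=Web/CN=www.$domain"
  # Self-signed certificate from the same key, for testing until the CA-signed one arrives.
  openssl req -x509 -key "$key" -in "$csr" -out "$crt" -days 365
}

# check_csr <csr> <expected CN>: the "read it back" step. Returns non-zero if anything is off,
# so a bad request is caught here instead of after paying for a certificate.
check_csr() {
  csr=$1; cn=$2
  # 1. The request must carry a valid self-signature (proves the CSR matches the key).
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "bad CSR signature"; return 1; }
  # 2. The embedded public key must be 2048 bits (the CA requirement in the post).
  bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = "2048" ] || { echo "key is ${bits:-?} bits, expected 2048"; return 1; }
  # 3. The Common Name must be the hostname you actually serve (www.<domain> here).
  openssl req -in "$csr" -noout -subject | grep -q "CN *= *$cn" || { echo "CN mismatch"; return 1; }
  echo "CSR OK: $bits-bit key, CN=$cn"
}

# Usage: ./gen_csr.sh <domain> [outdir]; loop it over a list of client domains.
if [ "${1:-}" != "" ]; then
  gen_csr "$1" "${2:-./certs}"
  check_csr "${2:-./certs}/$1.csr" "www.$1"
fi
```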
© 2011 Collins Harper. All Rights Reserved.