Before applying for a digital certificate, you must generate a certificate key file and a CSR file. The CSR (certificate signing request) file is the source from which your public key certificate is issued: it contains your server information and your organization information, and must be submitted to the CA certification center for review. It is recommended that you use the CSR file created by the system, to avoid audit failure due to incorrect input information. If you choose to generate the CSR file manually, be sure to keep and back up your key file. Note the following when generating the CSR file manually:
* Chinese input must be UTF-8 encoded, and you must specify UTF-8 encoding when using the OpenSSL tool.
* The certificate service system has strict requirements for the key in the CSR file: the key length must be 2048 bits, and the key type must be RSA.
* If you apply for a certificate with multiple domains or wildcard subdomains, you only need to enter one domain name in the Common Name or "What is your first and last name?" field.
Below are the details of using different tools to generate CSR files.
Note: If you need to input Chinese information, it is recommended to use the Keytool tool to generate the CSR file.
Generate CSR file using OpenSSL tool
1. Log in to the server.
2. Install the OpenSSL tool.
3. Execute the following command to generate a CSR file.
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]
* -new: Specifies to generate a new CSR file.
* -nodes: Specifies that the key file is not encrypted.
* -sha256: Specifies the digest algorithm.
* -newkey rsa:2048: Specifies the key type and length.
* [$Key_File]: Key file name.
* [$OpenSSL_CSR]: The storage path of the CSR file.
The system displays something like the following.
4. At the prompts returned by the system, enter the information required to generate the CSR file. The prompts are described below:
* Organization Name: The company name, which can be in Chinese or English.
* Organization Unit Name: Department name, which can be in Chinese or English.
* Country Code: The country to which the applicant belongs, which can only be a two-letter country code. For example, the code for China is CN.
* State or Province: State name or province name, which can be in Chinese or English.
* Locality: City name, which can be in Chinese or English.
* Common Name: The specific domain name of the website that applies for the SSL certificate.
* Email Address: Optional; you can leave it empty.
* A challenge password: Optional; you can leave it empty.
5. After you finish entering the information at the prompts, obtain the key file and CSR file from the current directory.
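The check below is an added example, not part of the original procedure: it generates a CSR non-interactively and then confirms that it meets the requirements listed above (RSA key, 2048 bits, expected Common Name, valid self-signature) before you submit it. The function names, the file names server.key and server.csr, and the subject values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate a CSR non-interactively, then check it against the
# page's requirements (RSA, 2048 bits, expected Common Name) before submission.

# make_sample_csr DIR CN [KEYSPEC]: write DIR/server.key and DIR/server.csr.
# File names and subject values are constructed sample data. -utf8 makes
# OpenSSL read the -subj string as UTF-8, as the page requires for Chinese.
make_sample_csr() {
    (
        umask 077   # -nodes leaves the key unencrypted: keep it owner-only
        openssl req -new -nodes -sha256 -utf8 -newkey "${3:-rsa:2048}" \
            -subj "/C=CN/ST=浙江省/L=杭州市/O=示例公司/OU=IT/CN=$2" \
            -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    )
}

# check_csr CSR_FILE EXPECTED_CN: return 0 only if the CSR's self-signature
# verifies, the key is RSA with 2048 bits, and the Common Name matches.
check_csr() {
    # Match the success message; do not rely on the exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "FAIL: key type is not RSA" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "FAIL: key length is not 2048 bits" >&2; return 1; }
    # RFC2253 output gives one comma-separated line, so CN is easy to isolate.
    cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    [ "$cn" = "$2" ] ||
        { echo "FAIL: Common Name is '$cn', expected '$2'" >&2; return 1; }
    echo "OK: RSA 2048-bit CSR for $2"
}

# Usage: sh check_csr.sh CSR_FILE EXPECTED_CN
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```

A CSR produced with Keytool is written in the same PEM format, so check_csr can be run on it as well.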
Generate CSR file using Keytool tool
1. Log in to the server.
2. Install the Keytool tool.
Note: The Keytool tool is generally included in the JDK toolkit.
3. Run the following command to generate the keystore certificate file.
keytool -genkey -alias [$Alias] -keyalg RSA -keysize 2048 -keystore [$Keytool_Path]
* -keyalg: Key type.
* -keysize: Key length, which must be 2048 bits.
* [$Alias]: Certificate alias, which can be customized.
* [$Keytool_Path]: The path to save the certificate file.
4. Enter the certificate protection password according to the prompt returned by the system.
5. At the prompts returned by the system, enter the information required to generate the CSR file. The prompts are described below:
* first and last name: The domain name of the certificate application.
* name of your organizational unit: Department name.
* name of your organization: The company name.
* name of your City or Locality: City name.
* name of your State or Province: State or province name.
* two-letter country code for this unit: The two-letter ISO country code.
6. Check that the information you entered is correct, then enter Y to confirm.
7. Enter the key password as prompted.
8. Execute the following command to generate a CSR file.
keytool -certreq -sigalg SHA256withRSA -alias [$Alias] -keystore [$Keytool_Path] -file [$Keytool_CSR]
* -sigalg: Digest algorithm used for the signature.
* [$Keytool_CSR]: CSR file storage path.
9. Enter the certificate password according to the prompt to generate the CSR file.