Generate a Certificate Signing Request (CSR)

Certificate Signing Request (CSR) Generation Guide - Apache + ApacheSSL

Apache + ApacheSSL

Follow these instructions to generate a CSR for your Web site. When you have completed this process, click the "close" button below to close this window and continue to the next step. OpenSSL is the open source project that replaced SSLeay. If you are using SSLeay on your system instead of OpenSSL, substitute ssleay with openssl for the commands.

  1. Install OpenSSL, if not found on your server.
  2. Create an RSA key for your Apache server:

    cd /apacheserverroot/conf/ssl.key

    ssl.key is the default key directory. If you have a different path, cd to your server's private key directory.

  3. Type the following command to generate a private key file that is encrypted. You will be prompted for the passphrase used to access the file, and again when starting your web server. Remember this passphrase; it will be needed later. Warning: If you lose or forget the passphrase, your SSL certificate cannot be installed and you must purchase another certificate.

    openssl genrsa -des3 -out domainname.key 1024

    You could also create a private key without file encryption:

    openssl genrsa -out domainname.key 1024

    Note: We recommend that you name the private key using the domain name that you are purchasing the certificate for, i.e. domainname.key.

  4. Type the following command to create a CSR with the RSA private key (output will be PEM format):

    openssl req -new -key domainname.key -out domainname.csr

    Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 3.

  5. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate, using English only. The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ?.,&

    | DN Field | Explanation | Example |
    |---|---|---|
    | Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.geotrust.com, then your CSR's common name must be www.geotrust.com. |
    | Organization | The exact legal name of your organization. Do not abbreviate your organization name. | GeoTrust |
    | Organization Unit | Section of the organization | Marketing |
    | City or Locality | The city where your organization is legally located. | Wellesley Hills |
    | State or Province | The state or province where your organization is legally located. Can not be abbreviated. | Massachusetts |
    | Country | The two-letter ISO abbreviation for your country (for example, CN for China). | US |

  6. Do not enter extra attributes at the prompt.
  7. Warning: Leave the challenge password blank (press enter).

    Note: If you would like to verify the contents of the CSR, use the following command:

    openssl req -noout -text -in domainname.csr

  8. Submit your CSR to GeoTrust (WoTrust); you will be asked to complete the agreement and the enrollment form as well.

Create a backup of your private key! Be sure to back up and safeguard your private key file (domainname.key) while you wait for us to issue the SSL certificate.

Make a copy of the private key file (domainname.key) generated in step 3 and store it in a safe place! If you lose this file, or overwrite it with a new private key file, the certificate cannot be installed and you must purchase a new certificate.

* The private key file should begin with (when using a text editor) -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.

To view the contents of the private key, use the following command:

    openssl rsa -noout -text -in domainname.key
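The two `-noout -text` commands above print the CSR and the key for a person to read. The script below is an added example, not part of the original guide, that checks the same files mechanically before the CSR is submitted: the CSR's self-signature, that the CSR was created from the key you backed up, that the Common Name is an exact match, and that Country is a two-letter code. The function names and the file name check_csr.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide; all function names are hypothetical.
# Usage: sh check_csr.sh domainname.csr domainname.key www.example.com

# Print one subject field of a CSR by its long name (commonName, countryName, ...).
csr_field() {
    openssl req -noout -subject -nameopt multiline -in "$1" |
        sed -n "s/^ *$2 *= //p"
}

# Print the RSA key size recorded in the CSR, in bits.
csr_key_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed only if the CSR and the private key share the same RSA modulus.
# An encrypted key makes openssl prompt for its passphrase here.
csr_matches_key() {
    csr_mod=$(openssl req -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Run every check; print each failure and return non-zero if any failed.
check_csr() {   # check_csr CSR KEY EXPECTED_COMMON_NAME
    rc=0
    openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }
    csr_matches_key "$1" "$2" ||
        { echo "FAIL: $1 was not created from $2"; rc=1; }
    [ "$(csr_field "$1" commonName)" = "$3" ] ||
        { echo "FAIL: Common Name is not exactly $3"; rc=1; }
    case "$(csr_field "$1" countryName)" in
        [A-Z][A-Z]) ;;
        *) echo "FAIL: Country is not a two-letter code"; rc=1 ;;
    esac
    echo "INFO: RSA key size is $(csr_key_bits "$1") bits"
    return "$rc"
}

# Only runs the checks when called with CSR, key and expected host name.
if [ "$#" -eq 3 ]; then check_csr "$1" "$2" "$3"; fi
```

A failed key match means the CSR was built from a different private key than the one on disk, which is the situation the backup warning above describes.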