首页>技术支持>SSL证书请求文件(CSR)生成指南 - Raven SSL

SSL证书请求文件(CSR)生成指南 - Raven SSL

重要注意事项 An Important Note Before You Start

在生成CSR文件时同时生成您的私钥,如果您丢了私钥或忘了私钥密码,则颁发证书给您后不能安装成功!您必须重新生成私钥和CSR文件,免费重新颁发新的证书。为了避免此情况的发生,请在生成CSR后一定要备份私钥文件和记住私钥密码,最好是在收到证书之前不要再动服务器。

By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

These instructions were provided by Covalent, and at this stage Covalent will provide all technical support for Raven SSL.

Please make sure that you are especially careful to backup the private key once it has been generated. Your certificate will not work without that private key.

For users of Raven 1.2, the certificate generation process is

invoked with the following command typed at a shell prompt.

# ./ravenctl -cert

The process first prompts for the name of the certificate.

Please enter the server name you wish to generate for.

# ./ravenctl -cert

Name of the server you are issuing certificate for? -->

example.covalent.net

######################################################################

The key name chosen is example.covalent.net.key.

The certificate name is example.covalent.net.cert.

The key/certificate pairs will be stored in /usr/local/ssl.

######################################################################

You are about to generate a new key and key request. The key request

will be sent to the email address of your choice and the keyfile will

reside in /usr/local/ssl/private/example.covalent.net.key.

Choose the size of your key. Smaller key sizes provide faster server

response but will provide diminished security. Keys sizes less than

512 bits are easily cracked. For high security applications you will

probably want a key sized not less than 1024 bits.

The process first prompts for the name of the certificate.

Input your choice of key size at the prompt.

# ./ravenctl -cert

Number of bits in key (384 minimum, 1024 maximum)? --> 512

Generating random data, using the truerand library developed by

Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.

Generating 1024 bits of randomness: ................................

Generating 1024 random bits based on measuring the time interval

between your keystrokes. Please enter random text on your keyboard.

Generating the key. This may also take some time. Be patient.

The passphrase you enter here is very important. Do not lose it.

640 semi-random bytes loaded

Generating RSA private key ,512 bit long modulus

...+++++

....+++++

e is 65537 (0x10001)

Choose a pass phrase that is secure. Don't forget this password.

Enter PEM pass phrase: ...................

Verifying password - Enter PEM pass phrase: ...................

Key successfully generated.

You must respond below with "Y" to generate a signing request.

# ./ravenctl -cert

Would you like to send a Certificate Request to a CA? [Y/n]: --> y

A Thawte CSR does *not* require the following options. Answer "N".

Does your CA need the ASN1-Kludge? (VeriSign) [y/N]: --> n

Generating certificate request.

This process will also create a temporary certificate for testing until you receive the certificate from your CA. Please enter the following information:

Using configuration from /usr/local/ssl/lib/ssleay.cnf

The pass phrase entered here is the phrase that you chose above.

Enter PEM pass phrase: ...................

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]: US

State or Province Name (full name) [State]: Nebraska

Locality Name (eg, city) [City]: Lincoln

Organization Name (eg, company) [Organization]: Covalent Technologies,Inc.

Organizational Unit Name (eg, section) [Division]: Secure Services

It is important that your Common Name matches the name that the server will identify itself as when serving requests. Enter that server name below. For example, if you will be pointing people at https://www.bob.com/ then your server name would be www.bob.com . If your server has a real name ("adonis") and an alias ("secure" or "www") and you will be pointing people at the alias, then make sure you give the alias here, otherwise the browser will claim that the site name does not match the certificate.

It is also important that you give your State name, City name and two-letter UPPER CASE country code. The Organizational Unit field is optional.

Common Name (eg, YOUR name) [www.servername.com]: example.covalent.net

Email Address [webmaster@servername.com]: webmaster@covalent.net

Using configuration from /usr/local/ssl/lib/ssleay.cnf

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=US, ST=Nebraska, L=Lincoln, O=Covalent Tecnologies Inc.,

OU=Secure Services, CN=example.covalent.net/Email=webmaster@covalent.net

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (512 bit)

Modulus (512 bit):

00:c0:34:7e:a5:02:f7:35:8e:42:7b:ce:69:e9:31:

c0:4e:fd:d2:a7:6e:2f:ee:0b:09:84:00:b5:dc:49:

3c:36:0b:82:74:7b:c8:65:3b:c4:85:b1:f8:71:86:

78:71:39:7c:03:16:c0:2b:50:d4:f1:dd:2a:f2:ce:

f3:68:35:d7:43

Exponent: 65537 (0x10001)

Signature Algorithm: md5WithRSAEncryption

40:26:58:76:fe:a5:69:ab:fe:fd:f6:6e:0d:3b:f8:79:06:7e:

96:e3:1f:e0:44:12:c1:51:c6:58:f8:38:85:92:67:4e:99:ba:

3e:55:42:94:31:94:50:ba:96:19:4e:31:4a:d4:39:d6:91:12:

10:64:20:38:9c:df:df:ea:c8:72

Webmaster email: webmaster@covalent.net

Webmaster phone: +1.402.441.5710

Mailing the CSR to your personal email account will allow you to easily cut and paste the request into the Thawte submission form. Please enter that address below.

Send CSR via Email to? --> yourmail@covalent.net

Certificate request sent to yourmail@covalent.net .

Creating a self-signed certificate for use until your chosen CA delivers your signed certificate.

Using configuration from /usr/local/ssl/lib/ssleay.cnf

The pass phrase entered here is the phrase that you chose above.

Enter PEM pass phrase: ...................

The following questions should match the information previously provided above.

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]: US

State or Province Name (full name) [State]: Nebraska

Locality Name (eg, city) []:Lincoln

Organization Name (eg, company) [Organization]: Covalent Technologies Inc.

Organizational Unit Name (eg, section) [Division]: Secure Services

Common Name (eg, YOUR name) [www.servername.com]: example.covalent.net

Email Address [webmaster@servername.com]: webmaster@covalent.net

Key and certificate have been successfully installed.

CSR generation process is complete. Check your email to obtain the CSR. Cut and paste this request into the Thawte request forms.

Again, please backup the contents of /usr/local/ssl/private so that you are sure you have backup copies of your private key.

测试CSR和把CSR发给WoSign, Start the certificate request process

生成CSR后,建议您自己测试一下生成的CSR文件是否正确,请点击 这里 测试您的CSR文件。请把测试成功的CSR文件发给WoSign即可。请一定不要再动您的服务器,等待证书的颁发。

To submit the CSR to WoSign for processing you should start the certificate enrollment process.