Saturday, March 6, 2021

Request a certificate for your website ( Certificate Signing Request / CSR )


    A CSR ( Certificate Signing Request ) is the first step towards obtaining a TLS/SSL certificate for your web site.
    Generating the CSR also generates the private key that belongs to it. The CSR contains only the public key and
    your site details and is what you hand to the Certificate Authority; the private key stays on your server and must
    never be shared with anyone, the CA included.
    Order the certificate by submitting the CSR file to your preferred Certificate Authority. The CA verifies that you
    control the domain, processes the request and issues the certificate.

    Step 1. Log in to the server terminal and run the command below. Replace mysitename with your site name.
    ( -nodes writes the key unencrypted so the web server can start without a passphrase, so protect the file with
    permissions instead. )
    openssl req -new -newkey rsa:2048 -nodes -keyout <mysitename>.key -out <mysitename>.csr

    Enter the relevant information at the following prompts:

    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Note : The Common Name must be the fully qualified hostname of the site, not a person's name. Browsers validate the
           hostname against the subjectAltName (SAN) extension rather than the Common Name, so every extra hostname the
           certificate should cover must be listed as a SAN in the CSR ( public CAs normally add the CN to the SAN list
           themselves ). Leave the challenge password empty; public CAs do not use it and it is stored in the CSR.
    Note : The certificate can cover a single domain, a wildcard domain ( *.<mysitename>, covering one level of
           subdomains ) or multiple domains ( a SAN / multi-domain certificate ).
           Pricing differs by certificate type and by the number of names it covers.

    This generates two files.

    Certificate signing request file :    <mysitename>.csr  ( contains no secret; this is what you send to the CA )
    Your private key file : <mysitename>.key ( Do not share the private key with any party; restrict it to the
    account that runs the web server, e.g. mode 0600 )

    Step 2 : Check the generated <mysitename>.csr file before submitting it. Decode it locally with openssl
    ( req -text -noout -verify ) or with an online CSR decoder ( safe, since the CSR holds no secret ) and confirm the
    Common Name, the SAN list and the key size ( RSA 2048 bits or more ) are what you expect. A wrong name costs a
    re-issue.


   Step 3 : Submit the CSR to the selected Certificate Authority

   Examples : DigiCert SSL ( DigiCert also issues the former GeoTrust and Thawte brands ).
              Note : Symantec's CA business was acquired by DigiCert in 2017 and the old Symantec roots have been
              distrusted by the major browsers since 2018, so do not order Symantec-rooted certificates. A free,
              automated alternative for a plain domain-validated certificate is an ACME CA such as Let's Encrypt.

    Step 4 : Log in to the Certificate Authority's portal and browse to your order number. Download the certificate
    together with the intermediate ( chain ) certificates; without the chain, clients cannot build a path to a trusted root.
    Step 5 : Install your certificate into the keystore file. Replace <mysitename> with your domain name

    keytool cannot import a PEM private key, and importing only the certificate ( keytool -import ) creates a
    trusted-certificate entry without a key, which Tomcat cannot serve from. Bundle the key, certificate and chain into a
    PKCS#12 file with openssl first, then convert it to JKS if a .jks file is required:

    openssl pkcs12 -export -in <certificate file name> -inkey <mysitename>.key -certfile <certificate chain file name> -name <mysitename> -out <mysitename>.p12
    keytool -importkeystore -srckeystore <mysitename>.p12 -srcstoretype PKCS12 -destkeystore <mysitename>.jks -deststoretype JKS

    The value given to -name is the key alias that the server configuration must reference. Tomcat can also read the
    .p12 file directly ( keystoreType="PKCS12" ), so the conversion to JKS is optional. Protect the keystore file like
    the private key.
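    The key, CSR and keystore steps above as shell functions, with the checks a practitioner runs before submitting
    the CSR and after the certificate comes back. This is an added example, not code from the original post. The
    hostnames, the alias and the password are constructed placeholders, and the "stand-in CA" exists only so the whole
    flow can be exercised offline; a real CA validates domain control and replaces that function.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: mysitename.example,
# the alias "mysitename" and the password "changeit" are constructed values.
set -eu

# Step 1: private key + CSR with every hostname in a subjectAltName extension
# (browsers match SAN, not CN). Args: output prefix, FQDN, SAN list, C, O.
gen_key_and_csr() {
  local prefix=$1 fqdn=$2 san=$3 country=$4 org=$5
  cat >"$prefix.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
C = $country
O = $org
CN = $fqdn
[v3_req]
subjectAltName = $san
EOF
  (umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$prefix.key" -out "$prefix.csr" -config "$prefix.cnf" >/dev/null 2>&1)
  chmod 600 "$prefix.key"   # the private key never leaves this host
}

# Step 2: check the CSR locally before submitting it: valid self-signature,
# expected CN, every expected SAN present, and a key of at least 2048 bits.
verify_csr() {
  local csr=$1 fqdn=$2 san=$3 text name
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text)
  echo "$text" | grep -q "CN *= *$fqdn" || return 1
  for name in $(echo "$san" | tr ',' ' '); do
    echo "$text" | grep -q "$name" || return 1
  done
  echo "$text" | grep -Eq 'Public-Key: \(([2-9][0-9]{3}|[1-9][0-9]{4,}) bit\)' || return 1
}

# Steps 3-4 stand-in: a throwaway local CA signs the CSR and copies its SAN
# list. Only for exercising the flow offline; never use this for a real site.
stub_ca_issue() {
  local dir=$1 csr=$2 san=$3 out=$4
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
      -days 1 -subj "/CN=Stand-in CA" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$san" >"$dir/ca-ext.cnf"
  openssl x509 -req -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -days 1 -sha256 -extfile "$dir/ca-ext.cnf" -out "$out" >/dev/null 2>&1
}

# Step 5 check: the issued certificate must carry the public half of the key
# from step 1. Compare the public keys before building any keystore.
key_matches_cert() {
  local key=$1 cert=$2
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)" ]
}

# Step 5: bundle key + certificate + chain into a PKCS#12 file. Tomcat reads it
# directly (keystoreType="PKCS12"); keytool -importkeystore converts it to JKS.
# The -name value is the alias the connector's keyAlias must reference.
build_pkcs12() {
  local key=$1 cert=$2 chain=$3 alias=$4 out=$5 password=$6
  key_matches_cert "$key" "$cert" || return 1
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
      -name "$alias" -out "$out" -passout "pass:$password" 2>/dev/null
  chmod 600 "$out"
}

# Number of certificates stored in a PKCS#12 (leaf + chain expected).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# End-to-end run in a temporary directory; prints the directory path.
demo_flow() {
  local d fqdn san pw
  d=$(mktemp -d); fqdn=mysitename.example; san="DNS:$fqdn,DNS:www.$fqdn"; pw=changeit
  gen_key_and_csr "$d/mysitename" "$fqdn" "$san" XX "Example Org"
  verify_csr "$d/mysitename.csr" "$fqdn" "$san"
  stub_ca_issue "$d" "$d/mysitename.csr" "$san" "$d/mysitename.crt"
  openssl verify -CAfile "$d/ca.crt" "$d/mysitename.crt" >/dev/null
  build_pkcs12 "$d/mysitename.key" "$d/mysitename.crt" "$d/ca.crt" mysitename "$d/mysitename.p12" "$pw"
  echo "$d"
}

if [ "${1:-}" = run ]; then demo_flow; fi
```

    Run it as `sh csr-flow.sh run` and inspect the printed directory: it holds the key ( mode 0600 ), the CSR, the
    stand-in CA, the issued certificate and the PKCS#12 bundle. For a real order, skip stub_ca_issue, send the .csr to
    the CA, and feed the certificate and chain it returns to build_pkcs12; key_matches_cert catches the common mistake of
    pairing the certificate with a key from an earlier CSR.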

    Step 6: Configure the keystore file in your server.

    For Tomcat : Update the connector block in <Path to tomcat server>/conf/server.xml. keyAlias must be the alias
    used when the key was imported ( <mysitename> above ), otherwise Tomcat reports that the alias does not identify a
    key entry. Use keystoreType="PKCS12" with the .p12 file if you skipped the JKS conversion. keystorePass is stored in
    clear text, so server.xml must not be world-readable. ( maxSpareThreads was dropped: it is not a connector attribute
    in Tomcat 6 and later. )

    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keyAlias="<mysitename>"
           keystoreFile="<path to keystore file>.jks"
           keystorePass="<keystore password>" />

   For Apache : Update the VirtualHost block in <path to apache server>/sites-available/<mysitename>.conf ( Debian
   layout; enable it with a2ensite and make sure mod_ssl is enabled ). ServerName must match the certificate's
   hostname so the right certificate is selected by SNI. SSLCertificateChainFile is deprecated from Apache 2.4.8;
   on those versions append the chain certificates to the file given in SSLCertificateFile instead.

   <VirtualHost <my site ip>:443>
        ServerName <mysitename>
        DocumentRoot /var/www/html2
        SSLEngine on
        SSLCertificateFile <path to certificate>.crt
        SSLCertificateKeyFile <path to private key>.key
        SSLCertificateChainFile <path to certificate chain>.crt
   </VirtualHost>

 Step 7 : Restart your server ( check the configuration first: apachectl configtest for Apache, or watch catalina.out on
 startup for Tomcat ).

 Step 8 : Make sure the firewall and any security layer in front of the server allow inbound TCP port 443 to it.

            Note : If your traffic goes through a load balancer that terminates TLS, the certificate and private key
            must be installed on the load balancer instead, and the key has to be protected there as well.

 Step 9 : Browse your web site using the HTTPS protocol and check that the browser shows no certificate warning.

 Step 10 : Troubleshoot any issues using the server's error log ( Apache error.log, Tomcat catalina.out ) rather than the
 access log: TLS handshake failures never reach the access log. Typical causes are a missing intermediate chain, a key
 that does not match the certificate, a wrong keyAlias or keystore password, and a ServerName or SAN that does not
 match the hostname being browsed. An openssl s_client connection to port 443 shows exactly which certificate and chain
 the server is serving.