Apache Generate Csr Private Key

To generate your CSR, you will need to log into your server and use the OpenSSL software to generate a CSR and private key. Log into your server and enter the following command:

$ openssl req -nodes -newkey rsa:2048 -sha1 -keyout myser.key -out server.csr

This will generate two files: CSR called server.csr; 2048-bit private key called.

Solution

  1. Follow these instructions to generate a Private Key and CSR. Tip: The 2048 in the command above is the key bit length. GeoTrust recommends a key bit length of 2048. Using the java keytool command line utility, the first thing you need to do is create a keystore and generate the key pair.
  2. A public/private key pair has now been created. The private key (dbappweb.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (dbappweb.csr), will be submitted for certificate enrollment. Back up the private key.

To generate the CSR and private key in Apache modSSL, follow the instructions below:

The utility 'openssl' is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. When you want to access your website through https://www.yourdomain-example.com then the FQDN of your website is www.yourdomain-example.com; therefore, your common name will be www.yourdomain-example.com.

Generate the Key with the following command:

NOTE: A key length of 1024 bits is the default, but Thawte recommends the use of a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.

$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048

This command generates a 2048-bit RSA private key and stores it in the file www.yourdomain-example.com.key.
It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so only you can read that key), you can leave out the -des3 option above. Also leave out the -des3 option if you are running Apache on Windows, as it does not work on Windows.

Back up your www.yourdomain-example.com.key file and make a note of the pass phrase. A good choice is to back up this information onto a diskette or other removable media.

Note: If you are attempting to request an Extended Validation certificate, ensure that 2048 is selected as your key-bit length.

Generate the CSR with the following command:

$ openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr

This command will prompt you for the X.509 attributes of your certificate. Remember to give the name www.yourdomain-example.com when prompted for 'Common Name (eg, www.yourdomain-example.com)'.
Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers).
Note: Please do not enter an email address, challenge password or an optional company name when generating the CSR.

You will now have a RSA Private Key in www.yourdomain-example.com.key and a Certificate Signing Request in www.yourdomain-example.com.csr.
The file www.yourdomain-example.com.key is your secret key, and must be installed as per the instructions that will come when your certificate is issued. The file www.yourdomain-example.com.csr is your CSR, and the important bit looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
Code
-----END CERTIFICATE REQUEST-----

The CSR in www.yourdomain-example.com.csr is what you now paste into the appropriate online order form.

Please take a note of the format above.

Please Note: Generating the private key with the passphrase will mean that the same passphrase will need to be entered after restarting the server.
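
The two commands above in non-interactive form, followed by checks worth running before the CSR is pasted into an order form. This is an added example, not part of the original instructions: the /C, /ST, /L and /O values are placeholders, the key is written without a pass phrase (the "leave out -des3" case), and the request is signed with SHA-256.

```sh
#!/bin/sh
# Added example (not from the original page). The FQDN and the /C, /ST, /L, /O
# values are placeholders; the key is written without a pass phrase.

# make_key_and_csr DIR FQDN: the genrsa and req steps, non-interactive.
make_key_and_csr() {
    # umask 077 in a subshell: the key is created readable by its owner only.
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) || return 1
    # -subj supplies the X.509 attributes, so no e-mail address or challenge
    # password is prompted for; the Common Name is the FQDN.
    openssl req -new -batch -sha256 -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$2"
}

# csr_cn CSR: print the Common Name in the request.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# csr_bits CSR: print the public key length in bits.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_matches_key KEY CSR: succeed only if the CSR carries KEY's public half.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_csr KEY CSR FQDN: run every check before the CSR goes to the CA.
check_csr() {
    [ "$(csr_cn "$2")" = "$3" ]     || { echo "CN is not $3"; return 1; }
    [ "$(csr_bits "$2")" -ge 2048 ] || { echo "key under 2048 bits"; return 1; }
    csr_matches_key "$1" "$2"       || { echo "CSR/key mismatch"; return 1; }
    openssl req -in "$2" -noout -text | grep -Eq 'emailAddress|challengePassword' \
        && { echo "CSR carries e-mail or challenge password"; return 1; }
    return 0
}

# Demo in a throwaway directory.
demo=$(mktemp -d); f=www.yourdomain-example.com
make_key_and_csr "$demo" "$f" &&
    check_csr "$demo/$f.key" "$demo/$f.csr" "$f" && echo "CSR ready to submit"
rm -rf "$demo"
```

The key/CSR comparison is the check that catches the most common installation failure: a certificate issued for a CSR whose private key was later regenerated or overwritten.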

To allow your mod_ssl-secured Apache server to work with our certificates, we recommend that you use the latest versions of Apache, mod_ssl and OpenSSL.
The distribution tarballs can be found at the following locations:

http://www.apache.org/dist/
http://www.modssl.org/source/
http://www.openssl.org/source/


Detailed installation instructions can be found in the INSTALL files in all three packages.

The utility (openssl) that you use to generate the RSA Private Key (Key) and the Certificate Signing Request (CSR) comes with OpenSSL and is usually installed under the directory SSL_BASE/bin, where SSL_BASE is the path you specified for building Apache+mod_ssl either with the --with-openssl option or the SSL_BASE variable.

Use Java's Keytool to create a CSR and install your SSL/TLS certificate on your Tomcat (or other Java-based) server

Use these instructions to generate your certificate signing request (CSR) and install your SSL/TLS certificate on your Tomcat server using Java’s Keytool.

Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.

  1. To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with Java Keytool.

  2. To install your SSL certificate, see Tomcat Server: Install and Configure Your SSL/TLS Certificate.

If you are looking for a simpler way to create CSRs, and install and manage your SSL/TLS certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and prepare your SSL/TLS certificate file for installation on your Tomcat server. See Tomcat: Create CSR & Install SSL/TLS Certificate with the DigiCert Utility.

I. Tomcat Server: Create Your CSR with Java’s Keytool

Use the instructions in this section to create a new keystore (.jks) file and to generate your CSR.

Recommended Method: Use the DigiCert Java Keytool CSR Wizard

Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR.

  1. Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.

  2. The Java keytool utility creates both your private key and your certificate signing request, and saves them to two files: your_common_name.jks, and your_common_name.csr.

  3. You can then copy the contents of the CSR file and paste it into the CSR text box in our order form.

  4. Skip to Step 2, part 3: Save and Back-up Your Keystore File.

Do you prefer a more manual approach to generating your Tomcat keystore and CSR? Follow the instructions below.

Step 1: Use Keytool to Create a New Keystore

Important: We recommend you generate a new keystore following the process outlined in this section. Installing a new certificate to an old keystore often ends in installation errors or the SSL/TLS certificate not working properly. Before you begin this process, back up and remove any old keystores.

  1. Run Command

    1. Navigate to the directory where you plan to manage your keystore and SSL/TLS certificate.

    2. Enter the command below.

      In the command above, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate. When ordering a Wildcard certificate, do not include the asterisk (*) in the filename (e.g., your_site_name). The asterisk is not a valid keytool character.

    3. Create a Password

      1. When prompted, create a password for your Keystore.

        Note: You will specify this password in your Tomcat configuration file and then use it to generate your CSR and to import your certificate.

      2. Store this password somewhere safe, such as a trusted and secured password manager.

    4. Enter your SSL/TLS certificate information.

      Important: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com). Are you ordering a Wildcard Certificate? Then your FQDN must begin with an asterisk (*) (e.g., *.yourdomain.com).

    5. Enter your Organization information.

    6. When prompted to verify your information, type y or yes to confirm.

    7. When asked for a 'key password for <server>', press enter to use the password you just created for the keystore file.

  2. Your keystore file, your_site_name.jks, is now created and in your current working directory.

Step 2: Generate a Certificate Signing Request (CSR) from your New Keystore

  1. Run Command

    1. In Keytool, type the following command:

      In the command above, your_site_name should be the name of the keystore file you created in Step 1: Use Keytool to Create a New Keystore or when using the DigiCert Java Keytool CSR Wizard.

    2. When prompted, enter the password you created earlier (when you created your new keystore).

    3. In your current directory, csr.txt (e.g., your_site_domain.txt) now contains your CSR.

  2. Save and Back-up Your Keystore File

    1. Take note of the path to your keystore file (your_site_domain.jks) as your SSL/TLS certificate will be installed to it later.

    2. We recommend that you create a back-up copy of your Keystore file (your_site_domain.jks) before continuing. Having a back-up of the Keystore file can help resolve issues that may occur during SSL/TLS certificate installation.

  3. Order Your SSL/TLS Certificate

    1. Open the .csr file you created with a text editor.

    2. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

    3. Make sure that when you Select Server Software, you select Tomcat.

  4. Install Certificate

    After you’ve received your SSL/TLS certificate from DigiCert, you can install it on your Tomcat server.