Skip to main content




To generate a certificate signing request (CSR) and key in Apache + MOD SSL, please follow
these step-by-step instructions:

1. Install “OpenSSL”, if not found on server, and put in “PATH”.

2. Create a RSA key for your Apache server by: cd to /apacheserverroot/conf/ssl.key
directory. (ssl key is the default key directory. If you have a different setting, cd to your
server’s private key directory.)

3. Type the following commands to generate a key pair:
$openssl genrsa -des3 -out server.key 1024

4. Enter and verify the “PEM passphrase”. The passphrase will be used to install the server
Warning: If you lose the passphrase, you must purchase another certificate.

5. Type the following commands to create a CSR with the server RSA private key:
$openssl req -new -key server.key -out server.csr
(The output will be PEM formatted.)


6. When creating a CSR, you must follow these conventions.

  • Enter the “Distinguished Name Field” information.
  • Note: The following characters cannot be accepted: < > ~ ! @ # % ^ * / \ ( ) ?
Distinguished Name Field Explanation Example
Country Name The two-letter ISO abbreviation for your country. US = United States
State or Province Name The state or province where your organization is legally located. Do not abbreviate the state or province name. Utah
City or Locality The city where your organization is legally located. Salt Lake City
Company (Organization) Name The exact legal name of your organization. Do not abbreviate your organization name. IdenTrust Inc.
Department Name Section of the organization. Marketing
Server Hostname The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL,, then your CSR's Server Hostname must be www.identrust. com
Server Administrator's Email Address Your email address [email protected]


7. Do not enter extra attributes at the prompt.
Warning: Leave the challenge password blank.

8. View the details of the CSR via the command:
$ openssl req -noout -text -in server.csr

9. Send the entire certificate request to IdenTrust, including ----BEGIN CERTIFICATE


Key Pair Backup
  1. Backup this “server.key” file and remember the passphrase you had to enter at a secure location.
  2. View the details of the RSA private key via the command: $ openssl rsa -noout -text -in server.key