tableflip / how-to

:question: How to TABLEFLIP and other stories

How to create and read a csr (Certificate Signing Request) #3

Open olizilla opened 9 years ago

olizilla commented 9 years ago

Read info in a .csr file

openssl req -text -noout -in example.com.csr

Create a new .csr

openssl req -newkey rsa:2048 -sha256 -nodes -keyout example.com.key -out example.com.csr

You'll be prompted for company info. Make sure it's correct else the CA will complain some time later and your key will be delayed. Set the value to . for items you don't wish to provide.

Pick your country code wisely: GB is the 2 letter code for us, apparently, not UK https://www.digicert.com/ssl-certificate-country-codes.htm

Set the Common Name to be the domain you are securing. For wildcards you need to specify the subdomain as a * like: *.example.com

See: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority

You may need to tweak rsa:2048 -sha256 depending on what your SSL provider supports. sha256 aka sha2 supersedes sha1. All new keys should be at least sha256.

olizilla commented 9 years ago

For example:

$ openssl req -newkey rsa:2048 -sha256 -nodes -keyout tableflip.io.key -out tableflip.io.csr 
Generating a 2048 bit RSA private key
......+++
..............................................................................................................................................................................+++
writing new private key to 'tableflip.io.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TABLEFLIP Limited
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:*.tableflip.io
Email Address []:hello@tableflip.io

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

olizilla commented 9 years ago

On gandi, choose Apache/ModSSL as the Software Used http://wiki.gandi.net/en/ssl/faq#what_software_do_i_select_when_validating_my_ssl_certificate

When you get the crt file, you need to append the gandi intermediate pem to the end of it:

cat GandiStandardSSLCA.pem >> cert-domain.tld.crt

and then configure nginx:

server {
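    # "listen ... ssl" enables TLS on this socket; the separate "ssl on;"
    # directive is obsolete since nginx 1.15.0 and was removed in 1.25.1
    listen 443 ssl;
    server_name "domain.tld";
    root /var/www/your_website_root;

    # certificate file: the site certificate first, then the appended intermediate
    ssl_certificate     /etc/nginx/certificates/cert-domain.tld.crt;
    # private key that was generated alongside the CSR
    ssl_certificate_key /etc/nginx/certificates/domain.tld.key;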
}
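
Added example, not part of the original comments: shell functions that check the files from this thread before they are used, namely that the CSR's self-signature verifies, that the private key matches the CSR (or the issued certificate), and that the Common Name is the one intended. The function names are made up for this example; file names and the expected CN are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): checks on a key, its CSR and the
# issued certificate. Function names are hypothetical helpers.

# Print the public key (PEM) held in a private key, CSR or certificate.
# For a .crt with the intermediate appended, openssl x509 reads only the
# first certificate in the file, so the site certificate has to come first.
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# True when both files carry the same public key.
# Usage: same_key key example.com.key csr example.com.csr
same_key() {
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the CSR's self-signature verifies. The printed message is
# matched; the exit status of "req -verify" is not relied on here.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the Common Name from the CSR subject.
# (Simple split; a CN containing an escaped comma is not handled.)
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Run all checks before sending the CSR to the CA.
# Usage: check_csr example.com.key example.com.csr '*.example.com'
check_csr() {
    csr_selfsig_ok "$2" || { echo "CSR self-signature invalid" >&2; return 1; }
    same_key key "$1" csr "$2" || { echo "key does not match CSR" >&2; return 1; }
    [ "$(csr_cn "$2")" = "$3" ] || { echo "unexpected Common Name" >&2; return 1; }
}
```

Once the CA returns the certificate, `same_key key domain.tld.key crt cert-domain.tld.crt` confirms the pair before nginx is reloaded.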

alanshaw commented 6 years ago

If you receive this error message, you're using the wrong browser. Use Chrome, not Firefox:

[screenshot: screen shot 2018-01-16 at 09 23 18]