CSR-Stronghold Server

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.

The CSR needs to contain the following attributes:

- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.

Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.

VeriSign recommends that you contact the Stronghold vendor for additional information.

Generate a Key Pair

Stronghold keys and certificates are managed through three scripts: genkey, getca and genreq. These are part of the normal Stronghold distribution. Keys and certificates are stored in the directory $SSLTOP/private/, where SSLTOP is typically /usr/local/ssl. To generate a key pair and CSR for your server:

1. Run genkey, specifying the name of the host or virtual host: genkey hostname. The genkey script displays the filenames and locations of the key file and CSR file it will generate:

Key file: /usr/local/www/sslhostname.key
CSR file: /usr/local/www/sslhostname.cert

Note: If you already have a key for your server, run genreq [servername] to generate only the CSR.
2. Press Enter. The genkey script reminds you to be sure you are not overwriting an existing key pair and certificate.
3. When prompted, enter a key size in bits. We recommend using the largest key size available: 1024 bits.
4. When prompted, enter random keystrokes. Stop when the counter reaches zero and genkey beeps. This random data is used to create a unique public and private key pair.
5. When prompted, enter y to create the key pair and CSR.
6. Select VeriSign as your CA.
7. Enter all of the information requested and press Enter. Back up your key file and CSR on a floppy disk and store the disk in a secure location. If you lose your private key or forget the password, you will not be able to install your Secure Server ID and will need to request and purchase a new one from VeriSign.
8. You have just created a key pair and a CSR. To copy and paste the information into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
9. Go to Enrollment.

Note: For Extended Validation certificates the key bit length must be 2048.
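The same attribute list and key/CSR pairing, as an added example that uses the generic openssl command line instead of Stronghold's genkey/genreq scripts (this is not code from the page or from the Stronghold distribution). It assumes the openssl CLI is installed; the subject values are constructed samples and the 2048-bit key length is the example's own choice. The last function checks the point the page stresses: a CSR is only useful with the private key it was generated from.

```shell
#!/bin/sh
# Added example (not Stronghold's genkey/genreq): build a CSR carrying the
# attributes listed above, then confirm the CSR really belongs to the key.
# Assumes the openssl CLI is available. Subject values are constructed samples.
set -eu

# make_csr KEYFILE CSRFILE
# Generates a 2048-bit RSA private key and a CSR with C/ST/L/O/OU/CN.
# The "&" in the company name is spelled out as "and", as the page requires.
make_csr() {
    key=$1; csr=$2
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=California/L=Berkeley/O=XY and Z Corporation/OU=IT/CN=www.company.com"
}

# csr_cn CSRFILE
# Prints the Common Name from the CSR so it can be checked against the
# exact host name the certificate will be used on (see the VeriSign note).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_csr KEYFILE CSRFILE
# Exit 0 only when the public key derived from KEYFILE is identical to the
# public key embedded in the CSR. A mismatch is exactly the failure the page
# warns about: a key lost or regenerated after enrollment no longer matches.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl req -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```

Run make_csr once, keep the key file backed up as the page instructs, and use key_matches_csr before installing a certificate if there is any doubt that the key on disk is the one the CSR was made from.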