To generate a CSR, you first need to create a key pair for your server. The public and private keys form a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.

Step 1: Create a Keystore and Private Key

Please use JDK 1.3.1 or later:

If you are running a 1.3 JVM, download JSSE 1.0.2 (or later) from http://java.sun.com/products/jsse/. Either make it an installed extension on the system or set an environment variable JSSE_HOME that points to the directory where JSSE is installed.

1. Create a certificate keystore and private key by executing the following command:

Unix: $JAVA_HOME/bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename>
Note: For Extended Validation certificates the key bit length must be 2048; add -keysize 2048 to the command above.

This command will prompt for the following X.509 attributes of the certificate:

First and last name (Common Name (CN)): Enter the domain of your website (e.g. www.myside.org) in the “first and last name” field. It looks like “www.company.com” or “company.com”.

Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.

State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California

Locality or City (L): The Locality field is the city or town name, for example: Berkeley.

Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation.

Organizational Unit (OU): This field is optional, but it can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.

Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will produce a warning when used to access a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.

2. Specify a password. The default value will be “changeit”.

For further information, please refer to the Tomcat Web site.

Step 2: Generate a CSR

1. The CSR is then created using the following command:

keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>

2. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
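
The two steps above as a script, added here as an example and not part of the original instructions: it checks the X.509 fields against the guidance in Step 1 before passing them to keytool with -dname, so a malformed Common Name or Organization is caught before the CSR is submitted. The alias, keystore name, sample field values and the exact character rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Alias, keystore name and the
# sample DN values are placeholders; the character rules are this script's
# own reading of the field guidance above.

matches() { printf '%s' "$1" | LC_ALL=C grep -Eq "$2"; }
fail()    { echo "invalid $1" >&2; return 1; }

# build_dname CN O L ST C [OU]: print a keytool -dname string or return 1.
build_dname() {
    cn=$1; o=$2; l=$3; st=$4; c=$5; ou=${6:-}
    name='^[A-Za-z0-9][A-Za-z0-9 .-]*$'   # no &, @ or other shifted symbols
    # CN: the exact host name clients will use, no scheme or path
    matches "$cn" '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$' \
        || fail "CN: $cn" || return 1
    matches "$c" '^[A-Z]{2}$' || fail "C: $c" || return 1
    # State spelled out: two characters or fewer is treated as an abbreviation
    matches "$st" '^[A-Za-z][A-Za-z .-]{2,}$' || fail "ST: $st" || return 1
    matches "$l" "$name" || fail "L: $l" || return 1
    matches "$o" "$name" || fail "O: $o" || return 1
    dn="CN=$cn"
    if [ -n "$ou" ]; then
        matches "$ou" "$name" || fail "OU: $ou" || return 1
        dn="$dn, OU=$ou"
    fi
    printf '%s\n' "$dn, O=$o, L=$l, ST=$st, C=$c"
}

# make_csr ALIAS KEYSTORE DNAME: Step 1 then Step 2; keytool prompts for passwords.
make_csr() {
    kt="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"
    "$kt" -genkey -alias "$1" -keyalg RSA -keysize 2048 -keystore "$2" -dname "$3" &&
    "$kt" -certreq -keyalg RSA -alias "$1" -file certreq.csr -keystore "$2"
}

# Usage: sh make-csr.sh ALIAS KEYSTORE   (does nothing when run without arguments)
if [ "$#" -ge 2 ]; then
    dn=$(build_dname www.myside.org "XYZ Corporation" Berkeley California US) &&
        make_csr "$1" "$2" "$dn"
fi
```

Because no password option is passed, keytool still prompts for the keystore password as described in Step 1, which keeps it out of the shell history and the process list.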