CSR Generation Instruction - Raven SSL CTL Interface
An Important Note Before You Start
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access your private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, make a backup of the private key file and make a note of the passphrase used to protect it. Keep that backup off the web server, readable only by the administrator who owns it.
The RavenCTL Management Interface
The following procedure shows how to generate a key file and a CSR (certificate signing request) for your SSL server.
Generate the Private Key
Name of the file to store certificate/key?
[server.domain.com] --> www.domain.com
At the prompt above, enter the name of the file in which you wish to store the certificate and key. This is typically the Common Name of the server, i.e. the ServerName configured in Apache.
The key file name you have chosen is www.domain.com.key .
The certificate file name will be www.domain.com.cert .
Press [ENTER] to continue:
The prompt above confirms the file names you have chosen for this certificate and key. The files will be stored in /usr/local/raven/module/pki/keys and /usr/local/raven/module/pki/certs respectively.
Choose the size of your key. Smaller keys give faster server response but weaker security.
Keys of fewer than 512 bits are easily cracked. For high-security applications you will want a key of at least 1024 bits. Note that this interface caps the key at 1024 bits, which is below the 2048-bit minimum that public certificate authorities require today; 512-bit RSA moduli have been factored publicly. If you need a certificate from a public CA, generate the key with the openssl command line at 2048 bits or more rather than with this prompt.
Number of bits in key (512 minimum, 1024 maximum)? [1024] --> 512
Deciding how strong the key pair should be
At the prompt above, enter the number of bits that you want your key to contain. More bits make the key harder to crack but add server overhead for every handshake; fewer bits mean less overhead but a key that is easier to crack. Enter values divisible by 128, i.e. 512, 640, 768, 896 or 1024. The transcript above accepts 512 bits only to keep the example short; never choose the minimum for a production key.
Generating random data, using the truerand library developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T. This may take some time.
Generating 1024 bits of randomness: ...............................
Generating 1024 random bits based on measuring the time interval between your keystrokes. Please enter random text on your keyboard.
1024 <- remaining
The key generation process provides an internal random entropy generator. It creates twice as many random bits as the key size you have chosen. After the internal random data generator completes, you will be prompted to type keystrokes to build a second entropy pool from the timing between them. This helps ensure that your key is difficult to predict and therefore difficult to crack.
Generating the key. This will take some time. Be patient. The passphrase you enter here is very important. Do not lose it.
192 semi-random bytes loaded
Generating RSA private key, 512 bit long modulus
..........+++++
...+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Entering a Passphrase for the encryption of the private key
After the key is created, you will be prompted to enter a passphrase that is used to encrypt the key as it is stored on disk. Keeping the key encrypted on disk is not required, and it makes automated startup harder, since an encrypted key requires the passphrase to be typed each time the server starts. If you leave the key unencrypted, restrict the file to the user Apache starts as (normally root, mode 0600), because anyone who can read the key file can impersonate the server.
You should make a note of the passphrase at this point. If you forget it, you will not be able to access your private key, the certificate that corresponds to that key will be effectively useless, and you will have to buy a new one.
Backing up the Private Key
You should also make a backup of your private key. If you lose your private key you will not be able to use your certificate and you will have to buy a new one. Read our tough Key Loss Policy.
I'll say it again -- Backup your Private Key!
Generate the CSR and temporary self-signed certificate
Self-signing certificate for temporary internal use.
Using configuration from /usr/local/raven/module/pki/lib/certtool.conf
Enter PEM pass phrase:
Enter the pass phrase that you have chosen for this certificate in the generation process above.
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
Enter the two-letter ISO 3166 country code of the company represented by this certificate.
State or Province Name (full name) [Some-State]:
Enter the state or province, spelled out in full, of the company represented by this certificate.
Locality Name (eg, city) [Some-City]:
Enter the city of the company represented by this certificate.
Organization Name (eg, company) [Some-Company/Organization]:
Enter the legal name of the company represented by this certificate.
Organizational Unit Name (eg, section) [Secure Services Division]:
Enter the division of the company represented by this certificate.
Common Name (eg, server name) [www.servername.com]:
Enter the Apache ServerName represented by this certificate. It must match exactly the host name that browsers will use to reach the server, or they will warn that the certificate does not match. Note that current browsers check the host name against the subjectAltName extension rather than the Common Name; this interface does not prompt for subjectAltName, so a CSR produced here will need the CA to add it or will need to be generated with openssl directly.
Email Address [webmaster@servername.com]:
Enter the contact email address of the person representing this company.
Key and certificate have been successfully installed.
Thanks for choosing Raven. Press [ENTER] to continue:
You will then submit your CSR through the Thawte online form.
Start the certificate request process
To submit the CSR to WoSign for processing, start the certificate enrollment process. Before submitting, check that the CSR verifies and that its modulus matches the private key you backed up; a CSR that does not match the key on disk will produce a certificate you cannot use.
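The same procedure carried out with the openssl command line instead of the RavenCTL prompts, as an added example that is not part of the original page or of the Raven product. It generates a 2048-bit RSA key encrypted under a passphrase, restricts its permissions, writes a CSR carrying the DN fields from the prompts above plus a subjectAltName, takes a backup of the key with a recorded digest, and then performs the checks a practitioner wants before submitting: the key size, the Common Name, the presence of the SAN, the CSR self-signature, that key and CSR share a modulus, that the backup is intact, and that the key really is unusable without its passphrase. The host name www.domain.com, the DN values, the passphrase, and the working and backup directories are placeholders; openssl 1.1.1 or later is assumed on PATH (the -addext option needs it).

```shell
#!/bin/sh
# Added example: key, CSR and pre-submission checks with openssl, not the Raven tool.
# Assumptions: openssl >= 1.1.1 on PATH; every path, name and the passphrase below
# is a placeholder (set KEY_PASS and WORKDIR in the environment for real use).
set -eu

HOST="www.domain.com"                        # hypothetical server name, as on the page
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # where the key and CSR are written
BACKUPDIR="$WORKDIR/backup"                  # assumed location of the offline key copy
PASS="${KEY_PASS:-replace-this-passphrase}"  # PEM passphrase protecting the key on disk
KEY="$WORKDIR/$HOST.key"
CSR="$WORKDIR/$HOST.csr"

gen_key() {
  # 2048-bit RSA (the RavenCTL prompt stops at 1024, which public CAs no longer accept),
  # AES-256 encrypted under the passphrase and readable only by its owner.
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"
}

gen_csr() {
  # Same DN fields the interactive prompts ask for; the host name also goes into
  # subjectAltName, which current browsers check instead of the Common Name.
  openssl req -new -key "$KEY" -passin "pass:$PASS" -out "$CSR" \
    -subj "/C=US/ST=Some-State/L=Some-City/O=Some-Company/OU=Secure Services Division/CN=$HOST/emailAddress=webmaster@$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

backup_key() {
  # Copy the still-encrypted key and record its SHA-256 so the copy can be checked later.
  mkdir -p "$BACKUPDIR"
  cp -p "$KEY" "$BACKUPDIR/"
  (cd "$BACKUPDIR" && openssl dgst -sha256 "$HOST.key") > "$BACKUPDIR/$HOST.key.sha256"
}

key_bits() {
  # Prints the RSA modulus size of the key on disk, e.g. 2048.
  openssl rsa -in "$KEY" -passin "pass:$PASS" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

csr_cn() {
  # Prints the Common Name recorded in the CSR.
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

csr_has_san() {
  # Succeeds if the CSR carries DNS:$HOST in its subjectAltName request extension.
  openssl req -in "$CSR" -noout -text | grep -q "DNS:$HOST"
}

csr_verify() {
  # Succeeds if the CSR's self-signature checks out under the public key inside it.
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

key_matches_csr() {
  # Succeeds if the key on disk is the one the CSR was built from (identical modulus).
  k=$(openssl rsa -in "$KEY" -passin "pass:$PASS" -noout -modulus 2>/dev/null)
  c=$(openssl req -in "$CSR" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

backup_ok() {
  # Succeeds if the backup copy still hashes to the digest recorded beside it.
  (cd "$BACKUPDIR" && openssl dgst -sha256 "$HOST.key" | diff -q - "$HOST.key.sha256" >/dev/null)
}

wrong_pass_fails() {
  # Succeeds if the encrypted key cannot be opened with a wrong passphrase: this is
  # the failure the page warns about when the passphrase is lost.
  ! openssl rsa -in "$KEY" -passin "pass:not-the-passphrase" -noout 2>/dev/null
}

gen_key
gen_csr
backup_key
echo "key: $KEY ($(key_bits) bits), csr: $CSR for CN=$(csr_cn), backup in $BACKUPDIR"
```

The CSR file is what gets pasted into the CA's enrollment form; the key file and its backup never leave the machine. Running the checks after generation, rather than after the certificate arrives, catches a mismatched or corrupted key while a fresh CSR is still cheap to produce.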