
SSL Certificate Signing Request (CSR) Generation Guide - Roxen

An Important Note Before You Start

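Your private key is generated at the same time as the CSR file. If you lose the private key or forget its password, the certificate issued to you cannot be installed. You will then have to generate a new private key and CSR file and have a new certificate reissued free of charge. To avoid this, be sure to back up the private key file and remember the private key password after generating the CSR, and preferably do not touch the server again until you have received the certificate.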

By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

Roxen Challenger Key and CSR Generation

Versions 1.0, 1.1 and 1.1.1 of the Roxen Challenger web server use the free SSLeay library for secure web browsing. We also use the tools distributed with SSLeay for managing keys and certificates.

Instructions

First, you have to install SSLeay, version 0.6.4 or later, and make sure that the ssleay program is in your PATH. It is usually installed in /usr/local/ssl/bin.

You probably want to set your umask to 077, and perhaps also log in as root, to ensure that no one else can read any of the files created below.

To generate a new random RSA key pair, it is recommended that you first find some large, relatively random files. If you are lucky, your system has a random device, and you can create such a file (named randomness) with dd if=/dev/random of=randomness bs=500 count=1. If not, log files and current process status, compressed and encrypted with a random password, will do, depending on how paranoid you are. You should destroy these files when you are done.

Then type ssleay genrsa -rand randomness 1024 >my_key.rsa . This generates your private key, which must be kept secret. Note that we do not protect it with a password, as Roxen needs to read it, and there is usually no one there to type in the password each time you start it.

The next step is to create a Certificate Signing Request (CSR). First you will have to enter the components of your distinguished name (X.509). When you are asked about your Common Name, you should enter your domain name or a wild card, for example www.infovav.se or *.infovav.se. When you have all that information ready, type ssleay req -new -key my_key.rsa >my_csr.csr and fill in the information.

Of the resulting files, send my_csr.csr to Thawte, and keep your secret key my_key.rsa some place safe and secret.
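
The checks below are an added example, not part of the original guide or of Roxen or SSLeay: a shell audit of the working directory once the steps above are done, covering the umask 077 advice, the destroyed seed file, and whether the CSR really belongs to the key you backed up. The function names are hypothetical, and the key/CSR comparison assumes openssl (the successor to SSLeay) is installed.

```shell
#!/bin/sh
# Added example: audit the files left behind by the procedure above.
# my_key.rsa, my_csr.csr and randomness are the guide's file names; the
# function names are hypothetical, and openssl stands in for ssleay.

# True if $1 is a regular file with no group/other permission bits,
# which is what creating it under umask 077 gives you.
is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the CSR ($2) was made from the RSA private key ($1).
# Returns 2 if openssl is missing or either file cannot be parsed.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check the working directory $1; prints one line per problem and
# returns 1 if any problem was found.
audit_key_dir() {
    dir=$1
    rc=0
    if ! is_private "$dir/my_key.rsa"; then
        echo "FAIL: my_key.rsa is missing or readable by group/other"
        rc=1
    fi
    if [ ! -s "$dir/my_csr.csr" ]; then
        echo "FAIL: my_csr.csr is missing or empty"
        rc=1
    fi
    if [ -e "$dir/randomness" ]; then
        echo "FAIL: seed file 'randomness' has not been destroyed"
        rc=1
    fi
    return $rc
}
```

Call audit_key_dir with the directory where the files were created, then csr_matches_key my_key.rsa my_csr.csr before sending the CSR; a mismatch at this point means the issued certificate would not install against the key you kept.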

Test the CSR and Send It to WoSign: Start the Certificate Request Process

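After generating the CSR, we recommend that you test for yourself whether the generated CSR file is correct; please click here to test your CSR file. Then simply send the CSR file that passed the test to WoSign. Be sure not to touch your server again while you wait for the certificate to be issued.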

To submit the CSR to WoSign for processing you should start the certificate enrollment process.