SSL Certificate Signing Request
Ensure the openssl package is not vulnerable to the Heartbleed attack by checking the version of the openssl package. The following versions are not vulnerable:
OpenSSL 1.0.0 branch
OpenSSL 0.9.8 branch
Only openssl 1.0.1 through 1.0.1f are vulnerable to the Heartbleed attack. If the server has any version between 1.0.1 and 1.0.1f, openssl needs to be updated before generating the CSR/key. The version can be checked using the following command.
# rpm -qa |
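The version check described above, as an added example that is not part of the original page: a shell function that classifies an OpenSSL version against the range the page gives as vulnerable (1.0.1 through 1.0.1f). The function names and sample strings are assumptions made for this example, and only the upstream version string is compared.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# extract_version INPUT
#   Prints the upstream version token from one of three input shapes:
#     "OpenSSL 1.0.1e-fips 11 Feb 2013"   (an `openssl version` line)
#     "openssl-1.0.1e-16.el6.x86_64"      (an rpm name-version-release string)
#     "1.0.1e"                            (a bare version)
#   The sample strings above are constructed for illustration.
extract_version() {
    case "$1" in
        OpenSSL\ *) set -- $1; v=$2 ;;   # second word of the version line
        openssl-*)  v=${1#openssl-} ;;   # drop the package name
        *)          v=$1 ;;
    esac
    printf '%s\n' "${v%%-*}"             # drop "-fips", "-16.el6..." and similar
}

# heartbleed_status INPUT
#   Prints "vulnerable" for 1.0.1 through 1.0.1f (the range given on this page),
#   "not-vulnerable" for any other x.y.z version, "unknown" if unparseable.
heartbleed_status() {
    ver=$(extract_version "$1")
    case "$ver" in
        1.0.1|1.0.1[abcdef])  echo "vulnerable" ;;
        [0-9]*.[0-9]*.[0-9]*) echo "not-vulnerable" ;;
        *)                    echo "unknown" ;;
    esac
}

# Usage on a live system:
#   heartbleed_status "$(openssl version)"
#   heartbleed_status "$(rpm -q openssl)"
# A "vulnerable" result from a package string means "confirm against the
# package changelog": the release part is ignored here, and a vendor can ship
# a backported fix without changing the upstream version.
```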
# openssl genrsa -des3 -out server.key 1024
A pass phrase is needed.
Give a passphrase and keep it secret.
The generated private key looks as follows:
# cat server.key
RSA PRIVATE KEY-----
Certificate signing request
# openssl req -new -key server.key -out
Enter pass phrase for server.key: (the same passphrase that was given in point 1)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :
Email Address : (valid email ID to which the certificate is to be sent)
Please enter the following 'extra' attributes to be sent with your certificate request
An optional company name :
# ls -ltr server.*
root root 963 Jun 13 20:26 server.key
root root 664 Jun 13 20:35 server.csr
Then send server.csr to the certifying authority to obtain the SSL certificate.