How to manually create a CSR (certificate signing request) from an IT Advisor server

DCO and ITA servers are installed with a self-assigned SSL certificate.

To add your own SSL certificate, see Changing the SSL certificate on the ITA server. To complete that process, you must:

• Create a certificate signing request (CSR) and a private key for the ITA server
• Submit the CSR to a certificate authority (CA) to be signed
• Add the signed certificate and private key to the ITA/DCO server

Create a certificate signing request (CSR) and a private key for the ITA server

While most IT staffs have tools to create a CSR for a DCO/ITA server, it is possible to manually create the CSR from the DCO/ITA server operating system.

1. Log on to the DCO/ITA server via SSH or from the server’s console.

2. Use sudo to become the root user. Type:

   sudo /bin/bash

3. Change to root’s login folder, typically /root. Type:

   cd

4. Create a ssl configuration file.

   This is a temporary file that will be used to define the “subject alternate name” portion of the CSR request. The subject alternate name section is important, especially if your DCO/ITA server hostname can be resolved as several hostnames.

   Use a tool like vi to create a file called ssl.conf and paste the following lines into the file. You will not normally need to change any of the below text except for the last line.

   [ req ]
   default_bits = 2048
   distinguished_name = req_distinguished_name
   req_extensions = req_ext
   [ req_distinguished_name ]
   countryName = Country Name (2 letter code)
   stateOrProvinceName = State or Province Name (full name)
   localityName = Locality Name (eg, city)
   organizationName = Organization Name (eg, company)
   commonName = Common Name (e.g. server FQDN or YOUR name)
   [ req_ext ]
   subjectAltName = @Anonymous user_names
   [alt_names]
   DNS.1 = <DNS name 1>

   Use the bottom line to specify Subject Alternate Name information for the certificate.

   You can customize the “DNS.x = <DNS name>” entries where the “x” represents the entry number and the “<DNS name>” portion represents other hostnames that this certificate will also satisfy.

   If your ITA server resolves with multiple hostnames, you create a line for each one. If you have three entries, for example, it might look like this:

   DNS.1 = itahost1.mydomain.com
   DNS.2 = itahostprod.mydomain.com
   DNS.3 = itaprod.mydomain.com

5. Save the changes to the file.

6. Use the “openssl” command to create the CSR and private key files. This command will create two files in your current directory. One will be called myCSR.csr which contains the certificate signing request. The second file will be called myPrivateKey.key which is the private key file for the DCO/ITA server.

   openssl req -sha256 -out myCSR.csr -new -newkey rsa:2048 -nodes -keyout myPrivateKey.key -config ssl.conf

   The openssl command will ask you several questions including your country code, state, and other
   information. This information is included in the CSR request

Submit the CSR to a certificate authority (CA) to be signed

Download and forward the myCSR.csr file to your certificate authority so it can be signed. You can also download the myPrivateKey.key file; it will be uploaded later to Webmin along with the
signed certificate file.

The signed certificate you receive must be in the Apache 2.x/PEM format to upload to DCO/ITA. 

Add the signed certificate and private key to the ITA/DCO server

You should have a *.crt signed certificate. The myPrivateKey.key file you created earlier is the *.key file you will upload to the DCO/ITA server via Webmin.

Follow the instructions in Changing the SSL certificate on the ITA server

Last updated July 30, 2020