Account Services on the Web
Page Help
What is a Certificate Signing Request?
A Certificate Signing Request (CSR) is a message from an applicant (in this case, you) to a certificate authority (in this case, Comodo via InCommon via IT Services) applying for a digital certificate.
What does a Certificate Signing Request Look Like?
Usually CSRs are "PEM encoded", which means they look like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----
How do I generate a Certificate Signing Request?
Option 1: Let us do the work
The simplest way is to check the 'Have ASW make a CSR (and matching Key) for you' box and ASW will do the work for you. A KEY will be generated and displayed (you need to save this key as we do not keep a copy of it) and a matching CSR will be generated and submitted.
Option 2: Do it yourself
Before creating a CSR, you must have (or create) a public/private key pair: (example fully.qualified.domain.name: www.mydept.iastate.edu)
(Note that 2048 is the minimum acceptable key length)
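One way to carry out Option 2 with the openssl package, given here as an added example rather than commands from the original page: it creates a 2048-bit key and a CSR carrying the subject fields this page requires, then checks the key size and that the CSR matches the key before you upload it. The function names and the department value are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are assumptions.

# make_csr FQDN "Department Name": writes FQDN.key and FQDN.csr in the
# current directory. Subject values other than CN and OU are the fixed ones
# from this page's table.
make_csr() {
    fqdn=$1
    dept=$2
    # Create the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$fqdn.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -sha256 -key "$fqdn.key" -out "$fqdn.csr" -subj \
"/C=US/ST=Iowa/L=Ames/O=Iowa State University of Science and Technology/OU=$dept/CN=$fqdn"
}

# csr_subject CSR: prints the subject on one line, CN first (RFC 2253 order).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=[[:space:]]*//'
}

# csr_key_bits CSR: prints the public key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_matches_key CSR KEY: succeeds only if the CSR was made from KEY.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY: enforces the 2048-bit minimum and the key/CSR match.
check_csr() {
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-?} bits" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key" >&2; return 1; }
    echo "OK: $(csr_subject "$1") ($bits bit)"
}

# Usage (the department name is a placeholder):
#   make_csr www.mydept.iastate.edu "Full Name of Your Department"
#   check_csr www.mydept.iastate.edu.csr www.mydept.iastate.edu.key
```

Keep the .key file on the server and upload only the .csr file.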
Then Upload or Drag-n-Drop the CSR File or Cut-n-Paste its contents.
When your request is processed you will receive your certificate, which looks similar to the CSR. You save it as a file on your webserver (typical name: fully.qualified.domain.name.crt) and it is also pointed to by your webserver configuration.
You will also receive a link to a set of "intermediate certificates" that you will likely need to save in a file and include a pointer to in your configuration. (The examples above use the openssl package; other software systems are likely similar.)
What Should I Include in the Certificate Signing Request?
Your CSR needs to contain the following items:
Item | Long Name | Required Value |
---|---|---|
CN | Common Name | full.hostname.iastate.edu (or may appear as below if non-EV) full.hostname.iastate.edu/emailAddress=netid@iastate.edu |
O | Organization | Iowa State University of Science and Technology |
OU | Organizational Unit | Full Name of Your Department |
L | Locality | Ames |
ST | State | Iowa |
C | Country | US |
How Do I Use my Certificate and Key?
A full treatment of this topic is beyond the scope of this help, but you will definitely need to refer to the Certificate and Key (and likely the intermediate certificates) in your webserver configuration. For example, in Apache:
<VirtualHost _default_:443>
SSLCertificateFile /some/path/fully.qualified.domain.name.crt
SSLCertificateKeyFile /some/path/fully.qualified.domain.name.key
SSLCACertificateFile /some/path/intermediate.certificates.crt
SSLEngine On
...
</VirtualHost>
While you are making configuration changes, it is an excellent time to ensure that you configure strong encryption. For example, in Apache:
<VirtualHost _default_:443>
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
...
</VirtualHost>