Create a certificate signing request (CSR)
In order to have an SSL certificate issued, the first step is to create a so-called CSR. CSR stands for "Certificate Signing Request" and represents a digital request for the issuance of an SSL certificate.
Order SSL certificate via Nine
If you order an SSL certificate directly through Nine for one of our managed products, the creation of a CSR is not required.
Creating a CSR is only required if you wish to obtain an SSL certificate for root products or through a third party.
Where should the CSR be created?
The CSR (and private key) can be generated on your web server. This also ensures that the private key does not leave the secure environment of the server.
Preparation
To create the CSR, we use OpenSSL in this description. If the program is not available on your root environment, it must be installed first. On managed environments, the program is part of the basic configuration.
The following description uses default directories of our managed environments. Please adapt them for root environments according to your needs.
- Create the directory. This path cannot be reached directly via a web server, which prevents the "private key" from accidentally becoming public:
mkdir -p ~/.ssl/
cd ~/.ssl/
- Create an OpenSSL config:
cat <<'EOT' >> openssl.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[ v3_req ]
subjectAltName = ${ENV::SAN}
# keyUsage = keyEncipherment, dataEncipherment
# extendedKeyUsage = serverAuth
EOT
Creation of the CSR
The following command is used to create both the CSR and the associated "private key" for the domain example.ch.
SAN=DNS:example.ch,DNS:www.example.ch openssl req -new -subj "/C=CH/ST=Zuerich/L=Zuerich/O=Example AG/CN=example.ch/" -sha256 -newkey rsa:4096 -nodes -keyout SSL_example.ch.key -out SSL_example.ch.csr -config openssl.conf
The use of umlauts, special characters (e.g. accents in French) and abbreviations should be avoided at all costs.
Country Name
2-letter country code according to ISO 3166 (CH = Switzerland)
State or Province Name
The canton/province where the person or company for which the CSR is created is registered
Organization Name
Your company or association name here. If the certificate is to be issued to a natural person, enter the full name of the person.
Common Name
Specify the domain name to be protected by the certificate (or *.example.ch for wildcard certificates).
Standard certificates usually automatically include the subdomain "www". However, this does not apply to multi-domain certificates. If you want to obtain your certificate via a third-party provider, please clarify the exact conditions with the provider in advance.
Wildcard certificates cover a single subdomain level.
For example, *.example.ch includes www.example.ch and staging.example.ch, but not www.staging.example.ch. www.staging.example.ch would be covered by a wildcard certificate for *.staging.example.ch.
The SSL certificate can later only be used for the domain specified here.
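Before the CSR created above is sent to a certificate authority, it is worth checking that its signature verifies, that it belongs to the private key, that the key file is not readable by other users, and that every expected name is in the subjectAltName. The following script is an added example and not part of the original instructions; the function names (check_csr and its helpers) are made up for illustration, and the demo at the end runs on a throwaway CSR generated in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR and its private key.

# The CSR's self-signature verifies (output text differs by OpenSSL version).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# The public key inside the CSR is the one derived from the private key.
key_matches_csr() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# The key file grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One subjectAltName entry per line, e.g. "DNS:example.ch".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# check_csr <csr> <key> <dns-name>... ; returns non-zero on the first failed check.
check_csr() {
    csr=$1; key=$2; shift 2
    csr_signature_ok "$csr" || { echo "FAIL: CSR signature does not verify"; return 1; }
    key_matches_csr "$csr" "$key" || { echo "FAIL: key does not match CSR"; return 1; }
    key_is_private "$key" || { echo "FAIL: key is readable by group or others"; return 1; }
    for name in "$@"; do
        csr_sans "$csr" | grep -qxF "DNS:$name" || { echo "FAIL: SAN missing: $name"; return 1; }
    done
    echo "OK: $csr"
}

# Demo on a throwaway CSR (constructed input; rsa:2048 only to keep the demo quick).
demo_dir=$(mktemp -d)
(
    cd "$demo_dir" && umask 077
    printf '%s\n' '[req]' 'distinguished_name = req_distinguished_name' 'req_extensions = v3_req' \
        '[req_distinguished_name]' '[v3_req]' 'subjectAltName = ${ENV::SAN}' > openssl.conf
    SAN=DNS:example.ch,DNS:www.example.ch openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/C=CH/ST=Zuerich/L=Zuerich/O=Example AG/CN=example.ch/" \
        -keyout SSL_example.ch.key -out SSL_example.ch.csr -config openssl.conf 2>/dev/null
)
check_csr "$demo_dir/SSL_example.ch.csr" "$demo_dir/SSL_example.ch.key" example.ch www.example.ch
```

For a real request, call check_csr with the files in ~/.ssl/ and the names passed in SAN, for example: check_csr SSL_example.ch.csr SSL_example.ch.key example.ch www.example.ch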