Last Updated: September 29, 2021
·
7.58K
· timfernihough

How to generate a CSR and install an SSL certificate from command line

In most of my experiences, I've always had the luxury of using Plesk, CPanel or some other GUI utility to generate a CSR on a server upon which I want to install an SSL certificate.

Today, I was tasked with renewing an SSL certificate for a client where the server has no GUI layer to administer it. A past team member had obviously done this before to install the original SSL certificate, but I couldn't find the steps they did in the command line history so I had to essentially start from scratch. I ended up using Apache + OpenSSL to generate the CSR.

Depending on how your server is setup, a good place to consider storing the SSL files will be in:

/etc/apache2/ssl/{name of your domain or client}/

Create the directory if necessary and navigate here.

Assuming you have OpenSSL installed on the server, you can the following command to generate a CSR and private key. Of course, replace "server" with the name of your server (such as www.domain.com). I don't recommend generating anything with less security, but you can in theory change the 2048 to a different encryption level if you desire.

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

This will then ask you to fill in the typical fields you fill out when provisioning a CSR through a GUI interface (country code, state, locality, organization, organizational unit, common name and email). You can skip the additional optional fields such as challenge phrase, etc.

At this point, the server.key and server.csr will have been generated in the current directory.

Take the contents of the .csr file and go to your favourite certificate provider. My preference is Geotrust but you can go anywhere. Once you've received your primary certificate and your chain or intermediate certificate (also known as a CA certificate), it's time to create 2 new files in the same directory.

vi domain.com.crt  //  of course, change the name to reflect the same pattern as listed above in the command where you generated the csr and private key files

In here, paste the contents of the primary certificate.

vi geotrust.crt  //  of course, change the name semantically if you elected to go with another provider.

In here, paste the contents of your chain certificate.

Finally, you need to tell Apache to use these certificate files for the domain in question. Again, depending on how your server is setup, locate the conf file that contains the virtual host configuration for your domain and open it in an editor. If using Apache 2, it might be in

/etc/apache2/sites-available/

Once opened, find the virtual host container for port 443 and ensure the following directives are set (or updated, if you are renewing to use a new certificate)

SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/server.crt   //  name is the same as what you generated it above.
SSLCertificateKeyFile /etc/apache2/ssl/server.key //  name is the same as what you generated it above.
SSLCACertificateFile /etc/apache2/ssl/geotrust.crt  //  name changes if you changed it as per above.

Restart Apache and your new certificate should be in place.

service apache2 restart

This example is meant to represent guidance on a simple case and may not be perfect depending on your specific scenario. Thanks to http://www.digicert.com/csr-creation-apache.htm for providing the first half of my solution.