Creating a CSR in FreeBSD

1st May, 2007

UPDATE Tuesday December 28, 2010 05:27 GMT+11: I have combined this post and its follow-up into one more coherent, useful post: Installing an Independently Verified SSL Certificate. This post is preserved in its original form for historical purposes. The original follow-up is: Installing a Signed SSL Certificate.

Although it’s such an obvious protection racket, when you’re accepting payments on the web, you just have to bite the bullet and pay for a signed certificate.

Fortunately, you don’t have to go with the really extremely expensive Thawte and Verisign to get good browser coverage. And let me just preface this article with this statement: there is ABSOLUTELY no security advantage in encrypting with a paid certificate. The only advantage is in the background check that the company does to verify that the person who created the certificate owns the domain, but in terms of the actual encryption, a self-signed certificate is perfectly adequate.

We recently set up a payment gateway for the Veterinary Practitioners Board and went with a self-signed certificate. We were okay with the standard browser warnings, but then we discovered that Norton Anti-Virus and other virus software were throwing up really ugly-looking warnings about the self-signed “Untrusted!” certificates.

We shopped around and found a cheaper certificate provider than Thawte or Verisign (because those guys are REALLY expensive). So now it’s time to create a CSR (Certificate Signing Request).

We already have the ‘requests’ we made for our self-signed certificates, but we can’t just re-use them because we made them ‘wild card’ certificates (that is, they work for any sub-domain of vpb.nsw.gov.au), but these cost more to get signed for some absurd reason. The mind boggles.

So I just typed:

openssl req -new 

onto my command line. It then prompted me for the password. I chose a really really strong password that I haven’t used before that combines upper case and lower case letters, numbers and symbols. It’s so unhackable.

I just followed the prompts to enter in all the company information for VPB. The most important thing here is the common name. In the prompt it says “eg. YOUR name”, which I don’t really understand at all, because what you’re required to put here is the domain for which you want the signing request. I entered in www.vpb.nsw.gov.au. This is what I was referring to earlier when I said we couldn’t re-use our wildcard certificate, which was created with *.vpb.nsw.gov.au as the common name. All the other stuff it asks for is pretty self-explanatory.

When I was done it spat out my certificate request, which I just copied into a file vpb-req.pem and then sent that file off to the certificate authority. It also created a key file, called privkey.pem, which I copied to vpb-key.pem and saved for later (because I’ll need to use it when I install my certificate).
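A scripted version of the steps above, as an added example that is not part of the original post: it creates the key and the request in one command, then checks the request's common name and that it belongs to the saved key before the file goes to the certificate authority. The function names, the 2048-bit RSA key and the unencrypted key (-nodes, so there is no passphrase prompt) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post.
# Assumptions: 2048-bit RSA, and -nodes (key left unencrypted) so that the
# script runs without a passphrase prompt.

make_csr() {            # make_csr <dir> <common-name>
    ( umask 077         # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/vpb-key.pem" -out "$1/vpb-req.pem" \
          -subj "/CN=$2" 2>/dev/null )
}

csr_cn() {              # print the common name stored in a CSR
    # Handles both "subject=/CN=host" and "subject=CN = host" output styles.
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

csr_matches_key() {     # true if the CSR carries the public half of the key
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

check_csr() {           # check_csr <csr> <key> <expected-common-name>
    cn=$(csr_cn "$1")
    case $cn in
        \**) echo "wildcard request: $cn" >&2; return 1 ;;
    esac
    [ "$cn" = "$3" ] || { echo "CN is '$cn', expected '$3'" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR and key differ" >&2; return 1; }
}

# Usage: sh make-csr.sh www.vpb.nsw.gov.au   (writes into the current directory)
if [ -n "${1:-}" ]; then
    make_csr . "$1" && check_csr vpb-req.pem vpb-key.pem "$1" && echo "CSR ok"
fi
```

Only vpb-req.pem is sent to the certificate authority; vpb-key.pem stays on the server.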

We’re getting ours registered through Chris Langlands at www.backend.com so I’m going to email the pem file off to him and I’ll write about how to install the certificate once I get the signed certificate back from him.

I’ve also written about how to install your signed certificate.
