Parliament Hill Computers LtdParliament Hill Computers Ltd

Generate a CSR


Certificate Signing Requests

These will be generated in the directory CertificateSigningRequests/

You first need to have created a SSL configuration, eg my-website.cnf

Note the earlier comment about needing a capable shell: use ksh or bash

Create the request

Use su to become the user rsa

Run CreateSigningRequests, eg:

      $ sh bin/CreateSigningRequests my-website
      

If you wish you can look at the request:

      $ openssl req -noout -text -in CertificateSigningRequests/my-website.csr
      

Test the request

What you are really testing is that Apache is correctly configured so that Let's Encrypt can ascertain that it should sign the request.

Run CheckSiteAccess, eg:

      $ sh bin/CheckSiteAccess my-website
      

If this does not work — fix your Apache configuration. Did you restart Apache ?

Get Let's Encrypt to process the Signing Request

It should work since you just tested that the location /.well-known/acme-challenge/ is visible

Use su to become the user acme

Run GetSignedCertificate, eg:

      $ sh bin/GetSignedCertificate my-website
      

If you wish you can look at the certificate:

      $ openssl x509 -in SignedCertificates/my-website.crt -text -noout
      

Two important fields are the dates, you don't want to use an expired certificate:

      $ openssl x509 -in SignedCertificates/my-website.crt -text -noout | grep 'Not '
      

Also check the sites that it is valid for::

      $ openssl x509 -in SignedCertificates/my-website.crt -text -noout | sed -e '/DNS/!d' -e 's/, DNS:/\n/g' -e 's/^ \+DNS://'
      

This gives nice output:

      $ nmap --script ssl-cert -p 443 www.example.com
      


Next page: Second edit of Apache configuration to install certificates

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.