ORDERING OF A SERVER CERTIFICATE - CREATION OF A PRIVATE KEY

This page instructs you on how to create a private key on your Linux server before ordering a Telia server certificate. If you wish to use an Elliptic Curve Cryptography key, the key must be created in a separate step from the CSR file.

The key must be placed on your server; otherwise your server certificate will not work. It is also prudent to make a backup copy of the key. Telia does not have a copy of your key, and without the private key a server certificate is useless.

LINUX AND OPENSSL

OPTION 1 CREATION OF AN RSA KEY

  • Create an RSA private key and a CSR file with a single command in one of these ways:
    • Interactive mode: openssl req -new -utf8 -newkey rsa:2048 -nodes
    • Subject information included mode: openssl req -nodes -newkey rsa:2048 -keyout example.key -subj "/C=FI/L=Helsinki/O=Telia Finland Oyj/CN=test1.telia.fi"
  • These commands create a private key and a CSR file simultaneously. More detailed CSR file creation instructions are found on the Apache support page.
  • If you wish to create only a private key without a CSR, use this command for a 2048-bit RSA key creation:
    openssl genrsa -out private-key.pem 2048
  • The private key will be created as the file private-key.pem
  • Other RSA key lengths are supported, up to a maximum of 16384 bits
  • RSA keys with less than 2048 bits are not allowed in publicly trusted certificates
  • The bit length of a certificate key must be divisible by eight

OPTION 2 CREATION OF AN ELLIPTIC CURVE CRYPTOGRAPHY KEY

  • If you wish to use modern Elliptic Curve Cryptography in your private key, use one of these commands to create your private key:
    openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
    openssl ecparam -name secp384r1 -genkey -noout -out private-key.pem
  • In both cases the ECC key will be created as the file private-key.pem
  • The only difference between the two commands is the curve used
  • There are other elliptic curves in addition to these, but they are not allowed for use in publicly trusted certificates.
  • Help for creating a CSR file is found on the Apache support page
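The following script is an added example, not Telia's own code: it wraps the genrsa and ecparam commands from Option 1 and Option 2 so the key file is created readable only by its owner, and then checks a key against the constraints stated above (RSA 2048 to 16384 bits, divisible by eight; ECC only on prime256v1 or secp384r1) before it is used for a CSR. It assumes openssl on the PATH and a POSIX shell; the function names are my own.

```shell
#!/bin/sh
# Added example (not Telia's code): generate a key with the page's commands and
# verify it meets the page's constraints before creating a CSR from it.
# Assumes openssl on PATH and a POSIX shell; function names are my own.
set -eu

# Create an RSA key of $2 bits in $1. The umask runs in a subshell so the key
# file is created mode 0600 without changing the caller's umask.
gen_rsa_key() {
    (umask 077; openssl genrsa -out "$1" "$2" 2>/dev/null)
}

# Create an ECC key on curve $2 in $1, again readable only by the owner.
gen_ec_key() {
    (umask 077; openssl ecparam -name "$2" -genkey -noout -out "$1")
}

# Check the key in $1. Prints "ok rsa <bits>" or "ok ec <curve>" and returns 0,
# or prints the reason the key is unsuitable and returns 1.
check_key() {
    info=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo "unreadable key"; return 1; }
    # Group and other permission bits from ls -l; anything but "------" exposes the key.
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable by group/others ($perms)"; return 1; }
    bits=$(printf '%s\n' "$info" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    curve=$(printf '%s\n' "$info" | sed -n 's/^ASN1 OID: //p')
    if [ -n "$curve" ]; then
        # Only the two curves the page names are accepted for publicly trusted certificates.
        case "$curve" in
            prime256v1|secp384r1) echo "ok ec $curve"; return 0 ;;
            *) echo "curve $curve not allowed"; return 1 ;;
        esac
    fi
    # RSA: at least 2048 bits, at most 16384 bits, and a multiple of eight.
    [ -n "$bits" ] || { echo "unknown key type"; return 1; }
    [ "$bits" -ge 2048 ] || { echo "rsa $bits bits too short"; return 1; }
    [ "$bits" -le 16384 ] || { echo "rsa $bits bits exceeds maximum"; return 1; }
    [ $((bits % 8)) -eq 0 ] || { echo "rsa $bits bits not divisible by eight"; return 1; }
    echo "ok rsa $bits"
}

# Stand-alone run ("sh keycheck.sh demo"): create one key of each kind in a
# scratch directory and report on both.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_rsa_key "$dir/rsa.pem" 2048;      check_key "$dir/rsa.pem"
    gen_ec_key  "$dir/ec.pem"  secp384r1; check_key "$dir/ec.pem"
fi
```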
