daknetworks.com

Create Key, Generate & Install Certificate -ssl, csr, crt

How many times do I have to go through this? Because this can be confusing, I create 3 directories:
1.mkdir ssl.crt
2.mkdir ssl.key
3.mkdir ssl.pem

 

GENERATE KEY PAIR (key & csr)

This can be done a few ways. You can do this with PUTTY on a WINDOWS pc. You can do this with OPENSSL on a REDHAT server. Choose one. It doesn't matter. Below is for OPENSSL on the server.

 

1: cd ./ssl.key
2a (no Subject Alternative Name [SAN]): openssl req -nodes -newkey rsa:2048 -sha256 -reqexts v3_req -keyout www.regionalidx.com.key -out www.regionalidx.com.csr -subj "/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=www.regionalidx.com"
2b (Subject Alternative Name [SAN] ≤ openssl v1.1.0):
openssl req -nodes -newkey rsa:4096 -sha256 \
  -keyout regionalidx.com.key -out regionalidx.com.csr -reqexts SAN -extensions SAN -subj '/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=regionalidx.com' -config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:www.regionalidx.com,DNS:mail.regionalidx.com,DNS:server.regionalidx.com")
2c (Subject Alternative Name [SAN] ≥ openssl v1.1.1):
openssl req -nodes -newkey rsa:4096 -sha256 -reqexts v3_req \
  -keyout www.regionalidx.com.key -out www.regionalidx.com.csr -subj "/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=regionalidx.com" \
  -addext 'subjectAltName=DNS:www.regionalidx.com,DNS:mail.regionalidx.com,DNS:server.regionalidx.com'

NOTE: Please do not enter your email address, challenge password or an optional company name when generating the CSR.

You can test the CSR with the following (substitute the name of the CSR file you generated above):

openssl req -text -noout -verify -in regionalidx.com.csr
openssl req -text -noout -verify -in regionalidx.com.csr |grep DNS

 

REQUEST CERTIFICATE

Great! You have a key as well as a certificate request (csr).

 

1.log in to your account where you bought the certificate.
2.paste in your CSR.
3.submit the request.
4.check & double check to make sure the contact info is correct (you can't skimp here)

 

APPROVE REQUEST

 

1.the certificate provider (GEOTRUST, VERISIGN, etc.) should email the AUTHORITATIVE EMAIL (admin@yourdomain.com) as listed in the domain name WHOIS.
2.accept the request.

 

INSTALL CERTIFICATE

 

1.the certificate provider (GEOTRUST, VERISIGN, etc) should email you the certificate.
2.copy the certificate
3.change into the CRT directory
4.cd ../ssl.crt
5.paste it into the CRT file.
6.vi yourdomain-example.com.crt

 

They may also send you an INTERMEDIATE certificate. If needed, paste it into its own file.

 

1.vi geotrust.crt

 

TELL THE SERVER WHERE TO FIND IT

 

1.config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
2.config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
3.config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt
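
A check worth running before applying the changes, as an added example that is not part of the original post: it confirms that the certificate (or CSR) carries the same public key as the .key file and that the expected DNS names are in the SAN list. The function names and the check-cert.sh script name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names are passed as arguments.

# pubkey_hash FILE KIND: print the SHA-256 of the public key held in a
# private key (key), request (csr) or certificate (crt); fail if unreadable.
pubkey_hash() {
  local pub
  case "$2" in
    key) pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1 ;;
    csr) pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
    crt) pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)   return 2 ;;
  esac
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# files_match KEY FILE KIND: succeed only if FILE carries KEY's public key.
files_match() {
  local a b
  a=$(pubkey_hash "$1" key) || return 1
  b=$(pubkey_hash "$2" "$3") || return 1
  [ "$a" = "$b" ]
}

# missing_sans FILE KIND NAME...: print each NAME absent from the SAN list.
missing_sans() {
  local file=$1 kind=$2 text name
  shift 2
  case "$kind" in
    csr) text=$(openssl req -in "$file" -noout -text 2>/dev/null) || return 1 ;;
    crt) text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) || return 1 ;;
    *)   return 2 ;;
  esac
  for name in "$@"; do
    printf '%s\n' "$text" | tr ', ' '\n\n' | grep -qxF "DNS:$name" || echo "$name"
  done
}

# Usage (hypothetical script name): check-cert.sh KEY CRT NAME...
if [ "$#" -ge 2 ]; then
  key=$1 crt=$2; shift 2
  chmod 600 "$key"   # -nodes wrote the key unencrypted; keep it owner-only
  files_match "$key" "$crt" crt || { echo "certificate does not match key" >&2; exit 1; }
  miss=$(missing_sans "$crt" crt "$@") || { echo "cannot read $crt" >&2; exit 1; }
  [ -z "$miss" ] || { echo "names missing from certificate:" $miss >&2; exit 1; }
  echo "OK: key, certificate and names agree"
fi
```

The same functions work on the CSR before it is submitted: pass csr instead of crt as the KIND argument.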

 

APPLY THE CHANGES

 

1.signal-event domain-modify
2.signal-event email-update

 
