Parliament Hill Computers Ltd

Generate a CSR

Certificate Signing Requests

These will be generated in the directory CertificateSigningRequests/.

You first need to have created an SSL configuration, eg my-family.cnf.

Note the earlier comment about needing a capable shell: use ksh or bash.

Create the request

Use su to become the user rsa

Run CreateSigningRequests, eg:

      # su rsa -c 'bin/CreateSigningRequests my-family'

If you wish you can look at the request:

      $ openssl req -noout -text -in CertificateSigningRequests/my-family.csr

Test the request

What you are really testing is that Apache is correctly configured so that Let's Encrypt can ascertain that it should sign the request.

Run CheckSiteAccess, eg:

      # su rsa -c 'bin/CheckSiteAccess my-family'

If this does not work, fix your Apache configuration. Did you restart Apache?

Get Let's Encrypt to process the Signing Request

It should work, since you just tested that the location /.well-known/acme-challenge/ is visible.

Use su to become the user acme

Run GetSignedCertificate, eg:

      # su acme -c 'bin/GetSignedCertificate my-family'

If you wish you can look at the certificate:

      $ openssl x509 -in SignedCertificates/my-family.crt -text -noout

Two important fields are the dates; you don't want to use an expired certificate:

      $ openssl x509 -in SignedCertificates/my-family.crt -text -noout | grep 'Not '

Also check the sites that it is valid for:

      $ openssl x509 -in SignedCertificates/my-family.crt -text -noout | sed -e '/DNS/!d' -e 's/, DNS:/\n/g' -e 's/^ \+DNS://'
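The date and host name checks above, plus a check that the certificate carries the same public key as the CSR, wrapped as shell functions. This is an added example, not one of the tutorial's bin/ scripts: the function names and the my-family.example host names are assumptions, and the sample key, CSR and self-signed certificate are constructed on the fly.

```shell
#!/usr/bin/env bash
# Added example: checks to run on a signed certificate before installing it.
# All function names are hypothetical, not part of the tutorial's bin/ scripts.

# Succeeds if the certificate will still be unexpired DAYS days from now.
cert_valid_for_days() {            # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints the subjectAltName DNS entries, one per line.
cert_dns_names() {                 # usage: cert_dns_names CERT
    openssl x509 -in "$1" -noout -text | grep 'DNS:' |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Succeeds if HOST is listed literally (wildcards are not expanded).
cert_covers() {                    # usage: cert_covers CERT HOST
    cert_dns_names "$1" | grep -qxF -- "$2"
}

# Succeeds if the certificate holds the same public key as the CSR.
cert_matches_csr() (               # usage: cert_matches_csr CERT CSR
    c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    r=$(openssl req -in "$2" -noout -pubkey) || exit 1
    [ -n "$c" ] && [ "$c" = "$r" ]
)

# Constructed sample data: throwaway key, CSR and 30-day self-signed
# certificate for the made-up names below, written into directory DIR.
make_sample() {                    # usage: make_sample DIR
    printf 'subjectAltName=DNS:my-family.example,DNS:www.my-family.example\n' \
        > "$1/san.ext" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/demo.key" \
        -subj '/CN=my-family.example' -out "$1/demo.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 30 \
        -extfile "$1/san.ext" -out "$1/demo.crt" 2>/dev/null
}

# Demo run on the constructed sample.
demo=$(mktemp -d) && make_sample "$demo" &&
    cert_valid_for_days "$demo/demo.crt" 7 &&
    cert_covers "$demo/demo.crt" www.my-family.example &&
    cert_matches_csr "$demo/demo.crt" "$demo/demo.csr" &&
    echo "demo.crt: dates, names and key all check out"
rm -rf "$demo"
```

Against the tutorial's own files the calls would take SignedCertificates/my-family.crt and CertificateSigningRequests/my-family.csr as arguments.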

This gives nice output (append the host name to check):

      $ nmap --script ssl-cert -p 443
