Generate the CSR (Certificate Signing Request)

The CSR file is used during the Certificate Authority's enrollment process to validate information about your server and your organization. The process of generating the CSR file will include adding information about your organization used to create your public key file. The process will also create a private key, which should never be shared. Both of these files should be saved and backed up, as they are not recoverable. If a challenge password is entered when generating the CSR file, this password should also be safely stored as it will be required to reinstall or revoke the certificate.

The process of creating the CSR file will vary by the Certificate Issuer that is used; however, it is important to confirm whether a specific encryption key size is required. Many Certificate Authorities require a key size of 2048 bits for all signed SSL certificates. The key generated by MacPractice prior to version 4.2.18 is only 1024 bits. If your CA requires a 2048-bit key, and you are using a version of MacPractice prior to 4.2.18, please use the 2048-bit key command. Otherwise, use the 1024-bit process where a 1024-bit key is required and your MacPractice version is 4.2.18+.

To generate a certificate signing request (CSR) for the server key, run one of the following commands in Terminal, which can be found in the Applications > Utilities folder:

2048 bit private key and Certificate Signing Request:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout server-key.pem

1024 bit private key and Certificate Signing Request:

sudo openssl req -new -key /Library/MacPracticeServer/Apache/Security/private/server-key.pem -out /Library/MacPracticeServer/Apache/Security/private/server-key.csr

After pasting this command, information needed to generate the certificate signing request file will be requested through Terminal. The information added will create a "Distinguished Name" comprised of the information attributes. The Certificate Authority may have specific guidelines on adding this information. For example, some Certificate Authorities do not allow special characters, such as $%^&*@, within the Organization Name, Organizational Unit Name, or challenge password.

The information added during this process will be used by the Certificate Authority for domain and organization validation. Incorrect information, or information that does not match the WHOIS information on your domain registry, may delay the validation process.

The CSR generation process will request the following information:

Country Name

The two-letter ISO country code, such as US or AU.

State or Province Name

The full, unabbreviated name of the state or province of your organization, such as Nebraska or Manitoba.

Locality Name

The name of the organization's city, such as Lincoln.

Organization Name

The name of your organization, such as MacPractice. Special characters, such as $%^&*@, should be avoided as these characters may not be supported by the Certificate Authority.

Organizational Unit Name

Your department or section, such as MacPractice Help. Special characters, such as $%^&*@, should be avoided as these characters may not be supported by the Certificate Authority.

Common Name

This will be the domain or subdomain to which the MacPractice Server's Static IP points, such as domain.com or subdomain.domain.com. The common name should exactly match the valid DNS name given to the MacPractice Server. Please note that if you wish to use a subdomain, a Wildcard SSL certificate must be purchased and your Certificate Authority may have specific instructions on how the common name is entered, such as using an asterisk (*) to define the domain. For example, *.domain.com.

Email Address

The email address for your organization, such as the webmaster or system administration email address. Some Certificate Authorities will require that this email be at the domain for which the certificate is being purchased, while others will require a validation email to be sent to an administrator or webmaster email account at this domain (for example, admin@domain.com).

Challenge Password

This is an optional plain text password. If a password is entered when generating the CSR file, the password will be required if you ever want to reinstall or revoke the certificate.

Optional Company Name

This is an optional company name attribute, which can be submitted with the certificate request.

This will create a server-key.csr file in /Library/MacPracticeServer/Apache/Security/ in MacPractice versions 4.2.18+, whereas the file will be sent to your User folder in MacPractice versions prior to 4.2.18. In both versions, the .csr file, named CSR.csr, will be sent to your User folder.

To view the CSR file, open the file in a text program such as TextEdit or TextWrangler. You may need to control-click the CSR file and select the program from the Options menu. Select "Open With" and choose the desired program.

This .csr file will need to be uploaded to the Certificate Authority when purchasing the Signed SSL Certificate.
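Before uploading, the CSR can be checked from Terminal against the points above: that it is intact, that the key meets the CA's size requirement, and that it was made from the private key you are keeping. The script below is an added example, not part of MacPractice's instructions; the function name check_csr is hypothetical, and the file arguments are whichever CSR and key files the commands above produced.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR and its private key.
# Usage: check_csr CSR_FILE KEY_FILE [MIN_BITS]   (MIN_BITS defaults to 2048)
check_csr() {
    csr=$1; key=$2; min_bits=${3:-2048}; rc=0

    # 1. The CSR must parse and its self-signature must verify. Match on the
    #    message text rather than the exit status, which is not consistent
    #    across openssl versions.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "ok:   CSR self-signature verifies"
    else
        echo "FAIL: CSR is unreadable or its signature does not verify"; rc=1
    fi

    # 2. Key size recorded in the CSR, compared with the CA's minimum.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
        echo "ok:   $bits-bit key (minimum $min_bits)"
    else
        echo "FAIL: key is ${bits:-unknown} bits, CA minimum is $min_bits"; rc=1
    fi

    # 3. The CSR must have been made from this private key; otherwise the
    #    issued certificate will not pair with the key on the server.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]; then
        echo "ok:   CSR matches private key $key"
    else
        echo "FAIL: CSR does not match private key $key"; rc=1
    fi

    # 4. Print the Distinguished Name for comparison with the WHOIS record,
    #    and flag a URL scheme typed into the Common Name.
    subject=$(openssl req -in "$csr" -noout -subject 2>/dev/null)
    echo "info: $subject"
    case $subject in
        *://*) echo "FAIL: subject contains a URL scheme; use the bare DNS name"; rc=1 ;;
    esac
    return "$rc"
}

# Run the checks when the script is given a CSR and a key on the command line.
if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```

Only the public half of the key is read for the comparison, and nothing is written to disk. Run it with sudo if the key sits in the protected Security/private folder.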