Generate Keys and Certificate Signing Requests

Before you configure settings on the Spectrum server, you must first generate keys and get a certificate signing request (CSR).

This section uses the OpenSSL command-line program to generate private/public keys and a CSR. OpenSSL comes with most Linux systems. For Windows, you can download an installation package for the OpenSSL toolkit from Shining Light Productions. Refer to the OpenSSL command reference for more information about the OpenSSL commands described here.

In the example code, replace references to example with your organization or domain name.

  1. Open an OpenSSL Command Prompt.
  2. Generate a public/private key pair using an SSL toolkit.
    1. Execute the following command to generate an RSA public/private key pair.
      openssl genrsa -out www.example.com.key 2048
      This example generates a 2,048-bit RSA key pair. The encryption standard and minimum length requirements may differ depending on the version of Java installed on your machine and Certificate Authority requirements.
      This displays the following output:
      openssl genrsa -out www.example.com.key 2048
      Generating RSA private key, 2048 bit long modulus (2 primes)
      ................................+++++
      ...+++++
      e is 65537 (0x010001)
    2. Generate a certificate signing request.
      openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr
      This command embeds your public key and information about your organization into a certificate signing request or CSR. It will prompt for the following information:
      • Country Name (two-letter ISO-3166 country code)
      • State or province name
      • Locality name (such as city)
      • Organization name (such as company)
      • Organization unit name (unit or section in an organization)
      • Common name (typically the fully qualified domain name for the server)
      • Email address (contact address in your organization)
      • A challenge password (be sure to make a record of this password)
    3. To check that the CSR is well formed and contains the expected details, run this command:
      openssl req -text -in www.example.com.csr -noout
      The response should look something like this:
      Certificate Request:
      Data:
      Version: 1 (0x0)
      Subject: C = US, ST = Maryland, L = Rockville, O = Example Ltd, OU = Help Central Example, CN = www.example.com, emailAddress = webmaster@example.com
      Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public-Key: (2048 bit)
      Modulus:
         00:9f:b4:35:53:31:be:3b:79:42:23:0b:69:5b:10:
         ce:80:d0:a3:dd:4d:dc:b3:aa:c1:b8:38:b9:cb:d9:
         ...
      Exponent: 65537 (0x10001)
      Attributes:
      challengePassword        :examplepassword
      Signature Algorithm: sha256WithRSAEncryption
        02:a9:f0:2f:1b:7f:09:04:ff:6f:e4:5e:51:12:22:56:4c:5c:
        81:d4:e0:06:c2:0b:42:6d:18:de:29:df:97:d0:e2:24:53:35:
        ...
    4. Submit the resulting CSR (www.example.com.csr) to a certificate authority.

    Send the CSR to your CA, and follow their instructions to receive your final certificate. Different CAs charge differently for the service of vouching for your public key.
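
The following shell script is an added example, not part of the original procedure: it runs steps 2.1 and 2.2 without prompts and then checks the CSR before submission (self-signature, key match, key length, hash, and whether a challenge password is embedded in readable form, as in the sample output of step 2.3). The function names, temporary directory and subject values are assumptions, and the key and CSR it creates are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page. make_csr and check_csr are
# hypothetical helper names; subject values are constructed.

# make_csr DIR NAME: steps 2.1 and 2.2 without prompts (-subj replaces them).
make_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Maryland/L=Rockville/O=Example Ltd/CN=$2"
}

# check_csr KEY CSR: prints "ok" or the first failed check; returns 0 or 1.
check_csr() {
    key=$1 csr=$2
    # Self-signature: shows the request was signed with the matching private
    # key. Match the success message instead of relying on exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "bad-signature"; return 1; }
    # The CSR must carry the public half of the key that will be deployed.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] ||
        { echo "key-mismatch"; return 1; }
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    # Key length, read from the "Public-Key: (2048 bit)" line.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key"; return 1; }
    # Signature hash requested with -sha256 in step 2.2.
    printf '%s\n' "$text" | grep -q "Signature Algorithm: sha256" ||
        { echo "weak-hash"; return 1; }
    # A challenge password is stored unencrypted in the CSR attributes.
    printf '%s\n' "$text" | grep -q "challengePassword" &&
        echo "note: challengePassword is readable in the CSR" >&2
    echo "ok"
}

# Demo on constructed data in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com &&
    check_csr "$demo_dir/www.example.com.key" "$demo_dir/www.example.com.csr"
rm -rf "$demo_dir"
```

Run check_csr against your real key and CSR files before sending the CSR to the CA; a "key-mismatch" result means the certificate would be issued for a key other than the one on the server.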