I have recently faced similar case while I had given older CSR which I gave last year for the renewal to GoDaddy and it didn't worked due to security reasons.

We need to simply regenerate Private Key and CSR with the help of following OpenSSL command:

 openssl req -nodes -newkey rsa:2048 -keyout new-digitss.key -out new-digitss.csr

This will generate 2048-bit key file and after that it will ask few basic information about the entity being certified. Private Key file generated with above command won't have secret pass-phrase so it won't be a problem deploying them on Windows based Apache server setups or either on Linux platforms. But if you really want to have pass-phrase then please refer to a previous post and replace it with 2048 or 4096 instead of 1024 which is being used in commands or just remove the "-nodes" from the above command which will ask for a pass-phrase.

Removing the "-nodes" option from the above mentioned openssl command will ask for a pass-phrase and encrypt the private key. This can increase security, but please note that the pass-phrase will be required each time Apache is started. In that case you need to get a un-secure private key for your Windows based Apache setup. It is as simple as writing following line of command on OpenSSL.

 rsa -in digitss.key -out unsecured.digitss.key

Above OpenSSL command will give unsecured private key which will have pass-phrase removed and so can be used with Windows based Apache setups.

More References:

For more detailed information on CSR generation please refer following post: (Just use 2048 or 4096 instead of 1024 to make it work)
http://blogs.digitss.com/apache/how-to-generate-certificate-signing-request-csr-file-with-apache-openssl/

See GoDaddy Help for detailed reason on: Why does my CSR need to be 2048 bit length?

CSR Generation Instructions for Rest of the Web-Servers: Certificate Signing Request (CSR) Generation InstructionsSimilar Posts:

• How to generate Certificate Signing Request (CSR) file with Apache OpenSSL
• Installing Apache on Windows 2008
• Beginner’s Resources for PHP-MySQL Development
• RSA server certificate CommonName (CN) does NOT match server name!?
• mod_proxy & mod_vhost_alias to host multiple domains on Web-Server and running Apache+IIS together

While configuring SSL for one of my Client I got this error and it took me little while to figure it out that what went wrong with the configuration. Initially I thought that there must be something wrong with the generated certificate as I have generated CSR myself and given it to client and client gave back me Certificate files.

But I was wrong as I was using LogMeIn to connect to the client's Windows 2003 Web-Server and using remote clipboard (Copy+Paste). Something went wrong while pasting that file on the remote Web server. So I transferred files directly and then it worked well without any problem.

[Mon Jun 01 03:22:49 2009] [warn] RSA server certificate CommonName (CN) `portal.client.com' does NOT match server name!?
[Mon Jun 01 03:22:49 2009] [error] Unable to configure RSA server private key
[Mon Jun 01 03:22:49 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Reference URL that helped me find the answer is below:

http://www.howtoforge.com/forums/showthread.php?t=22493

Similar Posts:

• How to generate Certificate Signing Request (CSR) file with Apache OpenSSL
• Generating 2048-bit CSR with OpenSSL
• This download has been blocked by your security zone policy
• mod_proxy & mod_vhost_alias to host multiple domains on Web-Server and running Apache+IIS together
• VMWare Workstation: This virtual machine appears to be in use.

Now if you are running and managing your own webserver and you have to get certificate(s) for your company/client or your own website then first requirement is to generate "Certificate Signing Request" - CSR file, which you need to send to Certificate Authority to sign and give back to you as CRT file. This tutorial is not meant for Apache expert but for those who have not much experience SSL and Apache stuff.

Generation of CSR files with Apache on OpenSSL is quite simple and it is matter of typing few commands and we are done. You need to follow similar commands on OpenSSL prompt whether you are running Apache over Windows or Linux. Here is the routine which we need to follow to get our .CSR file ready.

If you have your Apache setup ready with OpenSSL then goto BIN directory under your Apache's installation directory. If you are on Windows machine then it could be under D:\Program Files\Apache\bin and if it is Linux you know better where to find it. Open Command Prompt and goto Apache's BIN directory and then type "openssl" over there. You will get OpenSSL prompt immediately. You may need not to goto Apache/Bin directory if that path is set in your system variables, you can just type openssl and you will get the prompt like below.


Now, first of all we need to generate RSA Private key for our server. This key will be Triple-DES encrypted and PEM formatted. Type in following command to get encrypted private key on OpenSSL prompt.

OpenSSL genrsa -des3 -out digitss.key 1024

You can keep it my_server.key or something like that. Once you type in above command it will ask for pass-phrase, please keep a note of that pass-phrase at some secure place. Also, take backup of your private key file at some secure place. Here is the screen-shot(s) visualizing above command over windows command-line.

If you will try to see contents of that file it would look something similar to what I have got here.


To see something which is more readable type in following line and it will ask you pass-phrase which you previously specified.

OpenSSL rsa -noout -text -in digitss.key
Enter pass phrase for digitss.key:
Private-Key: (1024 bit)
modulus:
00:c6:54:39:f5:c5:ae:5a:ef:f5:53:9c:13:c9:86:
27:c5:19:9f:25:ab:a5:96:5a:2e:f3:c0:5b:b0:c5:
02:a6:e0:53:a8:fa:34:e1:8f:55:b4:ee:57:e3:54:
65:70:6a:f0:0c:4d:b1:ed:9f:31:38:51:3c:e1:99:
fe:82:6c:0d:3d:a5:d3:6e:01:8c:89:cc:f1:97:c0:
95:0e:80:1a:c7:0a:ac:56:15:27:cd:08:32:e0:2c:
39:00:77:2f:d1:83:4f:2e:ff:ea:50:fb:26:6c:fd:
dd:ea:38:3b:ec:c0:f7:d3:c6:c2:23:20:12:40:bf:
1b:94:59:d8:d6:34:8d:7c:dd
publicExponent: 65537 (0x10001)
privateExponent:
23:5b:b8:c9:9c:68:ad:45:c2:93:19:6c:5d:ad:51:
31:ce:83:95:0f:b9:01:c9:2a:3d:c2:b9:96:16:49:
96:be:bf:ab:8c:90:08:f6:a8:ed:0c:e1:16:62:61:
83:5d:4d:56:a4:33:68:8d:cd:14:a1:47:1d:61:7b:
02:7d:89:0e:77:f9:0b:b9:89:02:a5:e1:0a:ba:66:
f2:25:dc:06:7e:74:b2:c7:6a:be:1a:e1:6f:fb:b7:
e2:2d:b5:f2:ca:a8:ec:27:9e:81:25:7e:8a:2d:6c:
94:6f:f5:ca:f3:4e:bc:3d:1e:e9:5d:74:47:59:8c:
f7:29:d8:8e:9c:d2:e0:01
prime1:
00:f4:85:25:2e:6c:02:79:02:58:c9:ec:29:a8:11:
33:9e:db:bf:84:0a:a2:87:f9:2b:82:f5:a0:04:59:
69:bb:f7:d3:6a:d8:ee:6d:74:0e:bb:62:01:8e:bf:
5f:85:d8:3d:de:e9:12:86:c9:20:de:7c:cf:4c:f2:
6a:1b:40:e2:01
prime2:
00:cf:a3:ea:a4:39:10:6c:4e:3c:58:b1:8e:f0:17:
33:ea:1f:9d:0c:be:0a:bd:3b:d5:80:76:70:e3:e4:
54:4f:1a:8f:8a:ab:00:d5:64:e6:8a:e7:24:12:2b:
3e:97:b9:24:96:b5:f4:31:eb:ae:6d:fa:83:b2:32:
92:8b:06:62:dd
exponent1:
00:b4:40:d2:bf:fd:ef:74:b5:3e:2e:dc:61:78:fc:
34:77:9f:16:f7:87:bf:78:ed:3e:1e:34:63:d9:d0:
f0:19:19:00:49:6b:d1:97:ee:4e:4d:e4:59:b1:99:
72:19:80:e7:5b:44:05:dc:46:b8:6c:4b:25:a6:5b:
ad:cc:99:70:01
exponent2:
00:b8:a7:83:41:ec:65:88:8b:c2:ea:f5:6c:b2:63:
33:98:9f:e8:a0:ae:59:0a:94:ad:78:02:dc:be:2e:
3e:34:12:e0:d8:66:de:e4:e7:48:86:fa:ab:7f:64:
e9:d3:30:19:33:d6:38:86:34:9b:f8:be:32:64:44:
c9:41:cd:ba:19
coefficient:
7c:9a:fa:80:72:8a:74:11:7b:f0:32:d0:e4:b3:44:
cd:d4:2c:4e:6b:37:38:68:9a:6e:cd:ae:f0:9f:54:
31:a5:f6:f7:c8:16:f3:1a:4a:5c:d3:6b:60:a1:7d:
f5:a2:6c:b2:ab:12:1d:1c:5c:dd:63:57:d5:c0:be:
a3:d1:37:67
OpenSSL

Although it is hardly readable but makes more sense then previous screenshot.

Later on we need to specify path of this file in our httpd-ssl.conf when we get CRT file signed by Authority and we are setting up SSL over our webserver. It is required to have unsecured version of this file as with Windows Apache + OpenSSL setup it's not possible to specify "pass-phrase" (which we have given earlier) and it will give some weired error while setting up SSL and apache will refuse to start and generate errors in log for that.
So to get Unsecured version of this file type following command:

OpenSSL rsa -in digitss.key -out unsecured.digitss.key
Enter pass phrase for digitss.key:
writing RSA key
OpenSSL

Here, digitss.key is the file which we have previously generated and it is encrypted (3-DES), and -out file is the one which will be generated based on our request in non-encrypted form. During this process it will ask for pass-phrase as usual.

Now let's move to final step which is generation of CSR file using RSA private key. Following command will generate Certificate Signing Request file for us which will be PEM formatted. Key in following command:

OpenSSL req -new -key digitss.key -out digitss.csr

If you are running over Windows then probably you will get error which I have faced during this. It would be something similar to following:

OpenSSL req -new -key digitss.key -out digitss.csr
Unable to load config info from /usr/local/ssl/openssl.cnf

In that case we need to specify one more parameter in this command and we are done.

OpenSSL req -new -key digitss.key -out digitss.csr -config openssl.cnf

Here, in this command we are making request for generation of CSR file with our private key generated previously and here we have specified configuration file as "openssl.cnf" as one more parameter. If this file doesn't exist in apache/bin directory then either move it there or specify full path. After keying in above command it will prompt you with few parameters/questions and that's it we are done.
Here is the list of question you need to answer as in you type above command to generate CSR file. Provided for your reference just as an example.

OpenSSL req -new -key digitss.key -out digitss.csr -config openssl.cnf
Enter pass phrase for digitss.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Newyork
Locality Name (eg, city) []:Bellrose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DiGiTSS Inc
Organizational Unit Name (eg, section) []:DiGiTSS
Common Name (eg, YOUR name) []:www.digitss.com
Email Address []:dharmavir@digitss.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:blogs@DiGiTSS
OpenSSL

We are almost done, now we need to send this generated CSR file to a Certifying Authority (CA) for signing, they will send back us Real Certificate CRT file with the help of which we can setup SSL over our webserver running Apache and OpenSSL. We can either send it to Verisign, Thawte Consulting, CertiSign Certificadora Digital Ltd or GoDaddy.

Please note that I have used all commands on Linux server as well and they will work same as they they work on Windows.

For more advance options or more help you can refer to www.modssl.org's FAQ section.
Have your comments on this post.Similar Posts:

• Generating 2048-bit CSR with OpenSSL
• RSA server certificate CommonName (CN) does NOT match server name!?
• mod_proxy & mod_vhost_alias to host multiple domains on Web-Server and running Apache+IIS together
• PHP – Downloading a File from Secure website (https) using CURL
• Beginner’s Resources for PHP-MySQL Development