重要注意事项 An Important Note Before You Start

在生成CSR文件时同时生成您的私钥，如果您丢了私钥或忘了私钥密码，则颁发证书给您后不能安装成功！您必须重新生成私钥和CSR文件，免费重新颁发新的证书。为了避免此情况的发生，请在生成CSR后一定要备份私钥文件和记住私钥密码，最好是在收到证书之前不要再动服务器。
By far the most common problem users have when going through this process is related to private keys. If you lose or cannot access a private key, you cannot use the certificate we issue to you and will need to request a free reissue. To ensure this never happens, we advise that a backup of the private key file is made and that a note is made of the password that is used to protect the export of the private key.

To create a certificate signed by a Certificate Authority using OpenSSL, follow these steps:

Create or choose a directory for the certificates and your private key. Because the private key is stored unencrypted, it is very important that only user root has access to this directory. For example, the following three commands:
mkdir -p -m665 /etc/mail/certs
chown root:mail /etc/mail/certs
chmod 660 /etc/mail/certs

Use openssl to create a public-private key pair and a certificate signing request (csa). For example, the following command (this text should be entered at a command prompt as one long line):
/usr/local/ssl/bin/openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem
When you run openssl it prompts you for items of information. It is very important that you properly answer these prompts; the default explanation may not be accurate. It asks you:
Country Name Supply the ISO-standard two-letter code for your country.
State or Province Name Type the full name of your state or province.
Locality Name Type the full name of your city or municipal area.
Organization Name Type the legal name of your company or organization.
Organizational Unit Name Type the name of your division or section of your company.
Common Name Type the fully-qualified host name of the mail server host. Do not type your personal name, even if the openssl prompt sounds like that is what you should do. This must be the same name that a client enters to get to your server.
Email Address This should be your email address, or that of an institutional role (such as postmaster).

Ensure that the file which now contains the private key (and will later contain the signed certificate) is owned by and only accessible by root. For example, the following two commands:
chmod 600 /etc/mail/certs/cert.pem
chown root:0 /etc/mail/certs/cert.pem
Send the certificate signing request (file req.pem) to your Certificate Authority for signing. You will receive back a signed request.

测试CSR和把CSR发给WoSign, Start the certificate request process

生成CSR后，建议您自己测试一下生成的CSR文件是否正确，请点击 这里 测试您的CSR文件。请把测试成功的CSR文件发给WoSign即可。请一定不要再动您的服务器，等待证书的颁发。
To submit the CSR to WoSign for processing you should start the certificate enrollment process.