Creating a Certificate Signing Request (CSR) with OpenSSL
This article describes how to create a CSR (Certificate Signing Request) for ordering an SSL certificate using OpenSSL.
Introduction
When ordering an SSL certificate, you will be asked for a CSR. CSR stands for Certificate Signing Request, which is a request for issuing an SSL certificate. In addition to the CSR, you need a secret key file which, as the name suggests, remains exclusively with you and must be protected from access by third parties.
This guide describes how to create a CSR using the linked open-source application OpenSSL. OpenSSL is available for numerous operating systems and is usually pre-installed on Linux systems.
Installing OpenSSL
If OpenSSL is not yet installed, you can perform the installation as follows:
Ubuntu
$ apt-get install openssl
RHEL / CentOS
$ yum install openssl
Windows 10
Install the Linux Subsystem under Windows 10. Follow the linked Microsoft article for this.
Required Information
You need the following information, which relates to the operator of the Internet service:
| Name | Description |
|---|---|
| Country | Two-letter country code (e.g., CH, DE, AT) |
| State/Province | Full name of state or province |
| City | City name |
| Organization | Company or organization name |
| Unit | Department or unit name (optional) |
| Common Name | Fully qualified domain name |
| Contact email address |
Creating the CSR
Use the following OpenSSL command to create both the private key and CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Follow the interactive prompts to enter your certificate information.
Security Notes
- Keep your private key file secure and never share it
- Use strong encryption and key lengths
- Store backup copies in secure locations
- Monitor certificate expiration dates