OpenSSL - Generate CSR
A Certificate Signing Request (CSR) is required when applying for an SSL certificate. The CSR and the private key that belongs to it can be generated on your web server; the private key never leaves that server. To request a wildcard certificate, use an asterisk (*) as the leftmost label of the Common Name, for example *.sslcertificaten.nl (instead of www.sslcertificaten.nl).
OpenSSL is a command line program for creating and managing keys and certificates. It ships with most UNIX, Linux and BSD distributions and has also been ported to Windows. It is used in combination with a lot of server products, among which Apache, Lighttpd, several routers and other hardware. This manual describes how to use OpenSSL to create an RSA or ECC private key and the matching CSR.
It is practical to keep all keys and certificate files in one folder. Which folder is customary varies a lot between distributions; as an example we use /etc/ssl/cert/ in this manual. It is extremely important that this folder is adequately protected: the private key stored in it is the only secret in the whole procedure, and anyone who can read it can impersonate your server.
It is advisable to log onto the server through SSH, so the CSR can easily be copied to the web browser to submit a request.
Generating the CSR with the openssl Command
Connect to the server over SSH and log in as root. Use the cd command to change to the folder in which the keys and certificates are kept (/etc/ssl/cert/ in this manual).
CSR with RSA private key
The following command generates a 2048-bit RSA private key and a CSR in one step. The -nodes option leaves the private key unencrypted, so the web server can start without a passphrase prompt. Note that the hash algorithm belongs to the CSR's signature, not to the key: OpenSSL versions before 1.1.0 sign the CSR with SHA-1 by default, and CAs no longer accept SHA-1 signed requests.
openssl req -utf8 -nodes -newkey rsa:2048 -keyout www_sslcertificaten_nl.key -out www_sslcertificaten_nl.csr
To sign the CSR with SHA-256 (SHA-2), add the -sha256 option to the command (OpenSSL 1.1.0 and later already use SHA-256 by default, but stating it explicitly does no harm):
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www_sslcertificaten_nl.key -out www_sslcertificaten_nl.csr
CSR with ECC private key
When an ECC key is needed, two commands are required: one to generate the key (here on the P-256 curve, which OpenSSL calls prime256v1) and a second one to create the CSR from that key. The -sha256 option is added to the second command for the same reason as in the RSA example:
openssl ecparam -out server.key -name prime256v1 -genkey
openssl req -new -utf8 -sha256 -key server.key -out server.csr
Fill in CSR fields
- Note: Replace www_sslcertificaten_nl with the domain name the certificate is applied for.
- You will now be asked to enter some data, which is used in the application for the SSL certificate. It is vital for this information to correspond to the whois information of the domain name (which in turn has to correspond with the data at the Chamber of Commerce). For some fields a default value is displayed between brackets ( [default value] ); pressing Enter accepts it.
- OpenSSL generates two files: the private key (with the name format www_sslcertificaten_nl.key) and the CSR (with the name format www_sslcertificaten_nl.csr).
- Restrict the permissions on these files so that only the root user can read them. The CSR itself contains no secret, but the private key must never be readable by anyone else or copied off the server:
[root@server cert]# chmod 600 *.key *.csr
- The CSR can now be shown with the cat command:
[root@server cert]# cat www_sslcertificaten_nl.csr
- The fields Email Address, Optional company name and Challenge password can be left empty when applying for a web server certificate.
- Country Name (2 letter code) [AU]: NL
- State or Province Name (full name) [Some-State]: Noord-Holland
- Locality Name (eg, city) : Heerhugowaard
- Organization Name (eg, company) [Internet Widgits Pty Ltd]: Bedrijfsnaam
- Organizational Unit Name (eg, section) : ICT
- Common Name (eg, YOUR name) : www.sslcertificaten.nl
- Email Address :
- A challenge password :
- An optional company name :
- For the Common Name (CN) you should enter the name of the web server exactly as clients will address it. In most cases this is the fully qualified domain name, for example www.yourdomainnamehere.nl. Browsers actually match the host name against the certificate's Subject Alternative Name (SAN) rather than the CN; public CAs copy the CN into the SAN when issuing, so a wrong CN produces a certificate that browsers reject.
- Note: Do not let yourself be confused by the (eg, YOUR name). You should NOT enter your own name here.
- When prompted to enter a challenge password, skip it by pressing Enter. The challenge password is only stored as an attribute inside the CSR and is not used when ordering a web server certificate; it has nothing to do with the private key. A passphrase prompt when starting the web server only occurs when the private key itself is encrypted, which the -nodes option in the commands above prevents.
To order a certificate, copy the entire contents of the generated CSR, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines with all their dashes.
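The whole procedure above (key and CSR generation for both RSA and ECC, the subject fields from the prompt list, and the file permissions) can be scripted so that nothing has to be typed interactively, which is also how a practitioner checks a CSR before pasting it into an order form. The script below is an added example and not part of the original page or of OpenSSL's documentation. It assumes OpenSSL 1.1.1 or newer (for -addext), uses the hypothetical domain example.com, and fills in the subject with the same example values as the prompts above. Beyond what the page shows, it adds a Subject Alternative Name to the CSR and verifies that the CSR is intact, is not SHA-1 signed, and really belongs to the private key on disk.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL 1.1.1 or newer
# (-addext) and the hypothetical domain example.com; nothing is sent to a CA.
set -eu

# RSA key + CSR in one step, non-interactively: -subj replaces the prompts,
# -nodes leaves the key unencrypted (no passphrase prompt at server start),
# -sha256 signs the CSR with SHA-256, -addext adds the Subject Alternative
# Name, which is the field browsers actually match against.
gen_rsa_csr() {
    domain=$1; keyfile=$2; csrfile=$3
    openssl req -utf8 -nodes -sha256 -newkey rsa:2048 \
        -keyout "$keyfile" -out "$csrfile" \
        -subj "/C=NL/ST=Noord-Holland/L=Heerhugowaard/O=Bedrijfsnaam/OU=ICT/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    chmod 600 "$keyfile" "$csrfile"
}

# ECC (P-256) key first, then the CSR from it; -noout keeps the EC PARAMETERS
# block out of the key file so it holds only the private key.
gen_ecc_csr() {
    domain=$1; keyfile=$2; csrfile=$3
    openssl ecparam -genkey -name prime256v1 -noout -out "$keyfile"
    chmod 600 "$keyfile"
    openssl req -new -utf8 -sha256 -key "$keyfile" -out "$csrfile" \
        -subj "/C=NL/O=Bedrijfsnaam/CN=$domain" \
        -addext "subjectAltName=DNS:$domain"
    chmod 600 "$csrfile"
}

# Signature algorithm recorded in the CSR (e.g. sha256WithRSAEncryption).
csr_sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# The SAN entries of the CSR (empty if it has none).
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Checks to run before pasting the CSR into the order form:
# 1. the CSR's self-signature verifies (the file was not truncated or edited),
# 2. the signature is SHA-256, not SHA-1,
# 3. the public key inside the CSR belongs to the private key on disk.
check_csr() {
    keyfile=$1; csrfile=$2
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || return 1
    case "$(csr_sig_alg "$csrfile")" in
        sha256WithRSAEncryption|ecdsa-with-SHA256) ;;
        *) return 1 ;;
    esac
    # Compare a digest of the DER-encoded public key from both sources.
    csr_pub=$(openssl req -in "$csrfile" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$keyfile" -pubout -outform DER | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}
```

Run it as, for example, `gen_rsa_csr example.com www_example_com.key www_example_com.csr && check_csr www_example_com.key www_example_com.csr`; the third check in check_csr is the one that catches the common mistake of ordering a certificate with a CSR from an old key while a new key was installed on the server.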