Tags for this FAQ item:
Apache CSR Lighttpd NGinx OpenSSL

Help us by rating this article!

Rated 5 stars, based on 4 votes

OpenSSL - Generate SSL certificate request (CSR)

Last updated: 04/12/2016

OpenSSL is a suite of security tools for Linux, Unix, FreeBSD and OpenBSD distributions. OpenSSL's swiss army knife is the aptly named openssl command-line utility that allows you to manage certificates and generate private keys.

The first step to generate a certificate request is to generate your private key to sign the request with. It is this private key that allows the server to be identified. If you don't have a private key yet, which is the case if you're aiming to install a certificate on the server for the first time, private key and certificate request can be generated in a single step.

Connect to your server using the SSH (Secure Shell) protocol. Windows doesn't have a built-in SSH client, Kinamo recommends you download the free and popular PuTTY client. If you're working on a Mac OS X or Linux desktop, you simply open a terminal window and type in the following command, taking care to replace the servername with the hostname or IP address of your own server.

ssh -l root server.com

After typing in your password, you'll be connected to the server. SSL certificates, keys and CSR's are usually kept in a single directory on your server, but the exact folder may vary according to your distribution. For illustration purposes, we'll be using /etc/ssl/certs in this article.

Go to your certificate directory:

[root@server ~]# cd /etc/ssl/certs
[root@server certs]#

If you need to generate a private key yet, type the following command at the prompt:

[root@server certs]# openssl req -sha256 -nodes -newkey rsa:2048 -keyout www.server.com.key -out www.server.com.csr

Do not forget to replace www.server.com with your own server name, unless you happen to be the luck owner of server.com, of course.

Alternatively, should you wish to make use of bleeding edge ECC (Ellyptical Curve Cryptography) encryption instead of RSA, execute the following commands, first to generate your ECC private key, then to create a CSR signed by your ECC key:

[root@server certs]# openssl ecparam -out www.server.com.key -name prime256v1 -genkey
[root@server certs]# openssl req -new -key www.server.com.key -out www.server.com.csr

If you had a private key from an earlier certificate, which is the case if you want to renew or reissue your certificate, use the following command:

[root@server certs]# openssl req -new -sha256 -key www.server.com.key -out www.server.com.csr

There's an even shorter way of generating a certificate request based on an old certificate, if that's what you aim to do:

[root@server certs]# openssl x509 -x509toreq -in www.server.com.crt -out www.server.com.csr -signkey www.server.com.key

You'll be presented with a dialog that asks you to input all relevant information for your certificate request. You should be careful to enter your company information in exactly the same way it is displayed in WHOIS records for your domain name, and that it corresponds with your company data as entered in your country's company registry at incorporation.

Generating a 2048 bit RSA private key
.....................+++
...................................+++
writing new private key to 'www.server.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:BE
State or Province Name (full name) []:Antwerpen
Locality Name (eg, city) [Default City]:Antwerpen
Organization Name (eg, company) [Default Company Ltd]:Kinamo NV
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.server.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Replace the company data in the above example with yours, and insert the domain name you're requesting a certificate for under Common Name. In case you're requesting a wildcard, the domain name should be *.server.com.

You can check whether you entered the correct data in your CSR with the following command:

[root@server certs]# openssl req -in www.server.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BE, ST=Antwerpen, L=Antwerpen, O=Kinamo NV, CN=www.server.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:e1:e4:87:0a:82:6c:7d:4b:75:40:cf:91:b1:
                    21:81:9c:90:6e:b6:63:f4:4e:d6:40:7d:b1:3b:1b:
                    30:78:04:bf:3c:fc:32:c1:24:49:8b:7b:d3:d7:19:
                    2e:4b:9a:d1:54:c2:44:2a:7c:08:ba:39:bf:28:62:
                    e8:f7:bf:70:1c:c0:6c:0b:88:b9:24:af:8d:11:0a:
                    b5:7b:1f:b5:d5:ed:4a:56:8f:61:d3:d5:26:97:fa:
                    ab:5f:68:6b:1d:74:4e:af:80:f1:d9:a0:9d:e1:e3:
                    9d:4e:86:8d:51:ba:c3:f4:f3:49:df:1a:06:f1:b8:
                    a5:29:91:9d:7f:9c:3b:43:43:c5:bf:b0:5a:eb:35:
                    aa:3f:9a:45:a5:ad:f4:65:de:5c:d2:c0:cc:b6:e0:
                    b8:d9:ed:50:99:1f:ed:ca:bb:ef:b8:1c:c8:c0:84:
                    16:1f:35:11:fb:34:7b:99:02:9d:8e:7c:04:3d:fc:
                    0b:60:28:f8:a3:4d:ba:dc:c8:d3:a7:6a:6c:79:cf:
                    1a:6d:95:43:9d:c3:65:da:73:fc:53:22:1d:56:50:
                    11:02:79:5a:f6:58:4f:c0:e7:b0:50:51:72:37:50:
                    c8:d6:20:e0:cc:65:df:f0:fe:ea:80:15:cb:88:19:
                    9b:14:4f:58:5b:3c:fe:2c:48:09:dc:dc:53:62:a1:
                    ab:b9
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         09:75:3e:03:e6:14:39:2f:45:d7:51:26:ce:67:93:48:d6:da:
         5a:82:35:fe:0a:dc:d3:b7:31:a4:8b:8e:c2:a8:c8:ca:cb:0d:
         97:60:bc:bb:eb:2e:3c:d0:5d:b9:5e:c7:3e:31:13:28:4d:09:
         6a:71:d1:b4:9b:8e:bd:84:33:85:03:7d:1f:4d:44:b4:16:cf:
         39:6a:cc:d8:de:ae:ba:22:9e:9b:be:c6:bc:03:5b:77:d6:f3:
         2e:f2:4f:93:ad:af:96:14:c4:67:84:70:b9:ea:26:38:19:70:
         4d:12:3c:91:f7:5b:a7:05:e8:34:92:5d:5b:05:a3:d5:10:cd:
         38:4d:28:44:32:23:82:99:52:a5:37:93:ae:3b:49:dd:8f:44:
         74:1b:36:a6:2b:61:70:d3:9e:fc:2d:f9:9b:48:de:d2:ae:94:
         80:d3:be:e6:76:23:99:29:24:67:4d:b1:75:a9:0f:1f:6c:c8:
         15:5a:9d:b5:a4:b6:04:4f:45:10:96:42:e8:1f:00:b8:00:1b:
         07:8a:cd:4a:f9:9e:87:99:fc:9a:0a:ec:22:c5:51:3a:96:97:
         fd:89:a4:c2:a6:be:31:11:96:76:e8:5b:65:1d:b3:78:9d:aa:
         f6:4d:bb:04:ad:59:a8:c3:35:b2:50:0a:d9:17:58:db:ef:71:
         8e:1c:79:41

Print out the contents of the certificate request file to your screen:

[root@server certs]# cat www.server.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICozCCAYsCAQAwXjELMAkGA1UEBhMCQkUxEDAOBgNVBAgMB0FudHdlcnAxEDAO
BgNVBAcMB0FudHdlcnAxEjAQBgNVBAoMCUtpbmFtbyBOVjEXMBUGA1UEAwwOd3d3
LnNlcnZlci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhdEF7
Dj/6KHLqY/5+5tN+NHRG0Mo+sWCtlmJ707yzYnqQAc7+ilVfBNWdlX68I/gTsgdp
QlojCRiqtXLFFNB0pvWOYUsvfk/1bcDww7MgbrDFYP0jGEO2L9OF+0UhZ94kgyeF
jkxtJSLXcfKNjbjgx8h4motMkYiwB/Ovg+dmPBo4uyvKZFNEV23zMaYvPFKItryl
lWkoHt71UIfXGIuoRXo4wPzkz4fyBveu1xun7TshyTaZXf6H+F643P8i0KqNg7f+
ZTjO0dKek58XN5VvjWzfKyolraRFrxek3vLqNCmuBXptdhQOOCaWXZrXd0s6vz8N
N+xerzw2jCeXY/kDAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAK3KXIyW7Dt9R
63Bx6dVpdP7vMubPWR/uDRKQLAXoDca4ztRoADI1Y3VKBec6DsS6kkseK/pfdhLM
HxjE7rE/yGwYpfCV9KuGe7khEuaw/gS7EhHHLZZpyhuYLuTBoIKCJN6ucHPiyMHQ
eCJyUeuPuty3SsLM06PqHg6KBO2MAMiHZulIrheJjDWX017jP0mjkmyPNZ1sQ8Se
e3KcS0ghCpPKmwmtm7fjNEnB0LgcaEc2niDkL5IM2Ck0UYBD6JxdkNW5A+7cS9r9
ResC/vbhf8GGvOh+SWryO1ngoNAIxXv0WrEQJsfDjkuMAAbmWhJYjym9d6IzKHBF
ZZ8MjgW5EQ==
-----END CERTIFICATE REQUEST-----

Copy the full text of the CSR, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines and their dashes, and paste the contents into Kinamo's certificate request form.

Please note that Kinamo offers you a free tool to generate a CSR without OpenSSL hassle: the Kinamo SSL Generator. The tool generates your CSR and a corresponding private key for you. Don't forget to save the latter on your server: if you don't, your SSL certificate will be unusable.