This article will show you how to manually generate a Certificate Signing Request (or CSR) in an Apache or Nginx web hosting environment using OpenSSL.
This process has two steps: creation of a private key, then creating the CSR itself. Manual creation of these items is performed in a terminal window, using commands as detailed below. Both of these items will be saved as text files.
Create an RSA Private Key
Creating your private key will require entering the command string itself, the location and file name you wish to use, and the key strength.
1. Type the following command in an open terminal window on your computer to generate your private key using SSL:
$ openssl genrsa -out /path/to/www_server_com.key 2048
This will invoke OpenSSL, instruct it to generate an RSA private key using the DES3 cipher, and send it as an output to a file in the same directory where you ran the command.
Hit Enter to generate your private key. You will be informed that your private key is being generated, then prompted for a pass phrase. Create and verify your pass phrase here – note that the characters you are typing will not be displayed. Make sure to note this pass phrase – you’ll be using it again.
Create an ECDSA Private Key
Creating an Elliptic Curve Digital Signature Algorithm private key will require you to select a curve parameter to be used. You can do this with these steps:
1. Type the following command in an open terminal window on your computer to display the list of curves supported by your version of OpenSSL.
$ openssl ecparam -list_curves
This will result in a long list of available curves for you to choose from. Copy the name of your selection to have it ready for the next step.
2. Once you have selected a curve, then you can use the following command to create the private key file:
$ openssl ecparam -name CURVE -genkey -noout -out /path/to/www_server_com.key
Be sure to replace the word “CURVE” with the name of the curve that you selected. After running that command, you will be promoted for a passphrase, which must be provided any time you use the key. Be sure that you record this phrase in a secure location. After providing the passphrase, you will have created an ECDSA private key. Now, you can use that key to make a CSR.
Generating the CSR
Generating the CSR requires another string of commands, the location and file name of your newly-created key, and a path and file name for your CSR. You will also be prompted for information to populate the CSR.
1. At the command line, type:
$ openssl req -new -key /path/to/www_server_com.key -out /path/to/www_server_com.csr
This will fire up OpenSSL, instruct it to generate a certificate signing request, and let it know to use a key we are going to specify – the one we just created, in fact.
2. Enter your pass phrase when prompted. Again, the pass phrase is not displayed as you type. Hit Enter when done.
3. You will now be prompted to enter the information which will be incorporated into your CSR. This information is also known as the Distinguished Name, or DN. Some fields are required, while others are optional and can be left blank.
Hit Enter to move forward through each item:
- The Country Name is mandatory and takes a two-letter country code.
- The State or Province Name field requires a full name – do not use an abbreviation.
- The Locality Name field is for your city or town.
In the Organization Name field, add your company or organization.
- Organizational Unit Name is an optional field for your department or section.
- The Common Name field is used for the Fully Qualified Domain Name (FQDN) of the website this certificate will protect.
- Email address is an optional field for this request. (You can hit Enter to skip forward.)
- The challenge password and optional company name fields are optional and can be skipped as well.
Upon completion of this process, you will be returned to a command prompt. Again, you will not receive any notification that your CSR was successfully created.
Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.