Manually Generate a Certificate Signing Request (CSR) Using OpenSSL


This article will show you how to manually generate a Certificate Signing Request (or CSR) in the Apache web hosting environment using OpenSSL.

What is OpenSSL?
OpenSSL is an open-source implementation of SSL/TLS used on approximately two-thirds of servers on the internet. Although many other methods exist to perform these steps on an Apache server, OpenSSL is the industry standard. For more information on OpenSSL, check out their website here.

This process has two steps: creation of a private key, then creating the CSR itself. Manual creation of these items is performed in a terminal window, using commands as detailed below. Both of these items will be saved as text files.


 

Create a Private Key

Creating your private key will require entering the command string itself, the location and file name you wish to use, and the key strength.

1) Type the following command in an open terminal window on your computer to generate your private key using SSL:

openssl genrsa -out /path/to/www_server_com.key 2048

This will invoke OpenSSL, instruct it to generate an RSA private key using the DES3 cipher, and send it as an output to a file in the same directory where you ran the command.

Hit Enter to generate your private key. You will be informed that your private key is being generated, then prompted for a pass phrase. Create and verify your pass phrase here – note that the characters you are typing will not be displayed. Make sure to note this pass phrase – you’ll be using it again.

 


Generating the CSR

Generating the CSR requires another string of commands, the location and file name of your newly-created key, and a path and file name for your CSR. You will also be prompted for information to populate the CSR.

1) At the command line, type:

openssl req -new -key /path/to/www_server_com.key -out /path/to/www_server_com.csr

This will fire up OpenSSL, instruct it to generate a certificate signing request, and let it know to use a key we are going to specify – the one we just created, in fact.

 

Note that a certificate signing request always has a file name ending in .csr.

 

2) Enter your pass phrase when prompted. Again, the pass phrase is not displayed as you type. Hit Enter when done.

3) You will now be prompted to enter the information which will be incorporated into your CSR. This information is also known as the Distinguished Name, or DN. Some fields are required, while others are optional and can be left blank.

Hit Enter to move forward through each item:

  • The Country Name is mandatory and takes a two-letter country code.
  • The State or Province Name field requires a full name – do not use an abbreviation.
  • The Locality Name field is for your city or town.
    In the Organization Name field, add your company or organization.
  • Organizational Unit Name is an optional field for your department or section.
  • The Common Name field is used for the Fully Qualified Domain Name (FQDN) of the website this certificate will protect.
  • Email address is an optional field for this request. (You can hit Enter to skip forward.)
  • The challenge password and optional company name fields are optional and can be skipped as well.

Upon completion of this process, you will be returned to a command prompt. Again, you will not receive any notification that your CSR was successfully created.

As always, if you have any questions about this process, just contact us at SSL.com