Manually Generate a Certificate Signing Request (CSR) Using OpenSSL

SSL Support Team

2 years ago

This tutorial will show you how to manually generate a Certificate Signing Request (or CSR) in an Apache or Nginx web hosting environment using OpenSSL. Click here for a tutorial on ordering certificates, or here for more information on how to install your new SSL.com certificate.

For more helpful how-tos and the latest in cybersecurity news, sign up for SSL.com’s newsletter here:

Video

What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin.

In these instructions, we’re going to use OpenSSL’s req utility to generate both the private key and CSR in one command. Generating the private key in this way will ensure that you will be prompted for a pass phrase to protect the private key. In all command examples shown, replace the filenames shown in ALL CAPS with the actual paths and filenames you want to use. (For example, you might replace PRIVATEKEY.key with /private/etc/apache2/server.key in a macOS Apache environment.) This how-to covers generation of both RSA and ECDSA keys.

SSL.com provides a wide. variety of SSL/TLS server certificates for HTTPS websites.

COMPARE SSL/TLS CERTIFICATES

RSA

The OpenSSL command below will generate a 2048-bit RSA private key and CSR:

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Let’s break the command down:

openssl is the command for running OpenSSL.
req is the OpenSSL utility for generating a CSR.
-newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you would prefer a 4096-bit key, you can change this number to 4096.
-keyout PRIVATEKEY.key specifies where to save the private key file.
-out MYCSR.csr specifies where to save the CSR file.
With these last two items, remember to use your own paths and filenames for the private key and CSR, not the placeholders.

After typing the command, press enter. You will be presented with a series of prompts:

First create and verify a pass phrase. Remember this pass phrase because you will need it again to access your private key.
You will now be prompted to enter the information which will be included into your CSR. This information is also known as the Distinguished Name, or DN. The Common Name field is required by SSL.com when submitting your CSR, but the others are optional. If you would like to skip an optional item, simply type enter when it appears:
- The Country Name (optional) takes a two-letter country code.
- The Locality Name field (optional) is for your city or town.
- The Organization Name field (optional) is for the name of your company or organization.
- The Common Name field (required) is used for the Fully Qualified Domain Name (FQDN) of the website this certificate will protect.
- Email Address (optional)
- The Challenge Password field is optional and can be skipped as well.

Upon completion of this process, you will be returned to a command prompt. You will not receive any notification that your CSR was successfully created.

Go to top

ECDSA

To create an ECDSA private key with your CSR, you need to invoke a second OpenSSL utility to generate the parameters for the ECDSA key.

This OpenSSL command will generate a parameter file for a 256-bit ECDSA key:

openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem

openssl genpkey runs openssl’s utility for private key generation.
-genparam generates a parameter file instead of a private key. You could also generate a private key, but using the parameter file when generating the key and CSR ensures that you will be prompted for a pass phrase.
-algorithm ec specifies an elliptic curve algorithm.
-pkeyopt ec_paramgen_curve:P-256 chooses a 256-bit curve. If you prefer a 384-bit curve, change the portion after the colon to P-384.
-out ECPARAM.pem provides a path and filename for the parameter file.

Now, specify your parameter file when generating the CSR:

openssl req -newkey ec:ECPARAM.pem -keyout PRIVATEKEY.key -out MYCSR.csr

The command is the same as we used in the RSA example above, but -newkey RSA:2048 has been replaced with -newkey ec:ECPARAM.pem. As before, you will be prompted for a pass phrase and Distinguished Name information for the CSR.

If you wish, you can use redirection to combine the two OpenSSL commands into one line, skipping the generation of a parameter file, as follows:

openssl req -newkey ec:<(openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256) -keyout PRIVATEKEY.key -out MYCSR.csr

Next Steps

For more information on installing your certificate, read here, for binding with IIS 10, read here.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.