
Manually Generate a Certificate Signing Request (CSR) Using OpenSSL

This tutorial will show you how to manually generate a Certificate Signing Request (or CSR) in an Apache or Nginx web hosting environment using OpenSSL. Click here for a tutorial on ordering certificates, or here for more information on how to install your new SSL.com certificate.


What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin.

In these instructions, we’re going to use OpenSSL’s req utility to generate both the private key and CSR in one command. Generating the private key in this way will ensure that you will be prompted for a pass phrase to protect the private key. In all command examples shown, replace the filenames shown in ALL CAPS with the actual paths and filenames you want to use. (For example, you might replace PRIVATEKEY.key with /private/etc/apache2/server.key in a macOS Apache environment.) This how-to covers generation of both RSA and ECDSA keys.


RSA

The OpenSSL command below will generate a 2048-bit RSA private key and CSR:

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Let’s break the command down:

After typing the command, press enter. You will be presented with a series of prompts:

Upon completion of this process, you will be returned to a command prompt. You will not receive any notification that your CSR was successfully created.

ECDSA

To create an ECDSA private key with your CSR, you need to invoke a second OpenSSL utility to generate the parameters for the ECDSA key.

This OpenSSL command will generate a parameter file for a 256-bit ECDSA key:

openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem

Now, specify your parameter file when generating the CSR:

openssl req -newkey ec:ECPARAM.pem -keyout PRIVATEKEY.key -out MYCSR.csr

The command is the same as the one used in the RSA example above, but -newkey rsa:2048 has been replaced with -newkey ec:ECPARAM.pem. As before, you will be prompted for a pass phrase and Distinguished Name information for the CSR.

If you wish, you can use shell process substitution (the <(...) syntax, available in bash and zsh) to combine the two OpenSSL commands into one line, skipping the generation of a parameter file, as follows:

openssl req -newkey ec:<(openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256) -keyout PRIVATEKEY.key -out MYCSR.csr
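Because req returns to the prompt without confirming success, it is worth checking the result before submitting the CSR. The following shell script is an added example, not part of the original tutorial: make_ec_csr is a non-interactive form of the ECDSA commands above, and check_csr verifies the CSR's self-signature and that it carries the public key of your private key. The function names, the KEY_PASS environment variable and the example subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# KEY_PASS (assumed name) is an environment variable holding the pass phrase.

# Non-interactive form of the ECDSA commands above: $1 = key file to create,
# $2 = CSR file to create, $3 = subject, e.g. "/CN=www.example.com".
make_ec_csr() {
    params=$(mktemp) || return 1
    openssl genpkey -genparam -algorithm ec \
        -pkeyopt ec_paramgen_curve:P-256 -out "$params" &&
    openssl req -newkey "ec:$params" -keyout "$1" -out "$2" \
        -subj "$3" -passout env:KEY_PASS 2>/dev/null
    rc=$?
    rm -f "$params"
    return "$rc"
}

# Check that CSR $2 is well-formed, self-signed correctly, and carries the
# public key belonging to private key $1. Works for RSA and ECDSA keys.
# Returns 0 on success, 1 = bad CSR, 2 = key unreadable, 3 = key mismatch.
check_csr() {
    key=$1
    csr=$2
    # Match the "verify OK" message instead of trusting the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) ||
        return 2
    [ "$csr_pub" = "$key_pub" ] || return 3
}

# Usage: KEY_PASS='...' sh check_csr.sh PRIVATEKEY.key MYCSR.csr
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2" && echo "CSR is valid and matches the private key"
fi
```

Passing the pass phrase through an environment variable keeps it out of the process list, which a pass:... argument on the command line would not.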

Next Steps

For more information on installing your certificate, read here; for binding with IIS 10, read here.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.