2 Ways to Generate CSR with OpenSSL Command

A Certificate Signing Request (CSR) is the first step in setting up an SSL Certificate on our website. This is a quick guide on how to generate a CSR using OpenSSL Command.

Generate an RSA Private Key and CSR

We can use the following two commands to generate a private key and a CSR.

  • openssl genrsa -out privateKey.key 2048
  • openssl req -new -key privateKey.key -out CSR.csr

Generate an RSA Private Key and CSR in one command

We can use the following one command to generate both the private key and the CSR. It is advised to issue a new private key each time we generate a CSR.

openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

  • openssl – activates the OpenSSL software
  • req – indicates that we want a CSR
  • -new -newkey – generate a new key
  • rsa:2048 – generate a 2048-bit RSA mathematical key
  • -nodes – no DES, meaning do not encrypt the private key in a PKCS#12 file
  • -keyout – specifies the file the private key is written to, named here for the domain we are generating a key for
  • -out – specifies the name of the file our CSR will be saved as

Enter our CSR Information

Our system should launch a text-based questionnaire for us to fill out. We will get our CSR file in the current directory.

Enter our information in the fields as follows:

  • Country Name – use a 2-letter country code (US for the United States)
  • State – the state in which the domain owner is incorporated
  • Locality – the city in which the domain owner is incorporated
  • Organization name – the legal entity that owns the domain
  • Organizational unit name – the name of the department or group in our organization that deals with certificates
  • Common name – typically the fully qualified domain name (FQDN), i.e. what the users type in a web browser to navigate to our website
  • Email address – the webmaster’s email address
  • Challenge password – an optional password for our key pair

We can use this command to skip the interactive input.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"

Example of CSR file

A CSR file is a plain-text file. We can use the more or cat command in Linux to view the content of the CSR file.

The file would start with "-----BEGIN CERTIFICATE REQUEST-----" and end with "-----END CERTIFICATE REQUEST-----".

Verifying CSR Information

After creating our CSR using our private key, we recommend verifying that the information contained in the CSR is correct and that the file hasn’t been modified or corrupted.

Use the following command to view the information in our CSR before submitting it to a CA.

openssl req -text -in your_domain.csr -noout -verify

The -noout switch omits the output of the encoded version of the CSR. The -verify switch checks the signature of the file to make sure it hasn’t been modified.
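
The generate-and-verify steps above as one script, extended to also confirm that the public key in the CSR matches the private key on disk and that the Common Name is the expected one. This is an added example, not part of the original guide; the function names make_csr, check_csr and pubkey_digest are illustrative, and the subject values are the sample ones used earlier.

```shell
#!/bin/sh
# Added example: create a key and CSR without prompts, then check the CSR
# before it is sent to a CA. Subject values and file names are constructed.

# make_csr KEYFILE CSRFILE SUBJECT
make_csr() {
    # -nodes leaves the key unencrypted, so create it readable by the owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# SHA-256 of the PEM public key read from stdin.
pubkey_digest() { openssl dgst -sha256 | awk '{print $NF}'; }

# check_csr KEYFILE CSRFILE EXPECTED_CN
# Returns 0 if all checks pass, 1 bad signature, 2 key mismatch, 3 wrong CN.
check_csr() {
    # Match the "verify OK" message instead of trusting the exit status alone.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1

    # The public key inside the CSR must belong to the private key we hold.
    csr_pub=$(openssl req -in "$2" -noout -pubkey | pubkey_digest)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | pubkey_digest)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || return 2

    # RFC2253 output is comma-separated, e.g. CN=yourdomain.com,OU=IT,...
    subject=$(openssl req -in "$2" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$3,"* | *"CN=$3") return 0 ;;
        *) return 3 ;;
    esac
}

# Demo in a throwaway directory.
dir=$(mktemp -d)
make_csr "$dir/your_domain.key" "$dir/your_domain.csr" \
    "/C=US/ST=Florida/L=Saint Petersburg/O=Your Company, Inc./OU=IT/CN=yourdomain.com"
if check_csr "$dir/your_domain.key" "$dir/your_domain.csr" yourdomain.com; then
    echo "CSR signature, key and CN check out"
else
    echo "CSR check failed with status $?" >&2
fi
rm -rf "$dir"
```

A non-zero status from check_csr means the CSR should be regenerated rather than submitted.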

Submit the CSR to Certificate Authorities

We can open the .csr file in a text editor to find the alphanumeric code that was generated.

This text can be copied and pasted into a submittal form to request our SSL certificate from a Certificate Authority. Make sure we copy the entire text.
