1. What is CSR?
A Certificate Signing Request (CSR) is a block of encoded text generated on a server that contains a request for a digital certificate (SSL/TLS) from a Certificate Authority (CA).
The CSR carries your public key and identification information that the CA uses to verify your identity and issue a signed certificate.
Key Characteristics
- Contains: Public key, organization details, domain name, and extensions
- Format: PEM-encoded text (ASCII-based)
- Private Key: Stays secure on your server; never sent to CA
- Validity: CSR itself doesn’t expire; only the issued certificate does
- Usage: Submitted to CAs such as DigiCert, Let’s Encrypt, Sectigo (formerly Comodo), GlobalSign, etc.
2. Generate CSR with OpenSSL Command
Method 1: Interactive Generation (Basic)
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
Parameters explained:
- req – Certificate request operation
- -new – Creates a new CSR
- -newkey rsa:2048 – Generates a fresh 2048-bit RSA private key together with the CSR (2048 bits is the minimum CAs will sign; 3072 or 4096 bits gives a larger security margin at the cost of slower handshakes)
- -nodes – Does not encrypt the private key with a passphrase, so the web server can load it unattended at startup; protect the file with filesystem permissions instead (OpenSSL 3 also accepts the newer spelling -noenc)
- -keyout your_domain.key – Output file for the private key
- -out your_domain.csr – Output file for the CSR
Method 2: Generate Private Key Separately, Then CSR
# Step 1: Generate private key
openssl genrsa -out your_domain.key 2048
# Step 2: Create CSR from the private key
openssl req -new -key your_domain.key -out your_domain.csr
Method 3: Non-Interactive Generation (Automation)
For CI/CD pipelines and scripting, use a configuration file to eliminate prompts:
openssl req -new -newkey rsa:2048 -nodes \
    -keyout your_domain.key \
    -out your_domain.csr \
    -config csr.conf
Or with the subject given on the command line via -subj (this sets only the Distinguished Name; no SAN is added, so it is suitable for a single domain only if the CA copies the CN into the SAN, see Section 4 for adding one explicitly):
openssl req -new -newkey rsa:2048 -nodes \
    -keyout your_domain.key \
    -out your_domain.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company/CN=example.com"
Method 4: Generate with Extended Key Usage & Key Encipherment
The -addext option (OpenSSL 1.1.1 and later) adds request extensions without a config file. digitalSignature is what the ECDHE cipher suites used by TLS 1.2/1.3 need; keyEncipherment only matters for legacy RSA key exchange:
openssl req -new -newkey rsa:2048 -nodes \
    -keyout your_domain.key \
    -out your_domain.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company/CN=example.com" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth"
3. CSR Information Fields (Enter Your Data)
When generating a CSR interactively, you’ll be prompted for these fields:
Required Fields:
| Field | Code | Example | Notes |
|---|---|---|---|
| Country Name | C | US | 2-letter ISO country code |
| State or Province | ST | California | Full state name (not abbreviation) |
| Locality/City | L | San Francisco | Your organization’s city |
| Organization Name | O | Your Company Inc. | Legal business name |
| Common Name | CN | www.example.com | MOST IMPORTANT – Your domain FQDN; browsers match hostnames against the SAN, so repeat it there (Section 4) |
Optional Fields:
| Field | Code | Example | Notes |
|---|---|---|---|
| Organizational Unit | OU | IT Department / Engineering | Department or division |
| Email Address | emailAddress | admin@example.com | Contact email (optional; most public CAs drop it from the issued certificate) |
Critical Notes on CN (Common Name):
- Must match your domain exactly (e.g., example.com or www.example.com); these are two different names, so list both in the SAN if both must work
- Wildcards are supported for one level of subdomains: *.example.com (covers www.example.com but not example.com itself, nor a.b.example.com)
- Mismatch with the actual domain causes browser warnings
- Modern browsers ignore the CN for hostname matching and use only the SAN extension, so every name, the CN included, must also appear in the SAN (Section 4)
Example Interactive Session:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Cisco Systems
Organizational Unit Name (eg, section) []: Security Team
Common Name (eg, your name or your server hostname) []: example.com
Email Address []: admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)
4. Advanced CSR Features: Subject Alternative Names (SAN)
What is SAN?
Subject Alternative Name (SAN) allows a single certificate to secure multiple domains, subdomains, and even IP addresses. Modern browsers (Chrome, Firefox) require SAN; CN alone is insufficient.
Why Use SAN?
- ✅ Secure multiple domains with one certificate
- ✅ Support subdomains: www.example.com, api.example.com, mail.example.com
- ✅ Include IP addresses if needed: 192.168.1.1 (only an internal/private CA will sign private or reserved addresses; publicly trusted CAs refuse them and issue for public IPs only after validating control of the address)
- ✅ Modern CA requirement (most CAs auto-add CN to SAN list)
Create Configuration File for SAN CSR (csr.conf)
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = Example Organization
OU = IT Department
CN = example.com
emailAddress = admin@example.com
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
DNS.4 = mail.example.com
DNS.5 = *.example.com
IP.1 = 192.168.1.1
IP.2 = 10.0.0.5
Generate CSR with SAN
openssl req -new -newkey rsa:2048 -nodes \
    -keyout example.key \
    -out example.csr \
    -config csr.conf
Command-Line SAN Generation (Without Config File)
openssl req -new -newkey rsa:2048 -nodes \
    -keyout example.key \
    -out example.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Example/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:api.example.com,IP:192.168.1.1"
5. CSR File Format
PEM Format (Standard)
CSR files are generated in PEM format by default. This is a text-based, base64-encoded format accepted by all major CAs.
Example CSR file (example.csr):
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END CERTIFICATE REQUEST-----
File Format Characteristics:
- Starts with: -----BEGIN CERTIFICATE REQUEST-----
- Ends with: -----END CERTIFICATE REQUEST-----
- Base64-encoded DER content in between (the same bytes the DER format below holds)
- Text-based (can be opened in any text editor)
- Universally supported by all CAs
DER Format (Binary Alternative)
Some applications require DER format (binary). Convert PEM to DER:
openssl req -in example.csr -outform DER -out example.der
Convert DER back to PEM:
openssl req -in example.der -inform DER -out example.csr
6. Verify CSR Information with OpenSSL
View CSR Details in Human-Readable Format
openssl req -in your_domain.csr -noout -text
Sample output:
Certificate Request:
Data:
Version: 0 (0x0)
Subject:
C = US
ST = California
L = San Francisco
O = Example Organization
OU = IT Department
CN = example.com
emailAddress = admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a3:7d:f2:5c:1a:b8:c3:4e:f1:2a:3b:4c:5d:6e:
...
Exponent: 65537 (0x10001)
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:api.example.com, IP Address:192.168.1.1
Extract Just the Public Key
openssl req -in your_domain.csr -noout -pubkey
Verify CSR Matches Private Key
Ensure the CSR was generated from the correct private key. For RSA keys, compare the modulus on both sides (hashed only to make the comparison readable):
# Get modulus from CSR
openssl req -noout -modulus -in your_domain.csr | openssl md5
# Get modulus from private key
openssl rsa -noout -modulus -in your_domain.key | openssl md5
If the two hashes match, the CSR and key are a valid pair. Output example:
MD5(stdin)= a1b2c3d4e5f6789a0b1c2d3e4f5a6b7c
MD5(stdin)= a1b2c3d4e5f6789a0b1c2d3e4f5a6b7c
This modulus check is RSA-only: an ECDSA key has no modulus, so for EC keys compare the public key extracted from the CSR (shown above with -pubkey) with the public key derived from the private key instead.
Check SAN Details
openssl req -in your_domain.csr -noout -text | grep -A 1 "Subject Alternative Name"
Output:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, IP Address:192.168.1.1
7. CSR Validation Checklist
Before submitting to a CA, verify:
- ✅ PEM format – Starts with -----BEGIN CERTIFICATE REQUEST-----
- ✅ Common Name – Matches your intended domain
- ✅ Subject Alternative Names – Include all required domains/subdomains, the CN among them
- ✅ Key size – At least 2048 bits for RSA (or a 256-bit curve such as P-256 for ECDSA)
- ✅ Private key secured – Protected (mode 600) and never sent to the CA
- ✅ No typos – Organization, country, state, city info accurate
- ✅ Extensions present – keyUsage, extendedKeyUsage, SAN
- ✅ Signature digest – SHA-256 (a SHA-1-signed CSR is rejected by CAs)
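The generation steps of Section 2 and the checks of Sections 6 and 7 combined into one preflight script. This is an added example, not code from the original article: it assumes the OpenSSL CLI (1.1.1 or later, for -addext) is on PATH, deliberately uses an ECDSA P-256 key to show that the RSA-only modulus comparison above does not carry over, and every file name, the subject and the SAN list are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: non-interactive key + SAN
# CSR generation followed by pre-submission checks. Assumes the OpenSSL CLI
# (1.1.1 or later, for -addext) is on PATH; all file names, the subject and
# the SAN list are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 2; }

# gen_csr KEYFILE CSRFILE CN "DNS:a,DNS:b,..."
# Creates an ECDSA P-256 private key (no passphrase, mode 600) and a CSR whose
# SAN carries the full name list. keyUsage is digitalSignature only: an EC key
# never does key encipherment, so requesting it would be meaningless.
gen_csr() {
  key="$1"; csr="$2"; cn="$3"; san="$4"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null
  chmod 600 "$key"
  openssl req -new -key "$key" -out "$csr" -sha256 \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Organization/CN=$cn" \
    -addext "subjectAltName=$san" \
    -addext "keyUsage=digitalSignature" \
    -addext "extendedKeyUsage=serverAuth"
}

# csr_preflight CSRFILE KEYFILE EXPECTED_DNS_NAME...
# Returns 0 when every checklist item passes; prints the first failure and
# returns 1 otherwise.
csr_preflight() {
  csr="$1"; key="$2"; shift 2

  # PEM framing: five dashes on each side of the header.
  [ "$(head -n 1 "$csr")" = "-----BEGIN CERTIFICATE REQUEST-----" ] \
    || { echo "FAIL: not a PEM CSR"; return 1; }

  # Self-signature: catches truncation/corruption and a CSR whose embedded
  # public key does not belong to the key that signed it.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "FAIL: CSR self-signature does not verify"; return 1; }

  # Key pairing, algorithm-agnostic: hash the DER public key from both sides.
  # (The modulus trick is RSA-only; an EC key has no modulus.)
  pk_csr=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  pk_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$pk_csr" = "$pk_key" ] || { echo "FAIL: CSR public key does not match $key"; return 1; }

  # Key size: 2048-bit minimum for RSA (text shows a Modulus), 256-bit for EC.
  info=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -text -noout)
  bits=$(printf '%s\n' "$info" | sed -n '1s/.*(\([0-9][0-9]*\) bit).*/\1/p')
  case "$info" in *Modulus*) min=2048 ;; *) min=256 ;; esac
  [ "${bits:-0}" -ge "$min" ] || { echo "FAIL: key is ${bits:-?} bits, minimum $min"; return 1; }

  # Signature digest: SHA-256 family only; CAs reject SHA-1-signed requests.
  openssl req -in "$csr" -noout -text | grep -qi 'Signature Algorithm:.*sha256' \
    || { echo "FAIL: CSR not signed with SHA-256"; return 1; }

  # SAN: every name the certificate must cover has to be present as DNS:name.
  san="$(openssl req -in "$csr" -noout -text | grep -A 1 'Subject Alternative Name' | tail -n 1),"
  for name in "$@"; do
    case "$san" in *"DNS:$name,"*) ;; *) echo "FAIL: SAN lacks DNS:$name"; return 1 ;; esac
  done
  echo "OK: $csr passes preflight"
}

# Stand-alone run: generate into a temp dir and check, then show a key mismatch.
W=$(mktemp -d)
gen_csr "$W/example.key" "$W/example.csr" example.com \
  "DNS:example.com,DNS:www.example.com,DNS:api.example.com"
csr_preflight "$W/example.csr" "$W/example.key" example.com www.example.com api.example.com
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$W/other.key" 2>/dev/null
csr_preflight "$W/example.csr" "$W/other.key" example.com || true   # expected: FAIL
```

Run it as-is to see one passing and one failing check; to use it on a real request, call csr_preflight with your CSR, your key and the full list of hostnames the certificate must cover, and submit only when it prints OK.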
8. Submit CSR to Certificate Authorities
Step-by-Step Submission Process
Step 1: Prepare the CSR
# Copy CSR content (entire file from BEGIN to END)
cat your_domain.csr
Step 2: Choose a Certificate Authority
Popular CAs:
- Let’s Encrypt – Free, domain-validated only, fully automated issuance and renewal via ACME (widely used in production, not just for testing)
- DigiCert – Premium, enterprise support
- Sectigo (formerly Comodo) – Affordable, widely trusted, wide browser compatibility
- GlobalSign – High-assurance certificates
- Entrust – Government and enterprise solutions
Step 3: Navigate to CA’s CSR Upload Page
Most CAs have a web portal:
- Log in or create an account
- Select certificate type (DV, OV, or EV SSL)
- Paste CSR content in the “CSR” field
Step 4: Complete Domain Validation
Choose validation method:
| Method | Time | Difficulty |
|---|---|---|
| Email Validation | Minutes | Low – Check email |
| DNS TXT Record | 15-30 min | Medium – Add DNS record |
| HTTP File Upload | 15-30 min | Medium – Upload file to server |
Step 5: Receive Certificate
Once validated (minutes to hours):
- CA issues the signed certificate (.crt or .cer file)
- Download the intermediate certificate(s) that link your certificate to the root; they must be served alongside it
- Download the root certificate if you need it for local verification (clients already hold it in their trust store, so serving it is unnecessary)
Step 6: Install on Server
# For Apache
cp your_domain.crt /etc/ssl/certs/
cp intermediate.crt /etc/ssl/certs/                 # chain file supplied by the CA
cp your_domain.key /etc/ssl/private/
chmod 600 /etc/ssl/private/your_domain.key
# Configure Apache SSL: SSLCertificateFile (leaf, or leaf + intermediates in one file) and SSLCertificateKeyFile
# For Nginx (ssl_certificate expects leaf followed by intermediates in one file)
cat your_domain.crt intermediate.crt > /etc/nginx/ssl/fullchain.crt
cp your_domain.key /etc/nginx/ssl/
chmod 600 /etc/nginx/ssl/your_domain.key
# Configure Nginx SSL: ssl_certificate fullchain.crt; ssl_certificate_key your_domain.key
# For others (IIS, Tomcat, etc.), follow CA/vendor documentation
9. Common CSR & SSL/TLS Errors & Troubleshooting
Error 1: Domain Mismatch
ERROR: Common Name (CN) in CSR doesn't match actual domain
Fix: Regenerate CSR with correct domain name in CN and SAN
Error 2: Missing SAN
ERROR: Certificate missing Subject Alternative Name extension
Fix: Regenerate CSR with SAN extension using config file
Error 3: CSR-Key Mismatch
ERROR: CSR not signed by the provided private key
Fix: Verify modulus match (see section 6); regenerate if mismatch
Error 4: Invalid PEM Format
ERROR: Unable to parse CSR – not valid PEM format
Fix: Ensure CSR starts with -----BEGIN CERTIFICATE REQUEST-----
Error 5: Wrong Key Size
ERROR: Key size below minimum (2048 bits required)
Fix: Regenerate CSR with -newkey rsa:2048 or higher
Error 6: Expired Certificate (After Installation)
ERROR: SSL certificate expired on [date]
Fix: Generate new CSR and request renewal from CA
Error 7: Untrusted Certificate (Self-Signed)
ERROR: Certificate is self-signed, not from trusted CA
Fix: Submit CSR to trusted CA; self-signed OK only for testing
Error 8: Incomplete Certificate Chain
ERROR: Browser shows "certificate chain incomplete"
Fix: Serve the intermediate certificate(s) together with your certificate (leaf first, then intermediates); the root is already in client trust stores. Some browsers fetch a missing intermediate themselves via the certificate’s AIA URL, which is why a site can look fine in one browser and fail in another or in curl.
Diagnostic Commands:
# Check installed certificate and chain (-servername sends SNI; without it a multi-site server may return its default certificate)
openssl s_client -connect example.com:443 -servername example.com -showcerts
# Check certificate dates
openssl x509 -in your_domain.crt -noout -dates
# Verify the certificate against the CA chain
openssl verify -CAfile ca-bundle.crt your_domain.crt
10. Advanced OpenSSL Config File Template (csr.conf)
Save this as a template for future use:
# ============================================================================
# OpenSSL Certificate Signing Request (CSR) Configuration File
# Usage: openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
#        -out server.csr -config csr.conf
# ============================================================================
[ req ]
default_bits = 2048 # RSA key size (2048 or 4096)
default_md = sha256 # Hashing algorithm
distinguished_name = req_distinguished_name # Subject fields
req_extensions = v3_req # Extensions section
prompt = no # No interactive prompts
# Distinguished Name (DN) - Subject Information
[ req_distinguished_name ]
C = US # Country (2-letter code)
ST = California # State/Province
L = San Francisco # Locality/City
O = Example Organization # Organization name
OU = IT Security Department # Organizational Unit
CN = example.com # Common Name (domain)
emailAddress = admin@example.com        # Email address
# Extensions - Additional CSR features
[ v3_req ]
basicConstraints = CA:FALSE # Not a CA certificate
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# Subject Alternative Names (SAN) - Multiple domains
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
DNS.4 = mail.example.com
DNS.5 = *.example.com
IP.1 = 192.168.1.1
IP.2 = 10.0.0.5
11. Security Best Practices
Private Key Security:
- ✅ Keep private key on secure server only
- ✅ Use appropriate file permissions (600): chmod 600 your_domain.key
- ✅ Never email or transfer unencrypted
- ✅ Regular backups to secure location
- ❌ Never share with anyone, including CA
- ❌ Don’t store in version control (GitHub, etc.)
Certificate Lifecycle:
- ✅ Monitor expiration dates (set calendar reminders)
- ✅ Automate renewals where possible (Let’s Encrypt ACME)
- ✅ Keep intermediate/root certificates updated
- ✅ Test new certificates before deployment
Key Size Recommendations:
- Minimum: 2048-bit RSA (the smallest size CAs will sign; still adequate today)
- Larger margin: 3072- or 4096-bit RSA (slower handshakes; most deployments do not need it)
- Alternative: ECDSA on P-256 or P-384 – already supported by every modern browser and CA; smaller keys and faster handshakes than RSA
Hash Algorithm:
- ✅ SHA-256 – Industry standard (use this)
- ❌ SHA-1 – Deprecated; CAs stopped issuing SHA-1 certificates in 2016 and browsers have rejected them since 2017
12. Useful OpenSSL Commands Reference
# Generate private key only
openssl genrsa -out example.key 4096
# Generate CSR from existing key
openssl req -new -key example.key -out example.csr
# Generate CSR + key in one command
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
# View CSR details
openssl req -in example.csr -noout -text
# Verify CSR and key match
openssl req -noout -modulus -in example.csr | openssl md5
openssl rsa -noout -modulus -in example.key | openssl md5
# Convert CSR from PEM to DER
openssl req -in example.csr -outform DER -out example.der
# Extract public key from CSR
openssl req -in example.csr -noout -pubkey
# Check certificate after installation
openssl x509 -in example.crt -noout -text
# Verify certificate chain
openssl verify -CAfile ca-bundle.crt example.crt
# Test SSL/TLS connection (send SNI so a multi-site server returns the right certificate)
openssl s_client -connect example.com:443 -servername example.com -showcerts
13. Summary & Quick Reference
| Task | Command |
|---|---|
| Generate CSR + Key | openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr |
| Generate CSR (existing key) | openssl req -new -key domain.key -out domain.csr |
| Non-interactive CSR | openssl req -new ... -config csr.conf |
| View CSR | openssl req -in domain.csr -noout -text |
| Verify CSR-Key match | openssl req -noout -modulus -in domain.csr \| openssl md5 AND openssl rsa -noout -modulus -in domain.key \| openssl md5 |
| Extract public key | openssl req -in domain.csr -noout -pubkey |
| Convert PEM to DER | openssl req -in domain.csr -outform DER -out domain.der |
| Test HTTPS | openssl s_client -connect example.com:443 -servername example.com |