Install OpenSSL
OpenSSL is used to generate the key file and CSR for your certificate. This is a common package and is available on all of the major Linux distributions through their package installers. Installers are also available for macOS and Windows. This tutorial outlines the steps on Linux.
To check whether it is installed on a system that uses yum (such as CentOS or Red Hat Enterprise Linux), run the following command.
rpm -qa | grep -i openssl
The preceding command should return the following or similar packages:
openssl-1.0.1e-48.el6_8.1.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686
If these packages are not returned, install OpenSSL by running the following command:
yum install openssl openssl-devel
To check whether OpenSSL is installed in a Debian or Ubuntu system, run the following command:
dpkg -l | grep openssl
You should receive the following output.
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.4 amd64 GNU TLS library - OpenSSL wrapper
ii openssl 1.0.1f-1ubuntu2.16 amd64 Secure Sockets Layer toolkit - cryptographic utility
If you don’t see the expected output, install OpenSSL by running the following command:
apt-get install openssl
Generate the RSA key
Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:
mkdir ~/my_ssl/
cd ~/my_ssl/
Run the following command to generate a private key:
openssl genrsa -out ~/my_ssl/my.domain.com.key 2048
Create a CSR
Type the following command to create a CSR with the RSA private key (output is in PEM format):
openssl req -new -sha256 -key ~/my_ssl/my.domain.com.key -out ~/my_ssl/my.domain.com.csr
When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.
Note: The following characters cannot be used in the Organization Name or the Organizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&
DN field | Explanation | Example |
---|---|---|
Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.yourdomain.com, then your CSR’s common name must be www.yourdomain.com. If you plan to get a wildcard certificate, make sure to prefix your domain name with an asterisk, for example: *.domain.com. |
Organization Name | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com |
Organizational Unit | Section of the organization. | IT |
City or Locality | The city where your organization is legally located. | Wellesley Hills |
State or Province | The state or province where your organization is legally located. Do not use an abbreviation. | Massachusetts |
Country | The two-letter ISO abbreviation for your country. | US |
Verify your CSR
Run the following command to verify your CSR:
openssl req -noout -text -in ~/my_ssl/my.domain.com.csr
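The key, CSR and verification steps above can also be scripted without prompts and followed by automated checks on the result. This is an added example, not part of the original tutorial: the function names `make_csr` and `check_csr` are hypothetical, the DN values are the sample values from the table, and the Common Name check assumes CN is the last field of the subject.

```bash
# Added example (not from the original tutorial). make_csr and check_csr are
# hypothetical helper names; DN values are the table's sample values.

# make_csr DOMAIN DIR SUBJECT: writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_csr() {
    local domain="$1" dir="$2" subj="$3"
    (
        umask 077   # new directory and key file are accessible to the owner only
        mkdir -p "$dir" &&
        openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null &&
        openssl req -new -sha256 -key "$dir/$domain.key" \
            -subj "$subj" -out "$dir/$domain.csr"
    )
}

# check_csr DOMAIN DIR: returns 0 only if all four checks pass
check_csr() {
    local key="$2/$1.key" csr="$2/$1.csr" subject cn

    # 1. The private key must not be readable by group or others.
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] ||
        { echo "private key permissions too open" >&2; return 1; }

    # 2. The CSR self-signature must verify. Match on the message text,
    #    because some OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature does not verify" >&2; return 1; }

    # 3. The public key in the CSR must be the one derived from the private key.
    [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl req -in "$csr" -noout -pubkey)" ] ||
        { echo "CSR was not made from this key" >&2; return 1; }

    # 4. The Common Name must exactly match the domain (assumes CN is the last
    #    subject field; handles both "CN=x" and "CN = x" output styles).
    subject=$(openssl req -in "$csr" -noout -subject)
    cn=${subject##*CN}; cn=${cn#*=}; cn=${cn# }
    [ "$cn" = "$1" ] || { echo "CN '$cn' does not match $1" >&2; return 1; }
}

# Usage:
#   make_csr www.yourdomain.com ~/my_ssl \
#     "/C=US/ST=Massachusetts/L=Wellesley Hills/O=domain.com/OU=IT/CN=www.yourdomain.com"
#   check_csr www.yourdomain.com ~/my_ssl
```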