How to Generate a CSR File

This article shows you how to generate and export the CSR (Certificate Signing Request) file needed for purchasing a signed certificate from a Certificate Authority (CA).

Solution

Step 1: Generate a Key Pair

The openssl utility is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed it elsewhere, you will need to adjust these instructions appropriately.

Type the following command at the prompt:

openssl genrsa -out www.mydomain.com.key 1024


This command generates a 1024-bit RSA private key and stores it in the www.mydomain.com.key file.

When prompted for a pass phrase, please ensure you are using an empty pass phrase (i.e. do not enter any pass phrase).

Step 2: Generate the CSR

Type the following command at the prompt:

openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr


This command will prompt for the following X.509 attributes of the certificate:

  • Country Name – use the two-letter code without punctuation for country, for example: US or CA.
  • State or Province – spell out the state completely; do not abbreviate the state or province name, for example: California
  • Locality or City – the Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
  • Company – if your company or department has an &, @, or any other symbol that requires the Shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
  • Organizational Unit – this field is optional, but it can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
  • Common Name – the Common Name is the Host + Domain Name. It looks like www.company.com or company.com.

An SSL certificate can only be used on a server whose name matches the Common Name specified during enrollment. For example, a certificate for domain.com will trigger a warning when used to access a site named www.domain.com or secure.domain.com, because www.domain.com and secure.domain.com are different from domain.com.

A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be used for certificate enrollment.
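
The following check is an added example, not part of the original article: a shell function that confirms, before the CSR is sent to the CA, that the request is correctly signed, belongs to the key from Step 1, and carries the intended Common Name. The function name check_csr and the 2048-bit default minimum are assumptions of this example; publicly trusted CAs following the CA/Browser Forum Baseline Requirements require RSA keys of at least 2048 bits, so a CSR built from a 1024-bit key is reported as a failure.

```shell
#!/bin/sh
# Added example (not from the original article): pre-submission checks on a CSR.
# Usage: check_csr KEY_FILE CSR_FILE EXPECTED_CN [MIN_BITS]
# Prints one line per failed check; returns 0 only if every check passes.
# check_csr and the 2048-bit default are assumptions of this example.
check_csr() {
    key=$1; csr=$2; want_cn=$3; min_bits=${4:-2048}
    rc=0

    # 1. The CSR's self-signature must verify. The output is matched rather
    #    than the exit code, because some openssl builds exit 0 on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; rc=1; }

    # 2. The public key inside the CSR must be the one derived from KEY_FILE,
    #    otherwise the issued certificate will not work with this key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: CSR public key does not match $key"; rc=1
    fi

    # 3. Key size, read from the CSR's text dump ("Public-Key: (N bit)").
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: ${bits:-unknown}-bit key is below the ${min_bits}-bit minimum"; rc=1
    fi

    # 4. Common Name must be exactly the host name the site is served under.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: Common Name is '$cn', expected '$want_cn'"; rc=1
    fi

    return $rc
}
```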
