Create a certificate signing request (CSR)

A Certificate Signing Request (CSR) is required to order an SSL certificate. When you generate a CSR, a private key is also generated on your web server. If you want to create a wildcard certificate, you need to submit an * (asterisk) in the common name, for example *.mydomain.com. To create a CSR, you can use the OpenSSL command, for example.

Important

Remember to store the private key that is created during the CSR creation in a safe place and never to share it with anyone as this potentially compromises the security of your certificate when it falls into the hands of bad actors.

Generating a CSR with the OpenSSL Command

1
For creating a CSR you must be logged in to the server via an SSH connection. Use the cd command to navigate to the folder in which the certificates should be saved:
cd /etc/ssl/certs/

CSR with RSA private key
1
The following command can be used to generate the CSR with SHA1:
openssl req -utf8 -nodes -newkey rsa:2048 -keyout www_domainname_com.key -out www_domainname_com.csr
2
To generate the CSR with a SHA-2 hash, add the -sha256 option to the command:
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www_domainname_com.key -out www_domainname_com.csr

CSR with ECC private key
1
When an ECC key is needed, two commands are required: one to generate the key and a second to create the CSR:
openssl ecparam -out server.key -name prime256v1 -genkey
openssl req -new -key server.key -out server.csr

CSR for SAN/Multi domain

Important

Extra domains can be submitted on the request page as well separately from the CSR.

1
Create a copy of the existing config file. The existing OpenSSL config file is located at /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf. Use the cp command to make a copy of the config file (make sure the target directory exists):
cp /etc/ssl/openssl.cnf /home/name/multi_domain_site/
2
Edit the config file and enable [ v3_req ]
nano /home/name/multi_domain_site/openssl.cnf
3
Look for the [ req ] section in the file. Uncomment the following line: If you don’t see the line, add it under the [ req ] section. This directs OpenSSL to read the [ v3_req ] section.

4
Scroll down until you see [ v3_req ] and add the following line: "subjectAltName = @alt_names". This will cause the config file to read the alt names.

5
Create a new section [ alt_names ] at the bottom of the config file. Add the SAN, DNS or alt names in the format below:

[ alt_names ]
DNS.1 = www.exampledomain.com
DNS.2 = test.exampledomain.com
DNS.3 = local.exampledomain.com
DNS.4 = viritual.exampledomain.com

6
Save the file and generate the private key
openssl genrsa -out domainname_com.key 2048
7
Generate the CSR
openssl req -new -key domainname_com.key -out domainname_com.csr -config openssl.cnf
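The multi-domain steps above, condensed into one script that also checks the result, as an added example that is not part of the original article: it writes a minimal config instead of editing a copy of openssl.cnf, creates the key with owner-only permissions, and confirms the CSR carries the SAN entries and a SHA-256 signature. The file name san.cnf, the function names and the use of prompt = no with inline subject values are assumptions; req_extensions = v3_req is the standard [ req ] directive that points OpenSSL at the [ v3_req ] section.

```shell
#!/bin/sh
# Added example: build a SAN CSR from a minimal config, then inspect it.
# Hostnames and subject values are the article's samples; san.cnf and the
# function names are assumptions made for this example.

make_san_csr() {   # $1 = output directory
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = NL
ST = Overijssel
L  = Zwolle
O  = Realtime Register B.V.
OU = IT
CN = www.exampledomain.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.exampledomain.com
DNS.2 = test.exampledomain.com
EOF
    # umask 077 in a subshell: the private key is never group/world readable
    ( umask 077; openssl genrsa -out "$dir/domainname_com.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$dir/domainname_com.key" \
        -out "$dir/domainname_com.csr" -config "$dir/san.cnf"
}

csr_sans() {       # print the DNS names in the CSR, one per line
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

csr_sigalg() {     # print the CSR's signature algorithm
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

csr_selfcheck() {  # match the message: older OpenSSL exits 0 even on a bad signature
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

workdir=$(mktemp -d)
make_san_csr "$workdir" && csr_selfcheck "$workdir/domainname_com.csr" \
    && csr_sans "$workdir/domainname_com.csr" && csr_sigalg "$workdir/domainname_com.csr"
```

Running the same three checks on any CSR before submitting it shows whether the SAN section was actually picked up and which digest was used.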

Providing certificate details

Once you've executed the RSA, ECC or multi-domain method, you will be asked to enter fields such as the common name, company name, department, country name, and locality. The information given in the CSR needs to be correct and valid since it corresponds to the WHOIS information of the domain name and the Chamber of Commerce if applicable. The fields Email Address, Optional company name and challenge password can be left empty when applying for a web server certificate.

Important

OpenSSL generates two files: the CSR (with the name format www_domainname_com.csr) and the Private Key (with the name format www_domainname_com.key)

Remember to store the private key that is created during the CSR creation in a safe place and to never share it with anyone as this potentially compromises the security of your certificate when it falls into the hands of bad actors.

1
Country Name (2 letter code) [AU]: NL
2
State or Province Name (full name) [Some-State]: Overijssel
3
Locality Name (eg, city): Zwolle
4
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Realtime Register B.V.
5
Organizational Unit Name (eg, section) []: IT
6
Common Name (eg, YOUR name) []: www.domainname.com
7
Email Address []: (optional)
8
A challenge password []: (optional)
9
An optional company name []: (optional)

Important

For the Common Name (CN) it's advised to enter the Fully Qualified Domain Name (FQDN) including the www, for example www.domainname.com

  • Now that you've successfully created your CSR, you can use it in a certificate request to order an SSL-certificate.
