Generating a CSR Locally with OpenSSL

A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. This article will walk you through generating a CSR on your server using OpenSSL.

OpenSSL is the de-facto standard for key and CSR generation on a webserver environment.  These CSR’s can then be handed to a Certificate Authority to obtain a SSL certificate to facilitate secure traffic to and from your server.  OpenSSL is free, open source, and secure, so it is the recommended solution to create your CSR’s from.

Prerequisites

A Linux server

Generating a CSR

First log into your server, and navigate to the directory you would like to generate the CSR in.  Once there, run the following:

openssl req -new -newkey rsa:2048 -nodes -keyout .key -out .csr

Be sure to replace in the above command with the appropriate domain name of the site you are creating a CSR for.  If everything looks good hit enter.

OpenSSL will then prompt you for some information which it incorporates into the generated CSR.  Answer these prompts to the best of your ability.  A run-down of the prompts and the answers they are looking for is provided below:

Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
  • Country Name is the country the CSR is being generated for.  This is required to be a two letter country code as denoted by ISO-3166, which is the best place to look if you are unsure what your country code is.
  • State or Province Name is pretty self explanatory, but it is important to note that the full province name is required.  As an example, do not use IA or TX, instead use Iowa or Texas.
  • Locality Name is the city or township in which you reside.
  • Organization Name is usually the name of the owner of the site, such as a business or other organization.
  • Organizational Unit Name is an optional field and can be left blank.  It is meant to be used to denote what department or sub-unit within an organization owns the site.
  • Common Name is the domain name of the site to be secured by a certificate.
  • Email Address is also optional, and is meant to denote the webmaster email for the website.

Next, OpenSSL will prompt you for a pass-phrase.  This is optional, but is recommended for better security.  Be sure to choose a phrase that is either easy for you to remember, or can be noted and stored securely.

OpenSSL will then generate a key-file and a .csr inside the directory the command was run in.  It will also then exit without output to the terminal.  When you see the command prompt return, you know the process is complete.  Now simply ‘ls’ to find your file.

Next Steps

Now that you have a CSR generated, you will want to bring it to a Certificate Authority to request a SSL certificate.  Follow the guidelines and instructions of your chosen Certificate Authority to obtain a certificate.