This tutorial will show you how to manually generate a Certificate Signing Request (or CSR) in an Apache or Nginx web hosting environment using OpenSSL. SSL.com has separate tutorials on ordering certificates and on installing your new SSL.com certificate.
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin.
In these instructions, we’re going to use OpenSSL’s req utility to generate both the private key and CSR in one command. Generating the private key in this way ensures that you will be prompted for a pass phrase to protect the private key. In all command examples shown, replace the filenames shown in ALL CAPS with the actual paths and filenames you want to use. (For example, you might replace PRIVATEKEY.key with /private/etc/apache2/server.key in a macOS Apache environment.) This how-to covers generation of both RSA and ECDSA keys.
RSA
The OpenSSL command below will generate a 2048-bit RSA private key and CSR:
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Let’s break the command down:
- openssl is the command for running OpenSSL.
- req is the OpenSSL utility for generating a CSR.
- -newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you would prefer a 4096-bit key, change this number to 4096.
- -keyout PRIVATEKEY.key specifies where to save the private key file.
- -out MYCSR.csr specifies where to save the CSR file.
- With these last two items, remember to use your own paths and filenames for the private key and CSR, not the placeholders.
After typing the command, press enter. You will be presented with a series of prompts:
- First create and verify a pass phrase. Remember this pass phrase because you will need it again to access your private key.
- You will now be prompted to enter the information which will be included in your CSR. This information is also known as the Distinguished Name, or DN. The Common Name field is required by SSL.com when submitting your CSR, but the others are optional. If you would like to skip an optional item, simply press enter when it appears:
  - The Country Name field (optional) takes a two-letter country code.
  - The Locality Name field (optional) is for your city or town.
  - The Organization Name field (optional) is for the name of your company or organization.
  - The Organizational Unit Name field (optional) is for your department or section.
  - The Common Name field (required) is used for the Fully Qualified Domain Name (FQDN) of the website this certificate will protect.
  - The Email Address field is optional.
  - The Challenge Password field is optional and can be skipped as well.
Upon completion of this process, you will be returned to a command prompt. You will not receive any notification that your CSR was successfully created.
ECDSA
To create an ECDSA private key with your CSR, you need to invoke a second OpenSSL utility to generate the parameters for the ECDSA key.
This OpenSSL command will generate a parameter file for a 256-bit ECDSA key:
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem
Let’s break this command down:
- openssl genpkey runs OpenSSL’s utility for private key generation.
- -genparam generates a parameter file instead of a private key. You could also generate a private key directly, but using the parameter file when generating the key and CSR ensures that you will be prompted for a pass phrase.
- -algorithm ec specifies an elliptic curve algorithm.
- -pkeyopt ec_paramgen_curve:P-256 chooses a 256-bit curve. If you prefer a 384-bit curve, change the portion after the colon to P-384.
- -out ECPARAM.pem provides a path and filename for the parameter file.
Now, specify your parameter file when generating the CSR:
openssl req -newkey ec:ECPARAM.pem -keyout PRIVATEKEY.key -out MYCSR.csr
The command is the same as we used in the RSA example above, but -newkey rsa:2048 has been replaced with -newkey ec:ECPARAM.pem. As before, you will be prompted for a pass phrase and Distinguished Name information for the CSR.
If you wish, you can use the shell’s process substitution (supported by bash and zsh, but not by plain POSIX sh) to combine the two OpenSSL commands into one line, skipping the separate parameter file, as follows:
openssl req -newkey ec:<(openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256) -keyout PRIVATEKEY.key -out MYCSR.csr
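The following script is an added example, not part of the SSL.com tutorial, that wraps both the RSA and the ECDSA procedures above and adds the check the tutorial notes OpenSSL never gives you: after "openssl req" returns silently, it verifies the CSR’s self-signature and confirms that the public key inside the CSR is the one in the saved private key. It assumes an OpenSSL 1.1.1 or 3.x binary on PATH with its default openssl.cnf present. The -passout and -subj options are real req options that answer the pass phrase and Distinguished Name prompts non-interactively; the PASSPHRASE value, the www.example.com subject, the output paths and the function names gen_csr, check_csr and csr_cn are constructed for this example.

```shell
#!/bin/sh
# Added example (not SSL.com's code): non-interactive key + CSR generation for RSA
# and ECDSA, followed by the checks that "openssl req" does not print for you.
# Assumes OpenSSL 1.1.1 or 3.x on PATH. Subject, passphrase and paths are constructed.
set -eu

# Constructed passphrase. In real use pass "file:/path" or read it from the environment
# rather than hard-coding it in a script.
PASSPHRASE="pass:example-passphrase"

# gen_csr ALGO DIR
#   ALGO is "rsa" (2048-bit key) or "ec" (P-256 key via a parameter file, as in the text).
#   Writes DIR/server.key (passphrase-protected) and DIR/server.csr.
gen_csr() {
    algo="$1"; dir="$2"
    mkdir -p "$dir"
    case "$algo" in
        rsa) newkey="rsa:2048" ;;
        ec)
            # Same parameter-file step as the ECDSA section of the tutorial.
            openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 \
                -out "$dir/ecparam.pem" 2>/dev/null
            newkey="ec:$dir/ecparam.pem" ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    # -passout answers the pass phrase prompt; -subj answers the Distinguished Name
    # prompts, with CN set to the FQDN the certificate will protect.
    openssl req -newkey "$newkey" -keyout "$dir/server.key" -out "$dir/server.csr" \
        -passout "$PASSPHRASE" -subj "/C=US/O=Example Org/CN=www.example.com" 2>/dev/null
}

# check_csr DIR
#   Succeeds only if the CSR's self-signature verifies AND the public key inside the
#   CSR equals the public half of server.key. A key that was regenerated after the
#   CSR was made fails the second test; that mismatch is what later surfaces as a
#   "certificate does not match private key" error when the issued cert is installed.
check_csr() {
    dir="$1"
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -passin "$PASSPHRASE" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_cn DIR: print the Common Name recorded in the CSR subject, so it can be
# eyeballed before the CSR is submitted. Handles both "CN = x" and "/CN=x" output forms.
csr_cn() {
    openssl req -in "$1/server.csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage with constructed paths; set RUN_CSR_DEMO=1 to run it when executing the file.
if [ "${RUN_CSR_DEMO:-0}" = "1" ]; then
    for a in rsa ec; do
        gen_csr "$a" "/tmp/csr-demo/$a"
        check_csr "/tmp/csr-demo/$a" && echo "$a: CSR OK, CN=$(csr_cn "/tmp/csr-demo/$a")"
    done
fi
```

check_csr compares the PEM public keys byte for byte, which is stricter than checking that both files merely load; for an RSA pair you could instead compare modulus hashes, but the SubjectPublicKeyInfo comparison works unchanged for ECDSA keys as well.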