Before you begin
OpenSSL is a command line program for creating and managing certificates that is widely used by UNIX, Linux and BSD distributions. OpenSSL is used in combination with many server products, including Apache, Nginx, Lighttpd and various routers and other hardware. This manual describes how an RSA or ECC Private Key and CSR can be created with OpenSSL.
It is practical to store all files and keys centrally in a folder; the folder used for this can, however, vary considerably per distribution. As an example, this manual uses /etc/ssl/cert/. It is very important that this folder is well protected!
It is advisable to log in via SSH on the server, so that the CSR can easily be copied to a web browser to submit the application.
Create CSR with openssl command
Connect to the server using SSH and log in as root. Use the cd command to go to the folder where the certificates are to be stored:
cd /etc/ssl/cert/
CSR with RSA Private key
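With the following command the Private Key and the CSR can be generated; the CSR is signed using SHA-256 (SHA-2). Because of the -nodes option the Private Key is written to disk without a passphrase, so the file permissions on the key are its only protection:
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www_example_com.key -out www_example_com.csr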
CSR with ECC Private key
If you want to use an Elliptic Curve Private Key, run the following commands:
openssl ecparam -out server.key -name prime256v1 -genkey
openssl req -new -key server.key -out server.csr
Complete CSR fields
- Enter the data used to apply for the SSL Certificate. It is very important that this information matches the whois data of the domain name and the data of the organization as registered with the Chamber of Commerce. For some fields there is a default value, which is displayed between brackets ([default value]).
- Country Name (2 letter code) [AU]: NL
- State or Province Name (full name) [Some-State]: South-Holland
- Locality Name (eg, city) []: Gouda
- Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name
- Organizational Unit Name (eg, section) []: ICT
- Common Name (eg, YOUR name) []: example.com
- Email Address []:
- An optional company name []:
As the Common Name (CN) you give the name of the web server as the client will address it. In most cases this is a full domain name such as: www.example.com
- OpenSSL generates two files: the Private Key (with the name www_example_com.key) and the CSR (with the name www_example_com.csr)
- Secure the certificate files so that no one except the root user can access them:
[root@server cert]# chmod 600 *.key *.csr
- Now the CSR can be displayed with the help of the cat command:
[root@server cert]# cat www_example_com.csr
- You can leave the e-mail address, optional company name and challenge password fields empty when applying for an SSL certificate.
Copy the entire contents of the generated CSR, including start and end lines, to order a certificate.
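Before submitting, the CSR can be checked against the Private Key. The following script is an added example, not part of the original manual: it creates the key under a restrictive umask so that the key file is never readable by other users, then confirms that the CSR's self-signature verifies and that the CSR contains the public key of the intended Private Key. The function names and the temporary directory are assumptions for illustration; the subject values are the sample values used in this manual.

```shell
#!/bin/sh
# Added example: function names and the temporary directory are illustrative.

# Generate key + CSR without prompts. umask 077 makes both files
# owner-only from the moment they are created, so there is no window
# between key generation and a later chmod.
make_csr() {  # usage: make_csr <basename> <subject>
    (
        umask 077
        openssl req -utf8 -nodes -sha256 -newkey rsa:2048 \
            -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    )
}

# Succeeds only if the CSR's self-signature verifies. The output text is
# matched because older OpenSSL releases may exit 0 on a failed check.
csr_signature_ok() {  # usage: csr_signature_ok <csr>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds only if the CSR carries the public key that belongs to the
# given Private Key (works for RSA and ECC keys alike).
csr_matches_key() {  # usage: csr_matches_key <key> <csr>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Demo in a throwaway directory, using this manual's sample field values.
dir=$(mktemp -d)
base="$dir/www_example_com"
make_csr "$base" \
    "/C=NL/ST=South-Holland/L=Gouda/O=Company Name/OU=ICT/CN=www.example.com"

csr_signature_ok "$base.csr" && echo "CSR signature: OK"
csr_matches_key "$base.key" "$base.csr" && echo "CSR matches Private Key"
openssl req -in "$base.csr" -noout -subject   # fields the CA will see
rm -rf "$dir"
```

The same two checks can be run on the ECC files (server.key and server.csr) from the ECC section.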