Manually Generate a Certificate Signing Request (CSR) Using OpenSSL

This tutorial shows you how to manually generate a certificate signing request (CSR) for an Apache or Nginx web hosting environment using OpenSSL. SSL.com also provides separate tutorials on how to request a certificate and on how to install your new certificate once it has been issued.

In these instructions, we use the OpenSSL req utility to generate both the private key and the CSR in a single command. Generating the private key this way ensures that you are prompted for a passphrase to protect it. Keep in mind that only the CSR is sent to SSL.com; the private key stays on your server and should never be shared or copied anywhere it does not need to be. In all of the command examples below, replace the file names shown in UPPERCASE with the actual file names and paths you want to use. (For example, you can replace PRIVATEKEY.key with /private/etc/apache2/server.key in a macOS Apache environment.) This procedure covers both RSA and ECDSA key generation.

RSA

The following OpenSSL command will generate a 2048-bit RSA private key and a CSR:

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Let’s analyze the command:

  • openssl is the command to run OpenSSL.
  • req is the OpenSSL utility for generating a CSR.
  • -newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you prefer a 4096-bit key, change this number to 4096.
  • -keyout PRIVATEKEY.key specifies where to save the private key file.
  • -out MYCSR.csr specifies where to save the CSR file.
  • For these last two items, remember to use your own paths and file names for the private key and CSR, not the placeholders.

After typing the command, press Enter. You will be presented with a series of prompts:

  • First, create and verify a passphrase. Remember this passphrase, because you will need it again whenever the private key is loaded (for example, when your web server starts).
  • Next, you will be asked to enter the information that will be included in your CSR. This information is also known as the distinguished name, or DN. The Common Name field is required by SSL.com when submitting your CSR, but the others are optional. To omit an optional item, simply press Enter when it appears. (Depending on your openssl.cnf, you may also be prompted for State or Province Name and Organizational Unit Name; these are optional as well.)
    • Country Name (optional) takes a two-letter country code.
    • Locality Name (optional) is for your city or town.
    • Organization Name (optional) is for the name of your company or organization.
    • Common Name (required) is the fully qualified domain name (FQDN) of the website that this certificate will protect. Note that browsers match a certificate to a site by its Subject Alternative Name extension rather than by the CN, so the issued certificate must list the FQDN there as well; the CA populates that extension from the name(s) you request.
    • Email Address (optional).
    • Challenge Password (optional) can also be omitted.

At the completion of this process, you will return to a command prompt. You will not receive any notification that your CSR was successfully created.

ECDSA

To create an ECDSA private key with your CSR, you must first invoke a second OpenSSL utility, genpkey, to generate the parameters for the ECDSA key.

This OpenSSL command will generate a parameter file for a 256-bit ECDSA key:

openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM.pem

  • openssl genpkey runs the OpenSSL utility for private key generation.
  • -genparam generates a parameter file instead of a private key. You could also generate the private key directly with genpkey, but using the parameter file when generating the key and CSR with req ensures that you will be prompted for a passphrase.
  • -algorithm ec specifies an elliptic curve algorithm.
  • -pkeyopt ec_paramgen_curve:P-256 chooses the 256-bit NIST P-256 curve (also known as prime256v1). If you prefer a 384-bit curve, change the portion after the colon to P-384.
  • -out ECPARAM.pem provides a path and file name for the parameter file.

Now specify your parameter file when generating the key and CSR:

openssl req -newkey ec:ECPARAM.pem -keyout PRIVATEKEY.key -out MYCSR.csr

The command is the same as the one used in the RSA example above, but -newkey rsa:2048 has been replaced by -newkey ec:ECPARAM.pem. As before, you will be prompted for a passphrase and for the distinguished name information for the CSR.

If desired, you can use process substitution (supported by bash and zsh, but not by a plain POSIX sh) to combine the two OpenSSL commands on one line, so that no parameter file is written to disk:

openssl req -newkey ec:<(openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256) -keyout PRIVATEKEY.key -out MYCSR.csr
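As an added example that is not part of SSL.com's tutorial, the following shell script runs both of the procedures above, the RSA one and the ECDSA one, without interactive prompts (-subj and -passout replace the DN and passphrase prompts, and -addext adds a SAN matching the CN) and then performs the checks a practitioner would want before uploading a CSR: that the CSR's self-signature verifies, that the public key inside the CSR is the one derived from the private key you will install, that the expected algorithm and names are present, and that the key file is not world-readable. It assumes OpenSSL 1.1.1 or later is on PATH; the FQDN, subject, passphrase, file names and WORKDIR are constructed placeholders, not values from the tutorial.

```shell
#!/bin/sh
# Added example (not SSL.com's own code): generate a passphrase-protected
# RSA key + CSR and an ECDSA (P-256) key + CSR without interactive prompts,
# then check each CSR the way you would before uploading it to a CA.
# Assumptions (hypothetical, not from the tutorial): OpenSSL 1.1.1 or later
# is on PATH (-addext needs it); the FQDN, subject and passphrase are
# constructed sample values; all files land under a temporary WORKDIR.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="www.example.com"                              # constructed sample name
export CSR_PASS="${CSR_PASS:-example-passphrase}"   # constructed; env: keeps it out of ps

# gen_csr KIND KEYFILE CSRFILE
#   KIND is "rsa" (2048-bit) or "ec" (P-256). -subj/-addext replace the
#   interactive DN prompts and add a SAN matching the CN; the key is encrypted
#   with CSR_PASS and written with mode 0600.
gen_csr() {
  case "$1" in
    rsa) newkey="rsa:2048" ;;
    ec)  # same two-step flow as the tutorial: parameter file, then key + CSR
         openssl genpkey -genparam -algorithm ec \
           -pkeyopt ec_paramgen_curve:P-256 -out "$WORKDIR/ecparam.pem"
         newkey="ec:$WORKDIR/ecparam.pem" ;;
    *)   echo "gen_csr: unknown key type '$1'" >&2; return 2 ;;
  esac
  ( umask 077
    openssl req -newkey "$newkey" -keyout "$2" -out "$3" \
      -passout env:CSR_PASS \
      -subj "/C=US/ST=Texas/L=Houston/O=Example Org/CN=$FQDN" \
      -addext "subjectAltName=DNS:$FQDN" )
}

# csr_verify CSRFILE: the CSR is self-signed with the new private key; a bad
# signature means a corrupted file or a CSR/key mix-up. The text output is
# checked because older OpenSSL releases exit 0 even when verification fails.
csr_verify() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSRFILE KEYFILE: the public key embedded in the CSR must
# equal the one derived from the private key you will install; otherwise the
# issued certificate will never match the server's key.
csr_matches_key() {
  from_csr=$(openssl req -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -passin env:CSR_PASS -pubout)
  [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# csr_cn CSRFILE: prints the Common Name from the CSR subject.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_algorithm CSRFILE: prints "rsaEncryption" or "id-ecPublicKey".
csr_key_algorithm() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# csr_has_san CSRFILE FQDN: browsers match on the SAN, not the CN.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEYFILE: mode 0600, i.e. unreadable by other local users.
key_is_private() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Generate both kinds and run every check; a failing check aborts (set -e).
run_demo() {
  gen_csr rsa "$WORKDIR/rsa.key" "$WORKDIR/rsa.csr"
  gen_csr ec  "$WORKDIR/ec.key"  "$WORKDIR/ec.csr"
  for kind in rsa ec; do
    csr_verify      "$WORKDIR/$kind.csr"
    csr_matches_key "$WORKDIR/$kind.csr" "$WORKDIR/$kind.key"
    csr_has_san     "$WORKDIR/$kind.csr" "$FQDN"
    key_is_private  "$WORKDIR/$kind.key"
    echo "$kind: CN=$(csr_cn "$WORKDIR/$kind.csr")" \
         "alg=$(csr_key_algorithm "$WORKDIR/$kind.csr") checks passed"
  done
}

run_demo
```

The passphrase is passed with -passout env:CSR_PASS rather than pass:..., so it does not appear in the process list; for a real deployment, drop the constructed default and set CSR_PASS from a secret store. The key-match check is the one that catches the most common mistake in practice, submitting a CSR generated from a different key than the one later installed, and it is cheap to keep in a deployment pipeline.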

Next steps

Once SSL.com has issued your certificate, see SSL.com's installation instructions for your web server; a separate guide covers installation on IIS 10.