How to Generate CSR With OpenSSL

Introduction

A Certificate Signing Request (CSR) is a cryptographic file generated on the server where you plan to install a certificate. It is the first step in setting up an SSL Certificate on your website.

The CSR contains information (such as the common name, organization, country, etc.) that the Certificate Authority (CA) uses to create the certificate. It also contains the public key that will be included in the certificate, and it is signed with the corresponding private key.

This guide will show you how to generate a Certificate Signing Request using OpenSSL.

How to generate a CSR with OpenSSL - a tutorial.

Prerequisites

Generate OpenSSL Certificate Signing Request 

Creating a CSR is a simple process that includes running a few commands and editing configuration on a Linux server. Follow the steps outlined below to create a CSR using OpenSSL.

Step 1: Check OpenSSL Version

The cryptographic algorithms used for generating keys and the supported protocols depend on the OpenSSL version. Knowing which OpenSSL version you have is especially important when troubleshooting possible issues.

The latest OpenSSL version at the time this article was written was 3.2.0. It supports Transport Layer Security (TLS) versions 1.0 to 1.3, while various cryptographic algorithms are deprecated due to security vulnerabilities.

Check your OpenSSL version by running the command below:

openssl version -a
Checking which openSSL version is installed on the system.

The -a flag displays complete version information, including the version number and version release date, the options built with the library, and the directory for storing certificates and private keys.

Step 2: Log Into Server

Open a terminal window and SSH into your remote server. Use the following syntax:

ssh [username]@[host_ip_address]

Note: If you are working locally, you don't need an SSH connection. To launch a terminal window on most Linux systems, press Ctrl+Alt+T or Ctrl+Alt+F1.

Step 3: Create RSA Private Key and CSR

Issue a new private key each time you generate a CSR. Use the syntax below to generate a private key and the CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout [your_domain].key -out your_domain.csr

Replace [your_domain] with the actual domain for which you are generating a CSR.

In the above command:

  • openssl - activates the OpenSSL software.
  • req - indicates that we want a CSR.
  • -new -newkey - generates a new key.
  • rsa:2048 - generates a 2048-bit RSA mathematical key.
  • -nodes - no DES, meaning do not encrypt the private key in a PKCS#12 file.
  • -keyout - indicates the domain for which you are generating a key.
  • -out - specifies the name for saving the CSR file.

Note: Use 2048-bit key pairs. The 4096-bit key pairs are more secure, but they require a lot more server resources.

Step 4: Enter CSR Information

Your system should launch a text-based questionnaire for you to fill out.

Enter your information in the fields as follows:

  • Country Name - a 2-letter country code (US for the United States).
  • State - the state in which the domain owner is incorporated.
  • Locality - the city in which the domain owner is incorporated.
  • Organization name - the legal entity that owns the domain.
  • Organizational unit name - the name of the department or group in your organization that deals with certificates.
  • Common name - typically, the fully qualified domain name (FQDN), which users type in a web browser to navigate to your website.
  • Email address - the webmaster's email address.
  • Challenge password - an optional password for your key pair.

Please take into account that Organization Name and Unit Name must not contain the following characters:

< > ~ ! @ # $ % ^ * / \ ( ) ? . , &

For example:

Creating a CSR and providing the necessary information.

Step 5: Locate Certificate Signing Request File

After you provide the details and the software finishes creating the CSR file, you should be able to find it in your working directory.

You can also run the following command to find CSR files on your machine:

ls *.csr
Search for CSR files on the system.

The system should list all certificate signing requests on the system. The one that matches the domain name you provided in Step 2 appended with the .csr extension is the one you need to look into.

Step 6: Verify CSR Information

After creating the CSR file, verify that the information is correct and that no modifications were made to it.

Use the following syntax to view the contents of the CSR file before submitting it to a CA:

openssl req -text -in [file_name].csr -noout -verify

The -noout flag omits the output of the file, while the -verify flag checks the signature to ensure it has not been modified.

Verifying information in the CSR file.

The output states whether the file was verified and shows the information you provided when you created the CSR file. If any information is incorrect, create a new CSR file and fix the errors.

Step 7: Submit CSR as Part of Your SSL Request

To complete the process and submit the CSR as part of your SSL request, open the .csr file in a text editor and copy the alphanumeric code.

Use the following syntax to open the file in nano:

sudo nano [file_name].csr

You can copy and paste the text into a submittal form to request your SSL certificate from a Certificate Authority. Make sure to copy the entire text. Some CAs may allow you to upload the .csr file you generated. Below is an example of a CSR:

Copying CSR contents.

There is no need to send the private key to the CA. Once you get your SSL certificate, the private key on the server will bind with it to encrypt the communication.

How to Verify Certificate Information from CA

After receiving your certificate, it is a good idea to verify that the certificate information matches your private key. Verify the information using the openssl command. The syntax is:

openssl x509 -text -in [file_name].crt -noout

The command outputs the contents of your certificate.

Additionally, use the following syntax to check the certificate's validity, its issuer, and whether it's been revoked (if CRL or OCSP information is available):

openssl verify [file_name].crt

Conclusion

This article showed how to generate an OpenSSL certificate signing request. SSL is a crucial protocol for securing traffic between a website and its visitors. It helps protect sensitive information online, such as credit card data.

Next, see how to fix Error 526 Invalid SSL certificate, or take a look at our ultimate guide for SSL certificate types.

Was this article helpful?
YesNo
Bosko Marijan
Having worked as an educator and content writer, combined with his lifelong passion for all things high-tech, Bosko strives to simplify intricate concepts and make them user-friendly. That has led him to technical writing at PhoenixNAP, where he continues his mission of spreading knowledge.
Next you should read
How to Generate SSH Keys on Ubuntu 18.04
March 7, 2024

Establishing a connection with a remote server without taking the proper security measures can lead to severe consequences. This article is meant to help...
Read more
How to Check the OpenSSL Version Number
March 28, 2024

OpenSSL is an open-source cryptographic library and SSL toolkit. The applications contained in the library help create a secure communication environment for computer networks...
Read more
How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH
May 20, 2019

Are you running into the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error? This error happens in a user’s browser when they try to access a website. It means that there’s a ...
Read more
How to Install MySQL 8.0 in Ubuntu 18.04
December 12, 2018

MySQL is an open-source relational database server tool for Linux operating systems. It is widely used in modern web-based technology, and it forms part of the popular “LAMP” stack of software...
Read more