Generate a Certificate Signing Request

Prior to issuing ssl certificate, it is necessary to generate CSR, a Certificate Signing Request and a private key. Using OpenSSL command line tool is one of the easiest and safest ways to do so.

Generate a Certificate Signing Request using command

Generating a certificate request requires to enter organization details, such as:

Use following command to generate a CSR with a key file and enter certificate details described above:

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout -out

After necessary details provided, openssl tool will create 2 files: the certificate request and the key file. The key file, that starts with BEGIN PRIVATE KEY, is a sensitive part of the ssl certificate, keep it in safe place. The file with certificate request, that starts with BEGIN CERTIFICATE REQUEST, contains the message that is going to be sent to certificate authority to issue the certificate.

Generate a Certificate Signing Request using a configuration file

It is considered a good practice to keep organisation details consistent in a dedicated openssl configuration file. A configuration file describes private key cryptography parameters and certificate details. An example of openssl configuration file is given below:

    [ req ]
    default_bits = "2048"
    default_md = "sha256"
    default_keyfile = ""
    prompt = "no"
    encrypt_key = "no"

    # base request
    distinguished_name = req_distinguished_name

    # extensions
    req_extensions = v3_req

    # distinguished_name
    [ req_distinguished_name ]
    countryName = "Country code"
    stateOrProvinceName = "Wilayah Persekutuan Kuala Lumpur"
    localityName = "Kuala Lumpur"
    organizationName = "Company Name"
    organizationalUnitName = "IT"
    commonName = ""

    # req_extensions
    subjectAltName = ","

Use following command to generate the certificate request with a key file from the openssl configuration file:

openssl req -new -out -config

See detailed manual page for the sub command openssl req.