Before an SSL certificate can be issued, it is necessary to generate a CSR (Certificate Signing Request) and a private key. Using the OpenSSL command-line tool is one of the easiest and safest ways to do so.
Generating a certificate request requires entering organization details, such as:
Use the following command to generate a CSR with a key file and enter the certificate details described above:
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout example.com.key -out example.com.csr
After the necessary details are provided, the openssl tool creates two files: the certificate request and the key file. The key file, which starts with BEGIN PRIVATE KEY, is the sensitive part of the SSL certificate; keep it in a safe place. The certificate request file, which starts with BEGIN CERTIFICATE REQUEST, contains the message that is sent to the certificate authority to issue the certificate.
It is considered good practice to keep organisation details consistent in a dedicated OpenSSL configuration file. The configuration file describes the private key's cryptographic parameters and the certificate details. An example OpenSSL configuration file is given below:
# www.example.com.openssl.conf
[ req ]
default_bits = "2048"
default_md = "sha256"
default_keyfile = "example.com.key.pem"
prompt = "no"
encrypt_key = "no"
# base request
distinguished_name = req_distinguished_name
# extensions: name of the section that holds the request extensions
req_extensions = v3_req
# distinguished_name
[ req_distinguished_name ]
# placeholder: replace with the two-letter ISO 3166 country code
countryName = "Country code"
stateOrProvinceName = "Wilayah Persekutuan Kuala Lumpur"
localityName = "Kuala Lumpur"
organizationName = "Company Name"
organizationalUnitName = "IT"
commonName = "example.com"
# req_extensions: the section referenced by req_extensions above
[ v3_req ]
subjectAltName = "DNS:example.com,DNS:www.example.com"
Use the following command to generate the certificate request and a key file from the OpenSSL configuration file:
openssl req -new -out www.example.com.csr -config www.example.com.openssl.conf
See the manual page for the openssl req subcommand for details.
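Before the request is sent to the certificate authority, it is worth confirming that it verifies, that it was made from the key you kept, and that it names the expected hosts. The script below is an added example, not part of the original page: the function names (check_csr, csr_pubkey_fp, key_pubkey_fp, demo) are hypothetical, the throwaway key and CSR it builds are constructed demo input, and the -addext option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original page): pre-submission checks for a CSR.
# Function names are hypothetical; file names follow the page's example.com naming.

# SHA-256 of the DER-encoded public key inside a CSR.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_csr <csr> <key> <dns-name>: prints "ok" and returns 0 only if all checks pass.
check_csr() {
    csr=$1; key=$2; name=$3
    # 1. The request's self-signature must verify. Match on the "verify OK"
    #    message rather than trusting the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "signature does not verify"; return 1; }
    # 2. The request must carry the public half of this private key.
    [ "$(csr_pubkey_fp "$csr")" = "$(key_pubkey_fp "$key")" ] ||
        { echo "CSR was not made from this key"; return 1; }
    # 3. The expected host name must be an exact subjectAltName DNS entry.
    openssl req -in "$csr" -noout -text | grep 'DNS:' | tr -d ' ' | tr ',' '\n' |
        grep -Fxq "DNS:$name" || { echo "SAN lacks $name"; return 1; }
    # 4. The key file must not be readable by group or others.
    case $(ls -l "$key") in
        -rw-------*|-r--------*) ;;
        *) echo "key file permissions too open"; return 1 ;;
    esac
    echo ok
}

# Constructed demo input: a throwaway key and CSR in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
    chmod 600 "$d/example.com.key"
    check_csr "$d/example.com.csr" "$d/example.com.key" www.example.com
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

Run check_csr against the real request and key with the host name the certificate must cover; any output other than ok names the check that failed.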