Verified and Tested 04/23/15


This article will explain how to generate a Certificate Signing Request (CSR). You will be required to submit a CSR when obtaining an SSL/TLS certificate from a certificate authority (CA).


Any Linux distribution with OpenSSL installed. If you do not have a server, why not consider a Linux ready cloud server from Atlantic.Net and be up and running in under 30 seconds.

Generate a Certificate Signing Request (CSR)

The first step is to generate a private key for your server. This unique identifier is used to verify the authenticity of your server. Be sure to keep access to your private key as restricted as possible.

openssl genrsa -out example.key 2048

The 2048 option indicates a key length of 2048 bits. As of the “tested” date indicated above, this key length is considered the minimum length to maintain security.

Note: if the above command returns “unable to write ‘random state'”, you may need to run the command as root.

Now we must generate the CSR using the private key we just created:

openssl req -new -key example.key -out example.csr

You will then be asked for the following information:


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: The challenge password is not related to the private key password. Leave it blank unless required by your certificate authority. You may also leave the “optional company name” question blank.

You now have the “.csr” (Certificate Signing Request) file that will need to be submitted to a certificate authority (CA). Once the CA has signed the certificate, it will return a certificate file. The format of the issued certificate will vary depending on the certificate authority.  The most common type will be PEM format which utilize extensions such as .crt.key.csr.cer, and .pem.

Depending on the needs of your application or web server, you may need to convert one of these formats to other formats such as PKCS#7, PKCS#12, or DER. Here are a some useful file conversion commands:

PEM → PKCS#7 (P7B)

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

The -nocrl option indicates that you will not be including a certificate revocation list (CRL) in the PKCS#7 structure. Most new deployments will use this option, since there will be no older certificates to revoke.
Each -certfile option indicates a certificate file that will be included in the output file, which is useful in creating a certificate chain including the server certificate and the certificate authority’s intermediate certificate (“certificate.cer” and “CACert.cer”, respectively, in the example above).
The -out option indicates the file name to write the PKCS#7 output to.


openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

The -export option indicates that this command will create a PKCS#12 file. The default behavior without the -export option is to parse the input.
The -in option indicates the PEM-formatted file to be read from. If this file doesn’t also include the private key, you will need the -inkey option to indicate the private key file, as well.
The -certfile option indicates additional certificates to include in the PKCS#12 file, such as intermediate certificates.
The -out option indicates the file to write the output to, usually a “.pfx” file.


openssl x509 -outform der -in certificate.pem -out certificate.der

The -in option indicates the input certificate file to be converted.
The -out option indicates the output file name.
The -outform option indicates the file format for the output (in this example, the input file is in the PEM format, and this command would take that file and create a DER-formatted file).