Verified and Tested 03/26/17
Introduction
This article will explain how to generate a Certificate Signing Request (CSR). You will be required to submit a CSR when obtaining an SSL/TLS certificate from a certificate authority (CA).
Prerequisites
Any Linux distribution with OpenSSL installed. If you do not have a server, why not consider a Linux VPS from Atlantic.Net and be up and running in under 30 seconds.
Generate a Certificate Signing Request (CSR)
Both the CSR and the private key for your server can be generated in one step. Keep access to the private key as restricted as possible: the CSR and the certificate the CA issues contain only the public key, and anyone who obtains the private key can impersonate your server until the certificate expires or is revoked. In the command below, rsa:2048 is the smallest RSA key size public CAs accept today, and -nodes writes the private key without a passphrase, which is what most web servers need in order to start unattended, so the file permissions on the .key file are the only thing protecting it.
Note: the command itself does not require root. If it fails with a permission error, you are probably writing into a directory your user cannot write to, and you will need to run it with sudo or as root.
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
You will then be asked for the following information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: The Common Name must be the fully qualified domain name clients will connect to (for example www.example.com, or *.example.com for a wildcard certificate); the CA will only issue a certificate for names it can validate you control. Everything entered here becomes part of the public certificate. The challenge password is unrelated to a private key passphrase (and the key generated above has none); leave it blank unless your certificate authority requires it. You may also leave the "optional company name" blank.
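The same key and CSR generation as an added, non-interactive example (this is not code from the original article): the DN is passed with -subj instead of being typed at the prompts, and the request is checked before it leaves the machine. The domain, the DN values and the file names are assumptions; the last check compares the public key embedded in the CSR with the one derived from the private key, which catches a CSR that was accidentally generated against a different key.

```sh
#!/bin/sh
# Added example, not from the original article. Generates a private key and CSR
# non-interactively and verifies the CSR before it is sent to the CA.
# Domain, DN values and file names below are assumptions for illustration.
set -e

# $1 = fully qualified domain name (becomes the Common Name), $2 = output basename
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" \
        -subj "/C=US/ST=Florida/L=Orlando/O=Example Corp/CN=$1" 2>/dev/null
    # -nodes leaves the key unencrypted, so restrict it to the owner immediately
    chmod 600 "$2.key"
}

# Check the CSR's self-signature; exit status 0 means the request is intact
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the Common Name recorded in the CSR (handles both the "CN = x" and the
# "/CN=x" subject layouts printed by different OpenSSL versions)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The CSR carries only the public key; confirm it is the one derived from our
# private key ($2), so the certificate the CA issues will actually work with it
key_matches_csr() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Usage: sh gen_csr.sh www.example.com yourdomain
if [ $# -eq 2 ]; then
    gen_csr "$1" "$2"
    verify_csr "$2.csr"
    key_matches_csr "$2.csr" "$2.key"
    echo "CSR for $(csr_cn "$2.csr") is ready to submit: $2.csr"
fi
```

Because the script runs under set -e, a CSR that fails either check aborts before the success message is printed, which is the behaviour you want in a provisioning pipeline.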
You now have the ".csr" (Certificate Signing Request) file to submit to a certificate authority (CA). Before submitting it, confirm that the subject is correct and the request is intact, since a mistake here costs a re-issue. Once the CA has validated the request, it returns the signed certificate, usually together with the intermediate certificate(s) needed to build the chain up to a trusted root. The format of the issued certificate varies by CA. The most common is PEM (base64 text between "-----BEGIN" and "-----END" lines), which is used with extensions such as .crt, .cer and .pem for certificates, .csr for requests and .key for private keys; the extension is only a convention, and the file contents decide the format.
Depending on the needs of your application or web server, you may need to convert a PEM file to another format such as PKCS#7, PKCS#12, or DER. None of these conversions changes the certificate or the key; they only change how the same material is packaged. Here are some useful file conversion commands:
PEM → PKCS#7 (P7B)
openssl crl2pkcs7 -nocrl -certfile yourdomain.cer -out yourdomain.p7b -certfile CACert.cer
The -nocrl option tells crl2pkcs7 not to read a certificate revocation list (CRL) from its input; without it, the command expects a CRL on -in. When all you need is to bundle certificates, which is the case for most deployments, -nocrl is what you want.
Each -certfile option names a certificate file to include in the output. This is how you build a chain containing the server certificate and the certificate authority's intermediate certificate ("yourdomain.cer" and "CACert.cer", respectively, in the example above). A PKCS#7 file holds certificates only, never the private key.
The -out option names the file to write the PKCS#7 output to.
PEM → PKCS#12 (PFX)
openssl pkcs12 -export -out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt -certfile CACert.crt
The -export option tells the pkcs12 command to create a PKCS#12 file; without -export, its default behaviour is to parse an existing one. You will be prompted for an export password (it can also be supplied with -passout), and you should set one: unlike the PEM and PKCS#7 files above, the PKCS#12 file contains the private key, so protect it exactly as you would the .key file.
The -in option names the PEM file to read the server certificate from. If that file does not also contain the private key, you need the -inkey option to name the private key file as well.
The -certfile option names additional certificates to include in the PKCS#12 file, such as the CA's intermediate certificates.
The -out option names the file to write the output to, usually with a ".pfx" or ".p12" extension.
PEM → DER
openssl x509 -outform der -in yourdomain.pem -out yourdomain.der
The -in option names the input certificate file to convert; PEM is assumed unless -inform says otherwise.
The -out option names the output file.
The -outform option sets the format of the output. In this example the input is PEM and the command writes the same certificate in DER, the binary encoding for which PEM is just the base64 wrapper, so nothing is lost in either direction. Note that this converts a single certificate: a DER file cannot carry a chain, so a CA bundle has to stay in PEM or go into PKCS#7 or PKCS#12.
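As an added example (not code from the original article), the following script runs all three conversions above and checks each result rather than trusting that the command produced what was intended: the DER copy must have the same SHA-256 fingerprint as the PEM original, the PKCS#7 bundle must contain both certificates, and the PKCS#12 file must contain both certificates plus exactly one private key. Since a CA-issued certificate is not available offline, the script first builds a small self-signed "Demo CA" and has it sign a one-day server certificate; that mini CA, the file names and the PFX password ("changeit") are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Runs the three conversions and
# checks each result. The mini CA is constructed test material standing in for a
# real CA; file names and the PFX password ("changeit") are assumptions.
set -e

# Constructed material: a self-signed "CA" issues a one-day server certificate, so
# we have both a server certificate and the CA certificate that signed it.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out CACert.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout yourdomain.key -out yourdomain.csr 2>/dev/null
    openssl x509 -req -in yourdomain.csr -CA CACert.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out yourdomain.crt 2>/dev/null
}

# PEM -> DER. Only the encoding changes, so the SHA-256 fingerprint (always
# computed over the DER bytes) must be identical for both files.
pem_to_der() {
    openssl x509 -outform der -in "$1" -out "$2"
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -inform der -in "$2" -noout -fingerprint -sha256)" ]
}

# PEM -> PKCS#7: bundle the server certificate and the CA certificate, no CRL
pem_to_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -out "$3"
}

# Count the certificates inside a PKCS#7 file (one "subject=" line per cert)
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# PEM -> PKCS#12. The PFX carries the private key, so it gets a password and the
# same tight file permissions as the .key file.
pem_to_pfx() {
    # $1 = private key, $2 = server cert, $3 = CA cert, $4 = output, $5 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
    chmod 600 "$4"
}

# Read back what the PFX contains: number of certificates and of private keys
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}
pfx_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes | grep -c 'BEGIN .*PRIVATE KEY'
}

# Usage: sh convert.sh demo   (run inside an empty scratch directory)
if [ "${1:-}" = "demo" ]; then
    make_demo_chain
    pem_to_der yourdomain.crt yourdomain.der
    pem_to_p7b yourdomain.crt CACert.crt yourdomain.p7b
    pem_to_pfx yourdomain.key yourdomain.crt CACert.crt yourdomain.pfx changeit
    echo "p7b certs: $(p7b_cert_count yourdomain.p7b)"
    echo "pfx certs: $(pfx_cert_count yourdomain.pfx changeit), pfx keys: $(pfx_key_count yourdomain.pfx changeit)"
fi
```

The read-back functions double as the check you would run on a PFX handed to you by someone else: if pfx_key_count reports 0, the bundle is certificates only and the server will not be able to use it, and if it reports more than 1, it carries keys that should not be there.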