How to Generate a Certificate Signing Request (CSR) With OpenSSL?

A Certificate Signing Request (CSR) is a digital document containing information about the entity requesting an SSL/TLS certificate. The CSR includes the public key and identifying information such as organization name, domain, and location. This information enables a Certificate Authority (CA) to verify the requester's identity and issue a valid SSL/TLS certificate.

The CSR is essential for obtaining SSL/TLS certificates because it provides the verification mechanism for domain ownership and organizational identity. Without a properly generated CSR, you cannot secure your website with encryption.

Understanding OpenSSL and Its Components

OpenSSL is an open-source cryptographic toolkit that provides secure communications over networks. It supports various cryptographic functions and is widely used across Linux, Windows, and macOS systems for implementing SSL/TLS protocols.

Private Key

A private key is a cryptographically secure key used for digital signing and decryption. It must remain confidential as it authenticates your identity. To generate a private key using OpenSSL:

openssl genrsa -out private.key 2048

This creates a 2048-bit RSA private key saved as private.key in the current directory.

Public Key

A public key corresponds to the private key and is used for encryption and signature verification. It can be shared publicly without compromising security. To extract the public key from your private key:

openssl rsa -in private.key -pubout -out public.key

This generates public.key containing the public key that will be embedded in your SSL certificate.

Step-by-Step CSR Generation

Step 1: Generate a Private Key

First, create a private key for your domain:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key

Replace example.com with your actual domain name. genpkey writes the key in PKCS#8 format (a PEM block beginning with "BEGIN PRIVATE KEY"), which modern systems expect; the -pkeyopt rsa_keygen_bits:2048 option sets the key size explicitly. Keep the key file readable only by its owner (chmod 600), since anyone who obtains it can impersonate your site.

Step 2: Create the CSR

Generate the CSR using your private key:

openssl req -new -key example.com.key -out example.com.csr

You'll be prompted to enter the following information:

  • Country Name (C): two-letter country code (e.g., US, GB)
  • State/Province (ST): full state or province name
  • City/Locality (L): city name
  • Organization (O): legal company name
  • Organizational Unit (OU): department (optional)
  • Common Name (CN): fully qualified domain name (e.g., www.example.com)
  • Email Address: contact email (optional)

Step 3: Non-Interactive CSR Generation

For automated processes, you can create a CSR without interactive prompts using a configuration file or command-line options:

openssl req -new -key example.com.key -out example.com.csr -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/CN=www.example.com"

Verifying Your CSR

After generating your CSR, verify its contents and ensure it matches your private key:

Check CSR Contents

openssl req -text -noout -in example.com.csr

This displays all information contained in the CSR, including the public key and subject details.

Verify CSR and Private Key Match

Ensure your CSR and private key correspond to each other:

openssl req -noout -modulus -in example.com.csr | openssl md5
openssl rsa -noout -modulus -in example.com.key | openssl md5

Both commands should produce identical hash values, confirming that the CSR was built from this private key. MD5 is used here only to shorten the modulus for visual comparison, not for security. Note that the check applies to RSA keys only, since only RSA keys have a modulus; for other key types compare the public keys themselves (openssl req -pubkey against openssl pkey -pubout).

Advanced CSR Options

Adding Subject Alternative Names (SAN)

For certificates covering multiple domains, create a configuration file csr.conf. Browsers now validate the host name against the Subject Alternative Name extension rather than the Common Name, so a SAN entry is needed even for a single-domain certificate:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
CN = www.example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com

Then generate the CSR with SAN:

openssl req -new -key example.com.key -out example.com.csr -config csr.conf
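The whole procedure from the sections above (Steps 1 to 3, the verification checks and the SAN configuration), as an added shell example that is not part of the original article. The domain, subject values, file names and the WORK directory are constructed assumptions. It goes a little beyond the article: the CSR's self-signature is checked with openssl req -verify, and the key match is done by hashing the DER-encoded public key from both sides, which works for ECDSA keys as well as RSA ones, unlike the modulus comparison.

```shell
#!/bin/sh
# Added example (not from the original article): generate an RSA key and a
# SAN-bearing CSR non-interactively, then run the checks a practitioner does
# before sending the CSR to a CA. Domain, subject and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Steps 1 and 3 together: key plus CSR without prompts, config written inline.
make_csr() {
    domain="$1"
    key="$WORK/$domain.key"
    csr="$WORK/$domain.csr"
    conf="$WORK/$domain.conf"
    cat > "$conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = San Francisco
O = Example Corp
CN = $domain

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $domain
DNS.2 = www.$domain
EOF
    # genpkey writes an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") by default.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"   # the private key must stay readable by its owner only
    openssl req -new -key "$key" -config "$conf" -out "$csr"
    printf '%s\n' "$csr"
}

# Check 1: the CSR's self-signature verifies, proving the requester holds the key.
csr_signature_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Check 2: the public key embedded in the CSR equals the one derived from the
# private key. Hashing the DER SubjectPublicKeyInfo works for any key type.
csr_matches_key() {
    a=$(openssl req -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Check 3: every expected DNS name appears in the requested SAN extension.
csr_has_san() {
    csr="$1"; shift
    text=$(openssl req -noout -text -in "$csr")
    for name in "$@"; do
        printf '%s' "$text" | grep -q "DNS:$name" || return 1
    done
}
```

Run it with, for example, CSR=$(make_csr example.com) followed by csr_signature_ok "$CSR", csr_matches_key "$CSR" "$WORK/example.com.key" and csr_has_san "$CSR" example.com www.example.com; each function exits non-zero when its check fails, so the calls can gate a deployment pipeline.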

Common CSR Generation Issues

Issue: Invalid characters in fields
  Cause: Special characters in organization name
  Solution: Use only alphanumeric characters and spaces

Issue: Wrong Common Name
  Cause: CN doesn't match domain
  Solution: Ensure CN exactly matches your domain

Issue: Missing private key
  Cause: Key file not found or wrong path
  Solution: Verify private key file exists and path is correct

Conclusion

Generating a Certificate Signing Request with OpenSSL involves creating a private key, then using it to generate a CSR containing your organization's details and public key. Proper verification ensures the CSR will work correctly with Certificate Authorities. Following these steps enables you to obtain SSL/TLS certificates for secure website communications.

Updated on: 2026-03-17T09:01:38+05:30
