A CSR (Certificate Signing Request) is the first step towards obtaining an SSL certificate. It's a standardized request with information the CA (Certificate Authority) needs before issuing an SSL certificate. Three things go into a CSR: a private key, the matching public key, and some basic information about your organization, which is also referred to as the Distinguished Name. The private key signs the request and stays on your server; only the public key and the Distinguished Name are included in the CSR itself.
This article will serve as a guide to creating a CSR for domains that are using web servers such as Apache or Nginx.
Creating an RSA Private Key and CSR
To generate a private key and CSR, we will be utilizing OpenSSL in the command line while you are logged into your server. Please type the following command into the terminal:
$ openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
domain.key represents the name of the private key file and domain.csr represents the name of the CSR file. You can choose other names in place of domain. The key strength is represented by rsa:2048, so you are free to choose another desired value if you'd like as well.
When you hit Enter, you will see a message that a 2048-bit RSA private key is being generated and written to the file you specified. You will then be prompted to enter some information that will make up your Distinguished Name.
The Distinguished Name is used by the CA to identify you and your server. You are required to enter a few pieces of information that make up this name in your terminal.
The required information includes:
- Country Name: Your two-letter country code.
- State or Province Name: Full name of your state or province.
- Locality Name: Full name of your city or town.
- Organization Name: The name of your company or organization.
- Common Name: Your Fully Qualified Domain Name (FQDN).
There are some optional entries which include:
- Email Address
- Challenge Password
- Optional Company Name
- Organizational Unit Name
Once this information has been entered, that's it. Your CSR is complete. You can review the information in your CSR by entering the command below:
$ openssl req -noout -text -in domain.csr
The next step is to send it over to the CA of your choice. Please refer to the section below for more information on how this is done.
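Before sending the CSR, it is worth confirming that it is well formed and belongs to the key you just created. The script below is an added example, not part of the original article: it generates the key and CSR without prompts using the -subj option, then checks the key file permissions, the CSR signature, the key/CSR match and the Common Name. The domain example.com and the subject values are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original article. example.com and the
# subject values below are constructed placeholders.

# make_csr DIR CN: write DIR/domain.key and DIR/domain.csr with no prompts.
make_csr() {
    # -nodes leaves the key unencrypted, so create it under umask 077
    # (owner-only access); the subshell keeps the umask change local.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/domain.key" -out "$1/domain.csr" \
          -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$2" \
          2>/dev/null )
}

# check_csr KEY CSR CN: return 0 only if every pre-submission check passes.
check_csr() {
    key=$1 csr=$2 cn=$3

    # 1. Key file grants nothing to group or other (mode columns 5-10).
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other"; return 1; }

    # 2. The CSR's self-signature verifies (proof of possession of the key).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "FAIL: CSR signature does not verify"; return 1; }

    # 3. The public key in the CSR belongs to this private key.
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ] ||
        { echo "FAIL: CSR was not made from $key"; return 1; }

    # 4. Common Name is the expected FQDN (RFC2253 form: CN=...,O=...).
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case "$subj," in
        *"CN=$cn,"*) ;;
        *) echo "FAIL: Common Name is not $cn"; return 1 ;;
    esac
    echo "OK: $csr is ready to submit"
}

# Demo in a scratch directory.
tmp=$(mktemp -d)
make_csr "$tmp" example.com &&
    check_csr "$tmp/domain.key" "$tmp/domain.csr" example.com
rm -rf "$tmp"
```

Only domain.csr is submitted to the CA; domain.key stays on the server and is needed later when the issued certificate is installed.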
Sending your CSR to the CA
The next step to obtaining an SSL certificate is to send your CSR to a CA. Please see the steps below for how to do this. For this example, the CA we are using is Sectigo.
- Open your CSR using the text editor of your choice (vi, vim, etc.). We used domain.csr in our example.
- Copy the text between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.
- After you have purchased and selected the Sectigo SSL of your choice, navigate to the Manage tab, and select Setup Sectigo SSL Certificate.
- Paste the CSR text you previously copied in the section labeled CSR under Server Information.
- Continue to follow the steps provided to set up your SSL certificate.
For more information on SSL certificates, please reference our SSL Certificates Explained article. As always, if you have any questions about the content of this article, please feel free to reach out to the Support Team for assistance. We're available 24/7 for your convenience.