If you are new to the SSL certificates world, then this guide will help you go through the generation of a CSR, which is the first step towards acquiring a commercial SSL certificate.
A Certificate Signing Request (commonly known as ‘CSR’) contains information that the Certificate Authority (known as ‘CA’) will use to provision your SSL certificate.
What information do I need to provide during CSR generation?
The information required by the CA during a CSR generation is the following:
|Country (C)||Two-letter country code where your organization is located.|
|State/County/Region (S)||The state/region where your organization is located. Type the full name of your state/region – must not be abbreviated.|
|City/Locality (L)||The city where your organization is located. Type the full name of your city – must not be abbreviated.|
|Organization (O)||The legal name of your organization. Enter the full legal name of your business, including any suffixes. Example: My Private Company LTD.|
For EV and OV SSL Certificates, this information is verified by the CA and included in the certificate.
|Organizational Unit (OU)||The division of your organization handling the certificate. For example: IT Department.|
|Common Name (CN)||This is the most important field. Enter the Fully Qualified Domain Name (FQDN) which you wish to be protected under the SSL certificate.|
If you are generating a CSR for a wildcard certificate, then include an asterisk. Example: *.mybusinessdomain.com.
|Email Address||Email address used to contact your organization.|
How To Create a Certificate Signing Request (CSR) via command line on Linux server
It is important that you generate the CSR on the same machine that you will be installing the SSL Certificate. The CSR generation process will also create your certificate’s key file which must exist on server where the SSL certificate will be installed.
As a root user connect via SSH on your linux server and type the following command (we provide various commands depending on the Linux distribution you are using):
root@localhost:~$ apt install openssl
root@localhost:~$ yum install openssl
Once openssl is installed, proceed with the following command which is the same regardless of what Linux distro you are using:
$ openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydomain.com.csr
Make sure you replace “mydomain” with a descriptive name so you can easily identify it in the future.
Upon typing the previous command, you will be prompted to enter the information as described in the Table above.
Note: You are not required to enter a “challenge password”, so just hit Enter to skip the question.
Once all information is entered, two files will appear on your working directory; .csr and .key.
The content of the .csr file must be provided during your SSL certificate order. The .key file must remain on server and never share it with anyone!