Generate, Sign, and View a CSR With OpenSSL
The short answer
A certificate signing request (CSR) is a file containing information about your business and its related website(s), which is used to request a digital certificate from a certificate authority (CA).
To generate a certificate signing request on Linux and macOS, you can use the following `openssl req` command:
Where:
- The `-new` flag is used to generate a new certificate request and prompts the user for relevant field values.
- The `-key` flag specifies the private key file to use for signing the request.
- The `-out` flag specifies the output filename to write to.
For example, the following command will generate a certificate signing request file named `server.csr` based on the private key file `server.key`.
Easily retrieve this command using Warp’s AI Command Search
If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:
Entering `generate CSR for private key` in the AI Command Search will suggest an `openssl` command that you can then quickly insert into your shell by pressing `CMD+ENTER`.
Generating a private key file
Before generating a certificate signing request, you will need to generate a private key file, which can be done using the following `openssl genpkey` command:
Where:
- The `-algorithm` flag specifies the public key algorithm used to generate the private key (e.g. RSA, DSA, DH, etc.).
- The `-out` flag specifies the destination path of the private key file.
For example, the following command will generate a new private key file using the widely-used RSA algorithm:
Generating a private key and a certificate signing request at once
To generate both a private key and a certificate signing request at once, you can use the following command:
Where:
- The `-newkey rsa:2048` flag is used to generate a new 2048-bit RSA private key.
Generating a certificate signing request with subject alternative names
A subject alternative name (SAN) is a structured way to indicate all of the domain names and IP addresses that are secured by the certificate.
To generate a certificate signing request with subject alternative names, you need to create a configuration file (e.g. `csr.conf`) with the following structure:
Update placeholder values such as `<Country Code>`, `<Locality>`, `<Domain Name 1>`, etc.
Then run the following command to generate the certificate signing request:
Verifying a certificate signing request
Once generated, you can verify the content of your certificate signing request using the following `openssl req` command:
Where:
- The `-in` flag specifies the input file to read from.
- The `-text` flag prints out the certificate request in text form.
- The `-noout` flag prevents the encoded version of the request from being output.
- The `-verify` flag verifies the self-signature on the request.
For example:
Self-signing a certificate signing request
Once generated, a certificate signing request must be signed by a certificate authority in order to be transformed into an actual certificate that can be used to encrypt data.
However, it is also possible to generate a self-signed certificate, which is a certificate that is signed using its own private key.
To sign a CSR, you can use the following `openssl ca` command:
Where:
- The `-in` flag specifies the source path of the certificate signing request file.
- The `-out` flag specifies the destination path of the certificate file.
For example:
Note that, when using a self-signed certificate, warnings may be displayed in the user’s browser as it is not issued by a trusted certificate authority.
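The steps above run end to end, as an added example that is not from the original article: it generates a key, builds a CSR with SANs from a `csr.conf`, checks the request, and self-signs it. The subject and SAN values and the helper names (`write_conf`, `build`, `sans`, `csr_ok`) are constructed for illustration, and self-signing uses `openssl x509 -req -signkey` in place of `openssl ca` because it needs no CA database.

```shell
# Added example; the subject, names and address below are constructed values.
set -eu

# Write a non-interactive request config with SAN entries to $1/csr.conf.
write_conf() {
cat > "$1/csr.conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
L = Springfield
CN = example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
IP.1 = 192.0.2.10
EOF
}

# Generate the key, the CSR and a self-signed certificate in directory $1.
build() {
    write_conf "$1"
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key") 2>/dev/null
    openssl req -new -key "$1/server.key" -config "$1/csr.conf" -out "$1/server.csr"
    # x509 -req does not copy CSR extensions by default: pass the SANs again.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 \
        -extfile "$1/csr.conf" -extensions req_ext -out "$1/server.crt" 2>/dev/null
}

# Print the SAN list of a CSR ($1 = req) or a certificate ($1 = x509) in $2.
sans() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the CSR self-signature verifies. Match the message rather
# than the exit status, which older OpenSSL releases can leave at 0 on failure.
csr_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

demo=$(mktemp -d)
build "$demo"
csr_ok "$demo/server.csr" && echo "CSR self-signature: OK"
echo "CSR SANs:  $(sans req "$demo/server.csr")"
echo "Cert SANs: $(sans x509 "$demo/server.crt")"
rm -rf "$demo"
```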