Terminus by Warp
Generate, Sign, and View a CSR With OpenSSL

Razvan Ludosanu
Founder, learnbackend.dev

The short answer

A certificate signing request (CSR) is a file containing information about your business and its related website(s) used to request a digital certificate from a certificate authority (CA).

To generate a certificate signing request on Linux and macOS, you can use the following [.inline-code]openssl req[.inline-code] command:

 $ openssl req -new -key <pkey> -out <csr>

Where:

  • The [.inline-code]-new[.inline-code] flag is used to generate a new certificate request and prompts the user for relevant field values.
  • The [.inline-code]-key[.inline-code] flag specifies the private key file used to sign the certificate request.
  • The [.inline-code]-out[.inline-code] flag specifies the output filename to write to.

For example, the following command will generate a certificate signing request file named [.inline-code]server.csr[.inline-code] based on the private key file [.inline-code]server.key[.inline-code].

 $ openssl req -new -key server.key -out server.csr

[#easily-recall-with-ai]Easily retrieve this command using Warp’s AI Command Search[#easily-recall-with-ai]

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

Entering [.inline-code]generate CSR for private key[.inline-code] in the AI Command Search will prompt an [.inline-code]openssl[.inline-code] command that can then quickly be inserted into your shell by doing [.inline-code]CMD+ENTER[.inline-code].

[#generate-a-private-key]Generating a private key file[#generate-a-private-key]

Before generating a certificate signing request, you will need to generate a private key file, which can be done using the following [.inline-code]openssl genpkey[.inline-code] command:

 $ openssl genpkey -algorithm <alg> -out <pkey>

Where:

  • The [.inline-code]-algorithm[.inline-code] flag specifies the public key algorithm used to generate the private key (e.g. RSA, DSA, DH, etc).
  • The [.inline-code]-out[.inline-code] flag specifies the destination path of the private key file.

For example, the following command will generate a new private key file using the widely-used RSA algorithm:

$ openssl genpkey -algorithm RSA -out server.key

[#generate-a-pk-and-a-csr]Generating a private key and a certificate signing request at once[#generate-a-pk-and-a-csr]

To generate both a private key and a certificate signing request at once, you can use the following command:

$ openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr

Where:

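  • The [.inline-code]-newkey rsa:2048[.inline-code] flag is used to generate a new 2048-bit RSA private key.
  • The [.inline-code]-keyout[.inline-code] flag specifies the file to write the new private key to. By default, OpenSSL prompts for a pass phrase and encrypts this file with it.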

[#generate-a-csr-with-san]Generating a certificate signing request with subject alternative names[#generate-a-csr-with-san]

A subject alternative name (SAN) is a structured way to indicate all of the domain names and IP addresses that are secured by the certificate.

To generate a certificate signing request with subject alternative names, you need to create a configuration file (e.g. [.inline-code]csr.conf[.inline-code]) with the following structure:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = <Country Code>
ST = <State or Province>
L = <Locality>
O = <Organization>
OU = <Organizational Unit>
CN = <Common Name>

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = <Domain Name 1>
DNS.2 = <Domain Name 2>

Replace the placeholder values such as <Country Code>, <Locality>, <Domain Name 1>, etc. with your own values.

Then run the following command to generate the certificate signing request:

 $ openssl req -new -config csr.conf -key server.key -out server.csr

[#verify-a-csr]Verifying a certificate signing request[#verify-a-csr]

Once generated, you can verify the content of your certificate signing request using the following [.inline-code]openssl req[.inline-code] command:

 $ openssl req -in <csr> -text -noout -verify

Where:

  • The [.inline-code]-in[.inline-code] flag specifies the input file to read from.
  • The [.inline-code]-text[.inline-code] flag prints the certificate request in text form.
  • The [.inline-code]-noout[.inline-code] flag prevents the encoded version of the request from being output.
  • The [.inline-code]-verify[.inline-code] flag verifies the self-signature on the request.

For example:

$ openssl req -in server.csr -text -noout -verify

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Ohio, L=Des Moines, O=Example,
        CN=https://example.com/emailAddress=user@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:da:2f:a0:87:c1:1a:60:06:3b:8a:4b:7c:0c:38:
                    47:41:3c:3a:62:fb:c7:e9:1b:60:2c:38:5f:f6:42:
                    9a:ee:cf:6a:03:64:be:1d:02:b5:d7:2d:be:64:92:
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha256WithRSAEncryption
         33:57:9d:7f:ed:93:b2:c1:ee:38:c7:d7:62:ef:49:08:f3:af:
         45:e8:ff:ca:c3:cd:65:64:29:c4:28:cf:82:88:0a:90:47:d2:
         c9:1f:43:63:cd:45:23:c3:40:40:95:38:30:d7:df:40:60:30:
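
The SAN and verification steps above, combined into one script that builds the request and then checks it without reading the text dump by eye. This is an added example, not part of the original article; the names under [.inline-code]example.test[.inline-code], the organization and the helper function names are constructed.

```shell
# Added example: all subject and SAN values below are constructed.
set -eu

# make_san_csr DIR: write csr.conf, a 2048-bit RSA key and a CSR into DIR.
make_san_csr() {
    dir=$1
    cat > "$dir/csr.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
O = Example Org
CN = example.test

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
    ( umask 077   # keep the private key readable by its owner only
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/server.key" 2>/dev/null )
    openssl req -new -config "$dir/csr.conf" -key "$dir/server.key" \
        -out "$dir/server.csr"
}

# csr_sans FILE: print the DNS names requested in the CSR, comma-separated.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | paste -sd, -
}

# csr_signature_ok FILE: succeed only if the self-signature verifies.
# The message is matched because not every OpenSSL release reflects a
# failed check in its exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

workdir=$(mktemp -d)
make_san_csr "$workdir"
echo "SANs in CSR: $(csr_sans "$workdir/server.csr")"
csr_signature_ok "$workdir/server.csr" && echo "self-signature OK"
```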
         

[#self-sign-a-csr]Self-signing a certificate signing request[#self-sign-a-csr]

Once generated, a certificate signing request must be signed by a certificate authority in order to be transformed into an actual certificate that can be used to encrypt data.

However, it is also possible to generate a self-signed certificate, which is a certificate that is signed using its own private key.

To sign a CSR, you can use the following [.inline-code]openssl ca[.inline-code] command:

 $ openssl ca -in <csr> -out <cert>

Where:

  • The [.inline-code]-in[.inline-code] flag specifies the source path of the certificate signing request file.
  • The [.inline-code]-out[.inline-code] flag specifies the destination path of the certificate file.

For example:

 $ openssl ca -in server.csr -out server.arm

Note that, when using a self-signed certificate, warnings may be displayed in the user’s browser as it is not issued by a trusted certificate authority.
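
[.inline-code]openssl ca[.inline-code] signs with the CA certificate and key named in the OpenSSL configuration; to sign a request with its own private key, the usual command is [.inline-code]openssl x509 -req -signkey[.inline-code]. The script below is an added example (not from the original article) showing that this command does not carry the request's subject alternative names into the certificate unless they are supplied again with [.inline-code]-extfile[.inline-code]. It assumes OpenSSL 1.1.1 or later for [.inline-code]-addext[.inline-code]; the file names, helper functions and [.inline-code]example.test[.inline-code] names are constructed.

```shell
# Added example: constructed names (example.test), hypothetical helper names.
set -eu

# self_sign CSR KEY OUT [EXTFILE]: sign CSR with its own key for 30 days.
# Without EXTFILE, x509 -req ignores the extensions requested in the CSR.
self_sign() {
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1" -signkey "$2" -days 30 -sha256 \
            -extfile "$4" -out "$3"
    else
        openssl x509 -req -in "$1" -signkey "$2" -days 30 -sha256 \
            -out "$3"
    fi
}

# cert_sans FILE: DNS names in the certificate, comma-separated (empty if none).
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | paste -sd, -
}

workdir=$(mktemp -d)
key=$workdir/server.key
csr=$workdir/server.csr
san='subjectAltName=DNS:example.test,DNS:www.example.test'

( umask 077   # private key readable by its owner only
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$key" 2>/dev/null )
# The CSR itself does request both names.
openssl req -new -key "$key" -subj "/CN=example.test" -addext "$san" -out "$csr"
# Same extension, written to a file so it can be applied at signing time.
printf '%s\n' "$san" > "$workdir/san.ext"

self_sign "$csr" "$key" "$workdir/plain.crt"
self_sign "$csr" "$key" "$workdir/san.crt" "$workdir/san.ext"

echo "without -extfile: [$(cert_sans "$workdir/plain.crt")]"
echo "with -extfile:    [$(cert_sans "$workdir/san.crt")]"
```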
