Terminus
Generate, Sign, and View a CSR With OpenSSL

The short answer

A certificate signing request (CSR) is a file containing your public key together with information about your business and its related website(s); it is used to request a digital certificate from a certificate authority (CA).

To generate a certificate signing request on Linux and macOS, you can use the following [.inline-code]openssl req[.inline-code] command:

 $ openssl req -new -key <pkey> -out <csr>

Where:

  • The [.inline-code]-new[.inline-code] flag is used to generate a new certificate request and prompts the user for relevant field values.
  • The [.inline-code]-key[.inline-code] flag specifies the private key file used to sign the request; the matching public key is embedded in the CSR.
  • The [.inline-code]-out[.inline-code] flag specifies the output filename to write to.

For example, the following command will generate a certificate signing request file named [.inline-code]server.csr[.inline-code] based on the private key file [.inline-code]server.key[.inline-code].

 $ openssl req -new -key server.key -out server.csr

[#easily-recall-with-ai]Easily retrieve this command using Warp’s AI Command Search[#easily-recall-with-ai]

If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Search feature:

Entering [.inline-code]generate CSR for private key[.inline-code] in the AI Command Search will suggest an [.inline-code]openssl[.inline-code] command that can then be inserted into your shell by pressing [.inline-code]CMD+ENTER[.inline-code].

[#generate-a-private-key]Generating a private key file[#generate-a-private-key]

Before generating a certificate signing request, you will need to generate a private key file, which can be done using the following [.inline-code]openssl genpkey[.inline-code] command:

 $ openssl genpkey -algorithm <alg> -out <pkey>

Where:

  • The [.inline-code]-algorithm[.inline-code] flag specifies the public key algorithm used to generate the private key (RSA, DSA, DH, etc.).
  • The [.inline-code]-out[.inline-code] flag specifies the destination path of the private key file.

For example, the following command will generate a new private key file using the widely-used RSA algorithm:

 $ openssl genpkey -algorithm RSA -out server.key

[#generate-a-pk-and-a-csr]Generating a private key and a certificate signing request at once[#generate-a-pk-and-a-csr]

To generate both a private key and a certificate signing request at once, you can use the following command:

 $ openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr

Where:

  • The [.inline-code]-newkey rsa:2048[.inline-code] flag generates a new 2048-bit RSA private key, written to the file given by [.inline-code]-keyout[.inline-code].

[#generate-a-csr-with-san]Generating a certificate signing request with subject alternative names[#generate-a-csr-with-san]

A subject alternative name (SAN) is a structured way to indicate all of the domain names and IP addresses that are secured by the certificate.

To generate a certificate signing request with subject alternative names, you need to create a configuration file (e.g. [.inline-code]csr.conf[.inline-code]) with the following structure:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = <Country Code>
ST = <State or Province>
L = <Locality>
O = <Organization>
OU = <Organizational Unit>
CN = <Common Name>

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = <Domain Name 1>
DNS.2 = <Domain Name 2>

Replace the placeholder values (<Country Code>, <Locality>, <Domain Name 1>, and so on) with your own.

Then run the following command to generate the request from that configuration file:

 $ openssl req -new -config csr.conf -key server.key -out server.csr

[#verify-a-csr]Verifying a certificate signing request[#verify-a-csr]

Once generated, you can verify the content of your certificate signing request using the following [.inline-code]openssl req[.inline-code] command:

 $ openssl req -in <csr> -text -noout -verify

Where:

  • The [.inline-code]-in[.inline-code] flag specifies the input file to read from.
  • The [.inline-code]-text[.inline-code] flag prints the certificate request in human-readable text form.
  • The [.inline-code]-noout[.inline-code] flag suppresses output of the encoded (PEM) request, so only the text and verification result are printed.
  • The [.inline-code]-verify[.inline-code] flag verifies the self-signature on the request.

For example:

$ openssl req -in server.csr -text -noout -verify

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Ohio, L=Des Moines, O=Example,
        CN=https://example.com/emailAddress=user@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:da:2f:a0:87:c1:1a:60:06:3b:8a:4b:7c:0c:38:
                    47:41:3c:3a:62:fb:c7:e9:1b:60:2c:38:5f:f6:42:
                    9a:ee:cf:6a:03:64:be:1d:02:b5:d7:2d:be:64:92:
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha256WithRSAEncryption
         33:57:9d:7f:ed:93:b2:c1:ee:38:c7:d7:62:ef:49:08:f3:af:
         45:e8:ff:ca:c3:cd:65:64:29:c4:28:cf:82:88:0a:90:47:d2:
         c9:1f:43:63:cd:45:23:c3:40:40:95:38:30:d7:df:40:60:30:

[#self-sign-a-csr]Self-signing a certificate signing request[#self-sign-a-csr]

Once generated, a certificate signing request must be signed by a certificate authority in order to be transformed into an actual certificate that a server can use to secure its connections.

However, it is also possible to generate a self-signed certificate, which is a certificate signed with the subject's own private key rather than with a CA's key.

To sign a CSR with a CA whose key, certificate, and issuance database are set up in the OpenSSL configuration file ([.inline-code]openssl.cnf[.inline-code]), you can use the following [.inline-code]openssl ca[.inline-code] command:

 $ openssl ca -in <csr> -out <cert>

Where:

  • The [.inline-code]-in[.inline-code] flag specifies the source path of the certificate signing request file.
  • The [.inline-code]-out[.inline-code] flag specifies the destination path of the certificate file.

For example:

 $ openssl ca -in server.csr -out server.arm

Note that, when using a self-signed certificate, warnings may be displayed in the user’s browser as it is not issued by a trusted certificate authority.
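The whole workflow described above (private key, CSR with subject alternative names from a config file, verification, self-signing, and a check of the result) as one script. This is an added example, not code from the original article or from Warp; it assumes only that the openssl CLI (1.1.1 or 3.x) is on PATH. All subject and SAN values are constructed placeholders for example.com. It goes beyond the article in one respect: for the self-signed case it uses [.inline-code]openssl x509 -req -signkey[.inline-code], which signs the request with its own key and needs no CA setup, instead of the [.inline-code]openssl ca[.inline-code] command shown above, and it passes the SAN section through with [.inline-code]-extfile[.inline-code]/[.inline-code]-extensions[.inline-code], because otherwise the SAN entries requested in the CSR do not appear in the issued certificate.

```shell
#!/bin/sh
# Added example (not from the original article): the CSR workflow end to end.
# Generate an RSA key, build a CSR with subject alternative names from a
# config file, verify the request, self-sign it, and check the result.
# Assumes only the openssl CLI (1.1.1 or 3.x) on PATH; every subject and SAN
# value below is a constructed placeholder.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"                # scratch directory for key, CSR and cert
trap 'rm -rf "$WORK"' EXIT

# Request config in the same shape as the article's csr.conf, placeholders filled.
write_csr_conf() {
  cat > "$WORK/csr.conf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = Ohio
L = Columbus
O = Example Corp
OU = Web
CN = example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
}

# Private key (mode 600 via umask) and the CSR signed with it.
make_key_and_csr() {
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -config "$WORK/csr.conf" -key "$WORK/server.key" \
    -out "$WORK/server.csr"
}

# Check the CSR's self-signature; a tampered or truncated request fails here.
verify_csr() {
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Pull the DNS SAN entries out of `-text` output, one per line, so a script
# can compare what the request (or certificate) carries with what was intended.
extract_dns_sans() {
  sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *DNS://'
}
csr_sans()  { openssl req  -in "$WORK/server.csr" -noout -text | extract_dns_sans; }
cert_sans() { openssl x509 -in "$WORK/server.crt" -noout -text | extract_dns_sans; }

# Self-sign: the CSR is signed with the key that created it. -extfile/-extensions
# carry the SAN block across; without them openssl x509 drops it and clients
# connecting to example.com will not match the certificate to the host name.
self_sign() {
  openssl x509 -req -days 30 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -extfile "$WORK/csr.conf" -extensions req_ext \
    -out "$WORK/server.crt" 2>/dev/null
}

# The public key in the certificate must be the one derived from server.key.
key_matches_cert() {
  k="$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)"
  c="$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)"
  [ "$k" = "$c" ]
}

main() {
  write_csr_conf
  make_key_and_csr
  verify_csr && echo "CSR self-signature: OK"
  echo "CSR SANs:";  csr_sans
  self_sign
  echo "cert SANs:"; cert_sans
  key_matches_cert && echo "certificate public key matches server.key"
}

main
```

Run it as [.inline-code]sh csr-demo.sh[.inline-code]; it prints the SAN names found in the request and in the certificate, which should be identical, and confirms that the certificate's public key is the one belonging to [.inline-code]server.key[.inline-code]. The same [.inline-code]csr_sans[.inline-code] check is worth running on any CSR before handing it to a CA, since a missing or misspelled SAN is only discovered after issuance otherwise.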