Generating a Certificate Signing Request (CSR) with OpenSSL is a fundamental step in obtaining an SSL/TLS certificate for your website or service, but the process is often more nuanced than just running a single command.
Let’s look at a typical scenario where you’ve generated a private key and now need to create a CSR to send to a Certificate Authority (CA).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
This command will prompt you for a lot of information. The most critical fields are:
- Country Name (2 letter code): US
- State or Province Name (full name): California
- Locality Name (eg, city): San Francisco
- Organization Name (eg, company): My Company Inc.
- Organizational Unit Name (eg, section): IT Department
- Common Name (e.g. server FQDN or YOUR name): www.example.com
- Email Address: admin@example.com
The "Common Name" (CN) is paramount. It must match the fully qualified domain name (FQDN) of the server you intend to secure. For wildcard certificates, it would be *.example.com. If you omit the CN or get it wrong, the CA will reject your CSR, or the resulting certificate will not be trusted by browsers for that specific domain.
The -nodes flag is important; it means "no DES" and prevents OpenSSL from encrypting your private key with a passphrase. While this is convenient for automated server restarts, it means anyone with access to your server.key file can use it. For production systems, you’ll often omit -nodes and enter a strong passphrase when prompted.
Once you have your server.csr and server.key files, you’ll submit the server.csr to your chosen CA. They will use this request, signed by your private key, to issue your certificate.
Here’s a look at what’s inside a CSR. You can inspect it using:
openssl req -in server.csr -noout -text
This will display the certificate request information, including the subject (the fields you entered) and the public key. You’ll see something like:
Subject: C=US, ST=California, L=San Francisco, O=My Company Inc., OU=IT Department, CN=www.example.com
...
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a1:b2:c3:...
Exponent: 65537
The most surprising thing about CSRs is that they contain your public key, not your private key. The CA uses your public key to generate the certificate, and they then sign that certificate with their private key. When a browser connects to your server, it uses your public key (embedded in the certificate) to verify that the certificate was indeed signed by the CA. Your private key, which is never transmitted, is used to prove that you are the legitimate owner of the public key in the certificate.
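The two checks implied by the paragraphs above, as an added example that is not part of the original article: generate the key and CSR without prompts, confirm that the request's self-signature verifies, and confirm that the public key inside the CSR is the one derived from the private key on disk (a CSR made with the wrong key yields a certificate that is useless with the key you actually deploy). It assumes a POSIX shell with openssl on PATH; -subj, the scratch directory under /tmp and the second key other.key are not from the article and exist only to make the script non-interactive and to exercise the mismatch path.

```shell
#!/bin/sh
# Added example, not from the original article: build a key and CSR without
# prompts, then run the checks worth doing before the CSR leaves your hands:
# the request's self-signature verifies, and the public key inside the CSR
# is the one derived from the private key on disk. Assumes POSIX sh and
# openssl on PATH; -subj replaces the interactive prompts from the article.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"   # scratch directory, constructed for this demo
SUBJ="/C=US/ST=California/L=San Francisco/O=My Company Inc./OU=IT Department/CN=www.example.com"
trap 'rm -rf "$WORK"' EXIT          # do not leave a demo private key behind in /tmp

# Generate a 2048-bit RSA key (unencrypted: -nodes, also spelled -noenc in
# OpenSSL 3) and a CSR for it in one step, as in the article but non-interactive.
make_csr() {
  mkdir -p "$WORK"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "$SUBJ" 2>/dev/null
}

# Generate a second, unrelated key so the mismatch path can be exercised.
make_other_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
}

# Print the subject exactly as OpenSSL renders it from the CSR.
csr_subject() {
  openssl req -in "$WORK/server.csr" -noout -subject
}

# Return 0 if the CSR's self-signature verifies under the public key it carries.
# A request that fails here was corrupted or altered after it was created and
# should not be submitted.
csr_signature_ok() {
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Return 0 if the public key embedded in the CSR equals the public key derived
# from the private key given as $1. A mismatch means the CSR was produced with
# a different key than the one you intend to install.
csr_matches_key() {
  csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage: run the checks and report.
make_csr
csr_subject
csr_signature_ok && echo "self-signature: OK"
csr_matches_key "$WORK/server.key" && echo "public key matches server.key"
make_other_key
csr_matches_key "$WORK/other.key" || echo "public key does NOT match other.key (expected)"
```

The key-match check is the one to keep in any deployment script: after the CA returns the certificate, the same comparison (certificate public key against server.key) catches the classic case where the key was regenerated between creating the CSR and installing the certificate.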
A common pitfall is generating a CSR without including Subject Alternative Names (SANs). Modern browsers and security practices increasingly rely on SANs to specify multiple hostnames (e.g., www.example.com, mail.example.com, example.com) that a single certificate should cover. If your CSR doesn’t explicitly include these, your certificate might only be valid for the Common Name.
To include SANs, you’d typically create a configuration file (e.g., openssl.cnf) and reference it:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C=US
ST=California
L=San Francisco
O=My Company Inc.
OU=IT Department
CN=www.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = mail.example.com
Then, your OpenSSL command would look like this:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config openssl.cnf
This ensures that your certificate will be valid for all the listed DNS names.
If you’ve generated a CSR and later realize you need to add or change SANs, you cannot modify the existing CSR. You must generate a new CSR, referencing an updated configuration file with the correct SANs.
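The SAN workflow described above, as an added example that is not part of the original article: write the configuration file shown earlier with an alt_names section built from a list of hostnames, generate the CSR with -config, and read the SAN list back out of the request so a missing hostname is caught before the CSR goes to the CA. The last step regenerates the request with an additional name, since an existing CSR cannot be edited. It assumes a POSIX shell with openssl on PATH; the scratch directory under /tmp and the hostname api.example.com are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: write the SAN-bearing request
# config to disk, generate the CSR from it, and verify which DNS names the
# request actually carries. Assumes POSIX sh and openssl on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/csr-san-demo.$$"   # scratch directory, constructed for this demo
trap 'rm -rf "$WORK"' EXIT                # do not leave a demo private key behind in /tmp

# Write the request config from the article; the alt_names section lists every
# hostname passed as an argument (DNS.1, DNS.2, ...). CN stays www.example.com.
write_config() {
  mkdir -p "$WORK"
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C=US
ST=California
L=San Francisco
O=My Company Inc.
OU=IT Department
CN=www.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
EOF
  i=1
  for host in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$host" >> "$WORK/openssl.cnf"
    i=$((i + 1))
  done
}

# Generate key and CSR from the config; prompt = no means no interactive input.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/openssl.cnf" 2>/dev/null
}

# Print the DNS names in the CSR's subjectAltName extension, one per line.
# openssl renders them as "DNS:www.example.com, DNS:example.com, ...".
csr_sans() {
  openssl req -in "$WORK/server.csr" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Return 0 if the CSR lists the hostname $1 as a SAN (exact, fixed-string match).
csr_covers() {
  csr_sans | grep -qxF -- "$1"
}

# Usage: the first request covers three names; a fourth name is missing, so
# the CSR is regenerated rather than edited.
write_config www.example.com example.com mail.example.com
make_csr
echo "SANs in request:"; csr_sans
csr_covers api.example.com || echo "api.example.com missing: regenerate the CSR"
write_config www.example.com example.com mail.example.com api.example.com
make_csr
csr_covers api.example.com && echo "api.example.com now covered"
```

Running csr_covers for every hostname the service answers on, right before submission, is the cheapest guard against the pitfall described above; it also makes the CN-only case visible, because a CSR generated without req_extensions simply prints no SANs at all.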
The next step after obtaining your signed certificate from the CA is typically to install it on your web server, which involves configuring your web server software (like Apache or Nginx) to use both your private key and the issued certificate.