Linux and OpenSSL

This document describes how to generate a Certificate Request / Certificate Signing Request (CSR) on a Linux server with OpenSSL.

A CSR is a prerequisite to ordering an SSL certificate.

1. Creating the directory structure

Before you create a private key and a certificate request, you must decide in which directory you want to store the certificate. If this is already in place, you can skip to the next step.

Issue the following command in the terminal:

# mkdir -p /etc/apache2/ssl/dittdomene.no

Then you need to navigate to the directory you have just created:

# cd /etc/apache2/ssl/dittdomene.no

2. Generating a private key

If you already have a private key that you want to use, you can skip to the next step. The following command creates a 2048-bit key, which is the minimum requirement. In this example, the private key is stored as 'server.key'. Make a backup copy of the key: a lost key cannot be regenerated. It is also important to store the private key securely.

# openssl genrsa -out server.key 2048

3. Generating a certificate request

The command below creates a certificate request (CSR) based on the key. The certificate request is stored in the file server.csr, and the -key option must name the key file.

# openssl req -out server.csr -key server.key -new

Before the file with the CSR is generated, you must enter the information shown below. Common Name must contain the actual domain name (FQDN) on which the SSL certificate will be used. Email address, challenge password and company name are optional.

> Country Name (2 letter code) [AU]: NO
> State or Province Name (full name) [Some-State]: Your Province
> Locality Name (eg, city) []: Your City
> Organization Name (eg, company) [Internet W. Pty Ltd]: Your Organization
> Organizational Unit Name (eg, section) []: Your section
> Common Name (eg, YOUR name) []: yourdomain.com
> Email Address []:

> Please enter the following 'extra' attributes to be sent with your certificate request
> A challenge password[]:
> An optional company name[]:
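
Steps 1 to 3 can also be run without prompts, and the result checked before the CSR is uploaded in step 4. The script below is an added example, not part of the original instructions; the function names make_csr and check_csr and their DIR and DOMAIN arguments are assumptions, and the subject values are the placeholders from the prompts above.

```shell
#!/bin/sh
# Added example, not from the original page. DIR and DOMAIN are supplied by the
# caller; the subject values are the placeholders used in the prompts above.

# make_csr DIR DOMAIN: steps 1-3 without interactive prompts.
make_csr() {
    dir=$1; domain=$2
    (
        umask 077                     # new directory and key: owner-only access
        mkdir -p "$dir" && cd "$dir" || exit 1
        # Keep an existing key: the certificate only works with the key
        # that the request was generated from.
        [ -e server.key ] || openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -out server.csr \
            -subj "/C=NO/ST=Your Province/L=Your City/O=Your Organization/CN=$domain"
    )
}

# check_csr DIR DOMAIN: returns 0 only if the CSR is consistent.
#   1 = self-signature invalid
#   2 = CSR was generated from a different key than DIR/server.key
#   3 = Common Name is not DOMAIN
check_csr() {
    dir=$1; domain=$2
    # Match the "verify OK" text: older OpenSSL releases exit 0 even on failure.
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    # The public key embedded in the CSR must equal the one derived from server.key.
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || return 2

    # RFC2253 output lists the subject as comma-separated attributes.
    subject=$(openssl req -in "$dir/server.csr" -noout -subject -nameopt RFC2253)
    case $subject in
        *"CN=$domain,"* | *"CN=$domain") return 0 ;;
        *) return 3 ;;
    esac
}
```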

4. Certificate Request

When ordering a certificate, you need to upload the CSR. Do so by copying the content of your newly generated CSR (server.csr). To get the content of the CSR, use the following command.

# cat server.csr

The CSR will look approximately as follows, and includes the --- BEGIN and END --- lines.