SSL / How to generate a CSR, in simple steps

What is CSR, in short

A certificate signing request or CSR is a piece of text that must be generated on your web server as a prerequisite for ordering the SSL certificate. A CSR consists of the public key of a key pair and some additional information. Both of these components are used by certificate authority when it is being signed by them.


OpenSSL is an open-source tool that provides an extensive set of cryptographic functions. In order to check if it is already installed, run the following command:

❯ openssl version
OpenSSL 0.9.8zh 14 Jan 2016

This software has to be installed in order to continue.

Let's get started

1. Create a private key (and store it in a cool, dry and secure place)
Use the following genrsa command to generate a private key:

❯ openssl genrsa -out private_key.pem 2048

2. Create a CSR using the following command

❯ openssl req -sha256 -new -key private_key.pem -out new_csr.pem

The command will ask you for some information (used by CA later):

Country Name
The two-letter ISO code for your country. All coutry codes are available in Online Browsing Platform (OBP) from ISO:

State or Province Name
The full name of the state or province where your organization is located. Do not use an abbreviation.

Locality Name
The name of the city where your organization is located.

Organization Name
The full legal name of your organization.

Common Name
The fully-qualified domain name for your CNAME. This name must be an exact match. For example, or

Email Address
The server administrator's email address.

3. Apply for an SSL certificate to one of the various CA using the just generated CSR 
(REISUB does not recommend any specific CA).

4. Register your website with a SSL reminder service in order to be in time for certificate renewal
Forgetting about or missing the date your certificate expires may lead to particularly unpleasant consequences for a website and the business behind it. has a simple interface and is on time reminding to extend the certificate.

It is also possible to generate a self-signed certificate. It should only be used for testing purposes as it will not be trusted by modern web browsers:

To create a self-signed certificate, use the following command:
❯ openssl x509 -req -days 365 -in new_csr.pem -signkey private_key.pem -out my_certificate.pem

Questions/suggestions are welcome in comments to this post.

1 comment:

  1. Very good info. Lucky me I came across your blog by chance (stumbleupon).
    I have book marked it for later!