How to generate CSR (Certificate Signing Request) and key Code for the domain

What is a CSR?

A CSR code (Certificate Signing Request) is a block of encoded text and an essential part of the SSL activation process that you submit to a Certificate Authority when applying for an SSL Certificate. It is typically generated on the server where the Certificate will be installed and should contain information about your website and business, which will then be encoded into the Certificate. As per my past experience, you can also generate this information on any computer (preferably Linux or WSL).

CSR generation instructions

Before we can issue your SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for a domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which is paired with a secret private key on the server, and provides relevant information about the requester as indicated below:

In order to generate the CSR, you need the following information:
  • Common Name
  • Country
  • State (or province)
  • Locality (or city)
  • Organization
  • Organizational Unit
  • Email address
  • Challenge Password and Optional Company Name
Here is brief information about each of these details:
  • Common Name (the domain name the Certificate will be issued for)
For example - example.com

* For Wildcard certificates, the Common Name should be represented with an asterisk in front (e.g. *.example.com).
  • Country (two-letter code)
Country (C) – the two-letter code of the country where the company or applicant is located (for example, GB for Great Britain or US for the United States; use the standard ISO two-letter country code).
  • State (or province)
State (S) – the state, county or region the company or applicant is located in (e.g. California).
  • Locality (or city)
Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.
  • Organization (your company name. Feel free to put "NA" here for any Domain Validated certificate)
Organization (O) – the officially registered name of the organization that is applying for a certificate (e.g. Namecheap Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with "NA".
  • Organizational Unit (department. Feel free to put "NA" here for any Domain Validated certificate)
Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).
  • Email address (put a valid email address here)
Email Address – an email address of the company or the applicant. This field is optional.

* This email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.
  • Challenge Password and Optional Company Name - please do not set a challenge password, and leave the Optional Company Name field empty too. These values are now obsolete and may cause issues with getting the SSL certificate.
Once you have all this information, run the command below and enter the details collected above when prompted; it will generate the CSR and the private key for you.

openssl genrsa -out key 2048 && chmod 400 key && openssl req -new -key key -out csr
As mentioned above, in addition to creating a CSR, the command also writes another file: the private key. The private key is a unique cryptographic key paired with the corresponding CSR and should never be shared with anyone outside your secured server environment. It is the key that decrypts data encrypted with its corresponding public key (and signs data that the public key verifies). If the private key is lost or compromised, malicious users could potentially read your encrypted communications and put your organization's reputation at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI). If the private key is lost or compromised, we highly recommend creating a new key pair and replacing or reissuing your SSL Certificate.

Most CSRs are created in the Base-64 encoded PEM format and include the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example:

-----BEGIN CERTIFICATE REQUEST-----
(Base-64 encoded request body omitted)
-----END CERTIFICATE REQUEST-----
Once you have created a CSR and wish to verify the accuracy of the details contained within (i.e. Common Name, Organization Name, etc.), you can easily decode the encoded text using an online CSR Decoder, or you can check it by running one of the following commands on the terminal.

openssl req -in PATH_TO_CSR_FILE -noout -text

or

openssl req -in PATH_TO_CSR_FILE -noout -subject
This tool is commonly used to troubleshoot error messages received during the generation process. For example, if you purchase a Wildcard SSL Certificate and paste in a CSR with Common Name: www.dailylifeassysadmin.com, you will receive an error message during the generation process, since the Common Name does not have an asterisk (*.) at the leftmost sub-domain level (i.e. *.dailylifeassysadmin.com) within the Common Name field. This tool will allow you to spot the entry mistake and proceed with creating a new key pair.
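The generation and verification steps above, combined into one script as an added example (not from the original post): it fills the DN fields non-interactively, creates the key with a restrictive umask so it is never world-readable, decodes the Common Name back out of the CSR, flags a non-wildcard CN, and confirms the key really belongs to the CSR. It assumes the openssl CLI is installed; the subject values and paths are constructed.

```shell
#!/bin/sh
# Added example: generate a key + CSR and run the checks described in the post.
set -eu

# make_csr DIR CN C ST L O OU EMAIL -> writes DIR/key and DIR/csr
make_csr() {
    dir=$1; cn=$2; c=$3; st=$4; l=$5; o=$6; ou=$7; email=$8
    mkdir -p "$dir"
    rm -f "$dir/key" "$dir/csr"
    # umask 077 makes the key owner-only from the moment it is created,
    # instead of relying on a chmod that runs after the file already exists.
    (umask 077; openssl genrsa -out "$dir/key" 2048 2>/dev/null)
    chmod 400 "$dir/key"
    # -subj supplies the DN fields, so nothing is prompted for; the obsolete
    # challenge password and optional company name are simply left out.
    openssl req -new -key "$dir/key" -out "$dir/csr" \
        -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn/emailAddress=$email"
}

# csr_cn FILE -> prints the Common Name decoded from the CSR
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *CN=//p'
}

# wildcard_cn_ok FILE -> succeeds only if the CN carries the leading "*."
# that a Wildcard certificate requires (the error case discussed above)
wildcard_cn_ok() {
    case "$(csr_cn "$1")" in
        \*.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# key_matches_csr KEY CSR -> succeeds if the CSR holds the public half of KEY
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    r=$(openssl req -in "$2" -noout -pubkey)
    [ "$k" = "$r" ]
}

# Demo run with constructed values: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    make_csr ./demo-csr '*.example.com' US California 'Los Angeles' \
        'Example Inc' 'SSL Support' admin@example.com
    openssl req -in ./demo-csr/csr -noout -subject
    wildcard_cn_ok ./demo-csr/csr && echo "wildcard CN OK"
    key_matches_csr ./demo-csr/key ./demo-csr/csr && echo "key matches CSR"
fi
```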

Hooray!! 👏👏 You have successfully generated the CSR and key for the domain name of the website. You can share the CSR code with your SSL provider, and they can issue the certificate for you on the basis of the CSR.
