How to create a CSR using openssl

A CSR or Certificate Signing Request is an encrypted block of text that is used to request a digital certificate from a Certificate Authority (CA).
A key pair (public/private keys) must be created before or during the creation of a CSR.
A CSR will contain the public key and other information provided for the certificate (Organization Name, Department Name, etc).
As a key pair is used in the creation of a CSR, the digital certificate provided by a CA upon receipt of your CSR must be used along with the private key used in the creation of the CSR. If the private key is lost, then the digital certificate will be useless.

Example CSR (base-64 PEM format):

Given below are three methods to generate a CSR using openssl:

METHOD 1: Create a CSR and a new private key

Assuming you start from scratch, use the following command to create a CSR and a private key:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Refer the example in the screenshot below:

METHOD 2: Create a CSR for an existing private key

If you wish to use an existing private key, use the following command to create a CSR with it:

openssl req -out CSR.csr -key privateKey.key -new

Refer the example in the screenshot below:

METHOD 3: Create a CSR for certificate renewal (using an existing certificate and an existing private key)

If you wish to create a CSR for certificate renewal and want to avoid re-entering certificate details, use the following command:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Refer the example in the screenshot below:

NOTE: The CSR file created using METHOD 3 will contain certificate and certificate request details. In this case, you must extract only the certificate request (text from and including —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– and submit the extract to your CA.

Rating: +3 (from 3 votes)

How to create a CSR using openssl

Leave a Reply Cancel reply