• A CSR or Certificate Signing Request is an encrypted block of text that is used to request a digital certificate from a Certificate Authority (CA).
  • A CSR must be created on the server which will host the digital certificate.
  • A key pair (public/private keys) must be created before or during the creation of a CSR.
  • A CSR will contain the public key and other information provided for the certificate (Organization Name, Department Name, etc.).
  • As a key pair is used in the creation of a CSR, the digital certificate provided by a CA upon receipt of your CSR must be used along with the private key used in the creation of the CSR. If the private key is lost, then the digital certificate will be useless.

Example CSR (base-64 PEM format):

-----BEGIN CERTIFICATE REQUEST-----
MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0DAYDVQQLFAVUSSZTUzEZMBcGA1
DggEPADCCAQoCggEBAPBz3Nl03nLAj766mJ1+OUjVTX9Sczeaau1s6Cdd2Wd
saddad342sdad32dBAPBz3Nl03nLAj766mJ1+OUjVTX9SczeS7u1s6CtHrmw
DggEPADCCAQoCggEBAPBz3Nl0asd21ddadsadOUjVTX9Scz4SD2d2ddadad1
DggEPADCCAQoCggEBAPBz3Nl03nLAj766mJ1+OUjVTX9Sczeau1s6CtUJ2kd
DggEPADCCAQoCggEBAPBz3Nl03nLAj766mJ1+OUjVTX9Sc527FGTDS72kkkd
-----END CERTIFICATE REQUEST-----

Given below are three methods to generate a CSR using openssl:

METHOD 1: Create a CSR and a new private key

Assuming you start from scratch, use the following command to create a CSR and a private key:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-newcsr]

METHOD 2: Create a CSR for an existing private key

If you wish to use an existing private key, use the following command to create a CSR with it:

openssl req -out CSR.csr -key privateKey.key -new

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-newcsr]

METHOD 3: Create a CSR for certificate renewal (using an existing certificate and an existing private key)

If you wish to create a CSR for certificate renewal and want to avoid re-entering certificate details, use the following command:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Refer to the example in the screenshot below:

[Screenshot: openssl-oldkey-oldcert-newcsr]

NOTE: The CSR file created using METHOD 3 will contain certificate and certificate request details. In this case, you must extract only the certificate request (the text from and including -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----) and submit the extract to your CA.
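
The checks below are an added example, not part of the original post: they extract only the request block described in the NOTE, verify the CSR's self-signature, and confirm the CSR carries the public key of the private key you intend to keep. The file names CSR.csr and privateKey.key come from the commands above; the function names and the output file request-only.csr are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run on a CSR before submitting it to a CA.
# File names follow the page; the function names are this example's own.

# Print only the PEM request block from a file that also contains other
# text (the METHOD 3 case), dropping everything outside the markers.
extract_csr() {
    awk '/^-----BEGIN CERTIFICATE REQUEST-----/ { inside = 1 }
         inside { print }
         /^-----END CERTIFICATE REQUEST-----/   { inside = 0 }' "$1"
}

# True if the CSR's self-signature verifies. The verdict is read from the
# output ("verify OK"), so it does not depend on how a given OpenSSL
# release sets its exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the public key inside the CSR is the one derived from the key file.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Run the checks on the page's output files when they are present.
if [ -f CSR.csr ] && [ -f privateKey.key ]; then
    extract_csr CSR.csr > request-only.csr
    if csr_signature_ok request-only.csr &&
       csr_matches_key request-only.csr privateKey.key; then
        echo "request-only.csr is well-formed and matches privateKey.key"
    else
        echo "CSR check failed: do not submit request-only.csr" >&2
    fi
fi
```

Run it in the directory that holds CSR.csr and privateKey.key; a failed key match means the certificate issued for this CSR would not work with that private key.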
