Creating CSRs

When generating a CSR, you're usually generating a keypair. You can create the private key and the CSR all at once like this:

openssl req -newkey rsa:2048 -keyout server.key -out server.csr

req is openssl's CSR module. -newkey rsa:2048 tells openssl we want to create a new keypair for this CSR, and we want that to be a 2048-bit RSA key. Along with telling req we want a new key, we tell it to put the key in a file named server.key with -keyout server.key. Finally, we tell it we want our CSR in a file named server.csr with -out server.csr.

Alternatively, if this is for a webserver, and you don't want it to have a passphrase, you can add the -nodes option to tell it not to encrypt the private key. If you do this, be extra careful to protect the key with proper file permissions.

However, you may already have a private key and just want to generate a CSR. You can do this with:

openssl req -new -key server.key -out server.csr

where server.key is where your existing private key resides.

This will then ask you several questions. Here are some guidelines on answering those questions:

Enter PEM pass phrase
This will only happen if you're generating a private key that's encrypted, and is simply asking for the pass phrase you want to use to encrypt the private key.
Country Name
The two-letter code for your country, such as US.
State or Province Name
The full name of your state or province such as California. In some countries there are no states or provinces, and if so, leave this blank.
Locality Name
The full name of your city, or absent a city, your county, jurisdiction, or area.
Organization Name
This is rather self-explanatory. This is the name of the company or group.
Organizational Unit Name
This is optional, but in the case of a large company, this is the department or division.
Common Name
This is the host name of your system for SSL Server certificates. If you are not making an SSL server certificate, this should describe who or what the certificate is used for in a short phrase.
Email Address
I can't imagine this needs explanation. However, it's worth reading up on the SubjectAltName extension for more information on how certificates deal with email addresses.

You may also be prompted for extra attributes such as challenge password or company name, and these can generally be ignored/left blank.

At this point, you should have generated a CSR (and possibly a private key). You can now send this CSR to the CA of your choice to be signed.
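The two commands above, put together as a script that runs without prompting (an added example, not part of the original page): it creates a key and CSR in one step, then a second CSR from the existing key, and checks each CSR's self-signature, subject and key size. It assumes openssl is on PATH; the subject values are constructed stand-ins for the interactive answers, and -subj supplies them in place of the prompts.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes `openssl` is on PATH.
# All subject values below are constructed stand-ins for the interactive answers.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# -subj supplies the distinguished name up front so req does not prompt.
SUBJ="/C=US/ST=California/L=San Francisco/O=Example Org/OU=Web/CN=www.example.test/emailAddress=hostmaster@example.test"

# Variant 1: new 2048-bit RSA key and CSR in one step. -nodes leaves the key
# unencrypted (typical for a web server), so the file mode has to do the
# protecting: umask 077 (in a subshell) makes it 0600 from the moment it is written.
make_key_and_csr() {
    (
        umask 077
        openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
            -out "$WORK/server.csr" -subj "$SUBJ" 2>/dev/null
    )
}

# Variant 2: CSR for a key that already exists. Note the explicit -new:
# without it, req tries to read an existing CSR instead of creating one.
make_csr_from_key() {
    openssl req -new -key "$WORK/server.key" -out "$WORK/server2.csr" -subj "$SUBJ"
}

# Check the CSR's self-signature (fails if the CSR was tampered with) and
# return the Common Name from its subject.
csr_cn() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return the RSA modulus size embedded in the CSR's public key.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Return the private key's octal file mode (GNU stat first, BSD stat fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

make_key_and_csr
make_csr_from_key
echo "CN:       $(csr_cn "$WORK/server.csr")"
echo "key bits: $(csr_key_bits "$WORK/server2.csr")"
echo "key mode: $(key_mode "$WORK/server.key")"
```

Run it as-is; the last three lines print the values a CA would see in the request and the mode of the key file, which is the check the -nodes paragraph asks you to make.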

Default Values

If you would like to have some of these filled in with your information by default, find the [ req_distinguished_name ] section of your openssl.cnf (you can modify the system-wide one, or if you prefer, make your own copy and reference it with -config openssl.cnf) and change the _default lines. You can also add _default lines for attributes that don't have one yet. For example, in my openssl.cnf, I have a localityName line but not a localityName_default - but if I add one, it'll work. You must also ensure that under [ req ] you have distinguished_name = req_distinguished_name set (it is the default in most distros). For more information on openssl's configuration, see my openssl configuration page.

Adding Extensions

You can also add requested extensions to your CSR by scrolling down to the [ v3_req ] section of your openssl.cnf and adding extensions and their values as you see fit. You must also make sure that under the [ req ] section of your openssl.cnf you have req_extensions = v3_req set, or your changes to the [ v3_req ] section won't have any effect. See my extensions page and openssl configuration page for more details on those subjects.
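A private openssl.cnf that exercises both of the previous sections (an added example, not from the original page): _default lines under [ req_distinguished_name ] supply the answers, and req_extensions = v3_req makes the [ v3_req ] section (here a subjectAltName with two DNS names) land in the CSR. The script passes the file with -config and uses -batch so the defaults are accepted without prompting, then decodes the CSR to confirm both took effect. It assumes openssl is on PATH; every name and value in the config is constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes `openssl` is on PATH.
# The configuration, names and SAN values below are all constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private openssl.cnf: prompting stays on, so each *_default line is offered
# as the default answer, and -batch below accepts them all. Without
# req_extensions = v3_req the [ v3_req ] section would be silently ignored.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = California
localityName                = Locality Name (eg, city)
localityName_default        = San Francisco
organizationName            = Organization Name (eg, company)
organizationName_default    = Example Org
commonName                  = Common Name (eg, server FQDN)
commonName_default          = www.example.test

[ v3_req ]
# Extensions the CA is asked to copy into the issued certificate.
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# -config points req at our file instead of the system-wide one; -batch takes
# the _default answers without prompting. -nodes: unencrypted key for a server.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -batch -config "$WORK/openssl.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Return the CSR subject line, to confirm the _default values were applied.
csr_subject() {
    openssl req -in "$WORK/server.csr" -noout -subject
}

# True if the subject contains the given text.
csr_subject_has() {
    csr_subject | grep -q -- "$1"
}

# Return the "Requested Extensions" portion of the decoded CSR.
csr_requested_extensions() {
    openssl req -in "$WORK/server.csr" -noout -text |
        sed -n '/Requested Extensions/,/Signature Algorithm/p'
}

# True if the CSR requests a subjectAltName DNS entry for the given host.
csr_has_dns_san() {
    csr_requested_extensions | grep -q -- "DNS:$1"
}

write_config
make_csr
csr_subject
csr_requested_extensions
```

The decoded "Requested Extensions" block is what the CA sees; if it is missing from the output, the usual cause is the req_extensions line being absent from [ req ] or pointing at a differently named section.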