How to create a CSR

How to create a CSR


Whenever you need to have an SSL certificate, you will always need to create a CSR (Certificate Signing Request) in order to get your certificate signed (and thus trusted) by a CA (Certificate Authority).
Say for example you are building and hosting your own website, for which you bought a domain. In order for your website to get that nice looking padlock that indicates HTTPS traffic.

Now it’s important to note that you can also just self-sign a certificate. However since you are not a trusted CA, your certificate will work but it will not show up as trusted. Where browsers will give you an ugly warning message saying that this certificate isn’t trusted, which you probably don’t want users to have to deal with.

First things first

OpenSSL is one of the most common used tools to manage and create certificates, because of its wide support, I will also be using it.

First and foremost, before you can create a CSR, you have to know for which domain you plan on enabling SSL for. I will be using the example from the introduction, my very own hosted website. All it needs now is a (DNS) name, let’s say I want a certificate for my website “”. Because we want to use the certificate to authenticate the identity of our server (server certificate), we have to make sure the CN (Common Name) that we pass to the certificate matches with our DNS name.

I will talk about 2 different ways of creating a CSR:

Create your Certificate Signing Request

You can set the following information when creating your CSR:

  • Country Name (2 letter code): BE
  • State or Province Name (full name): Antwerpen
  • Locality Name (eg, city) []: Kontich
  • Organization Name (eg, company): i8c
  • Organizational Unit Name (eg, section) []: Integration
  • Common Name:
  • Email Address:
  • A challenge password:
  • An optional company name:

OpenSSL creation wizard

The following command creates a CSR (which contains your public key certificate) and the associated private key which is very important to keep securely:

This command will prompt for a password to encrypt the private key. This private key will be needed by the webserver to decrypt the traffic. I strongly recommend to use a strong autogenerated password with tools such as LastPass or Bitwarden.

If you do not want a password for the private key, you can add -nodes to the above command and it will skip private key encryption.

After running the command, you will be prompted several questions by the OpenSSL wizard. These questions are regarding the contents of the CSR, which I briefly mentioned above.

Alternative: based on a template

This method is by far the easiest when you have to create CSR’s for several (sub)domains. It consists of using a template file in which you can preset the properties of your CSR, while afterwards the only thing you have to change is the CN (Common Name) part of the template.

  • First create the following template.cnf file:
  • You can add multiple alternative names by incrementing the DNS.#, up to 99 extra names:
  • Open a terminal in the same directory and use the following command to generate your CSR and (encrypted) private key. Replace the values between the brackets:
  • Repeat these steps for each domain you want to create a CSR for and thus eventually a signed certificate.

Now, off to get these certificates signed! Which is an entirely different process for which I might write a separate blog for. I hope you found this helpful in your quest of generating certificates via a CSR and eventually getting them signed.

Author: Piet Jacobs

Working at i8c

i8c is a system integrator that strives for an informal atmosphere between its employees, who have an average age of approx 30 years old. We invest a lot of effort in the professional development of each individual, through a direct connection between the consultants and the management (no multiple layers of middle management). We are based in Kontich, near Antwerp, but our customers are mainly located in the triangle Ghent-Antwerp-Brussels and belong to the top 500 companies in Belgium (Securex, Electrabel, UCB, etc…).

Quality Assurance

i8c is committed to delivering quality services and providing customer satisfaction. That’s why we invested in the introduction of a Quality Management System, which resulted in our ISO9001:2000 certification. This guarantees that we will meet your expectations, as a reliable, efficient and mature partner for your SOA & integration projects.

i8c - ISO9001-2015