Generating a certificate signing request (CSR)


My notes on generating private keys and CSR’s. (that I never remember)

Used with, for example, a new HTTPS server.


  • subjectAltName must always be used (RFC 2818, 1. paragraph)
  • CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software.
  • As of chrome 58+ this is why you will have problems!!!! (So just use:

Simultaneous key and request generation

# openssl req -newkey rsa:4096 -nodes -keyout -out -days 365

N.B. -nodes places an unencrypted copy of the private key in the server’s key file. This is typically used so that the sysadmin doesn’t need to type in the password when restarting apache; for example.

!!!You should secure this with restrictive permissions at a minimum!!!

Answer the prompts noting: 1. CN or Common Name section is the name of the server (e.g. 2. extra attributes (namely challenge password and optional company name) can be ignored by using the enter (return) key

Setting permissions on the new key

# chown root:root
# chmod 0400

Generate a CSR using an existing key

Used, for example, to sign your own intermediate CA certificate

# openssl req -new -config openssl.cnf -key private/ -out -days 1825

N.B. since you’re specifying the openssl.cnf, all prompts should all be defaulted as desired.

Request signing

Now send off the server.csr to your CA.

N.B. once sent, the CSR is no longer needed.

Prepare a PKCS#12 file

Combines the public and private key in an encrypted format (symmetrical) for use with email clients, etc.

Before 2011–02–19 (needs the CA cert)

# openssl pkcs12 -export -in my.crt -inkey my.key -in root.pem -out my.p12

On or after 2011–02–19 (doesn’t need CA cert)

# openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12

See Also


Like what you read? Give Stefan Schwoegler a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.