Knowledge Base
How to Generate a CSR Using OpenSSL (Apache with mod_ssl, NGINX, OS X)
Overview
By the end of this guide, you will have generated a private key and a Certificate Signing Request (CSR) with OpenSSL, ready to paste into the Sectigo enrollment form. The CSR is a file containing your certificate application details and public key. You will run an OpenSSL command, enter your Distinguished Name (DN) details, protect the private key, and copy the finished CSR. The procedure applies to web servers such as Apache with mod_ssl, NGINX, and OS X.
Prerequisites
-
OpenSSL installed on your server or computer.
-
Access to a command line or terminal.
-
Your certificate details ready: Common Name (the fully qualified domain name), organization, locality, and country.
Steps
-
Generate the private key and CSR.
Run the following command. It creates a 2048-bit RSA key (myserver.key) and a CSR (server.csr):
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This creates two files: the private key (myserver.key) and the CSR (server.csr).
⚠ Protect the private key: do not disclose myserver.key to anyone, and back it up — there is no way to recover it if it is lost. (With -nodes, the key is not encrypted with a Data Encryption Standard (DES) passphrase.)
-
Enter your Distinguished Name (DN) details.
OpenSSL prompts you for the details to include in the CSR. For any field that shows a default in [brackets], enter . to leave it blank. For example:
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:
-
Use the web server's fully qualified domain name as the Common Name (CN) — for example, mysubdomain.mydomain.com.
-
You can leave Email Address, the optional company name, and the challenge password blank for a web server certificate:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
-
(Alternative) Generate the CSR in a single command.
Instead of entering the details interactively, supply them with the -subj option:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr \
-subj '/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com'
-
Submit the CSR.
Open server.csr in a text editor, copy the entire contents, and paste it into the Sectigo online enrollment form when prompted.
Similar Questions
-
How do I generate a CSR with OpenSSL for Apache or NGINX?
-
How do I create a CSR and private key in a single OpenSSL command?
-
What values should I use for the Common Name and Distinguished Name in a CSR?
Need assistance?
Contact our team for help with your purchase or issuing your certificate.