
ELL Blog

How to Generate a CSR Using openssl

openssl req -newkey rsa:4096 -keyout -out -config .\
& 'C:\Program Files\Git\usr\bin\openssl.exe' req -newkey rsa:4096 -keyout -out -config .\

Here is a pretty and succinct guide on creating a Certificate Signing Request (CSR).

For the tutorial, replace all { Sample value } with your values.


Generating a Key

This avoids entering passphrases when generating the CSR.

openssl genpkey -algorithm ed25519 > { }.key

The filename for me is

Create a CSR Config File

Do this once and reuse forever.

Filename: { }.csr.cnf

[ req ]
prompt                      = no
distinguished_name          = req_distinguished_name
req_extensions              = v3_req

[ req_distinguished_name ]
countryName                 = { CA }
stateOrProvinceName         = { Ontario }
localityName                = { Toronto }
organizationName            = { LeNerva Inc. }
commonName                  = { }
emailAddress                = { }

# SANs are an X.509 extension, so they go in a request-extensions section
[ v3_req ]
subjectAltName              = @alt_names

[ alt_names ]
DNS.1                       = { }
DNS.2                       = { }

Generating the CSR

openssl req -new -out { }.csr -key { }.key -config { }.csr.cnf

Read CSR as a Human

openssl req -in { }.csr -text -noout
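
The key, config and CSR steps above as one script, followed by a check that the CSR is correctly self-signed and that every requested DNS name really appears as a SAN. This is an added example, not the author's code: the example.com names, the file paths and the function names make_csr and check_csr are assumptions, and it places subjectAltName in a req_extensions section.

```shell
#!/bin/sh
# Added example. example.com names and all file paths are constructed values.

make_csr() {
    # $1 = work dir, $2 = common name, remaining args = extra SAN DNS names
    dir=$1; cn=$2; shift 2
    key="$dir/$cn.key"; cnf="$dir/$cn.csr.cnf"; csr="$dir/$cn.csr"

    # Unencrypted key, so create it under a umask that keeps it owner-only.
    ( umask 077; openssl genpkey -algorithm ed25519 -out "$key" ) || return 1

    # SANs are an X.509 extension: they live in a req_extensions section,
    # not in the distinguished_name section.
    {
        printf '[ req ]\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n'
        printf '[ req_distinguished_name ]\ncommonName = %s\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n'
        printf '[ alt_names ]\nDNS.1 = %s\n' "$cn"
        i=2
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
        done
    } > "$cnf"

    openssl req -new -key "$key" -out "$csr" -config "$cnf" || return 1
    printf '%s\n' "$csr"   # path of the CSR to send to the CA
}

check_csr() {
    # $1 = CSR file, remaining args = DNS names that must be present as SANs.
    # Returns 0 if all checks pass, 1 on a bad self-signature, 2 on a missing SAN.
    csr=$1; shift
    # Match the "verify OK" message rather than trusting the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # One SAN entry per line, so each name is compared exactly (no regex).
    sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' |
           sed 's/^[[:space:]]*//') || return 1
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" || return 2
    done
}

# Usage: csr=$(make_csr "$(mktemp -d)" example.com www.example.com)
#        check_csr "$csr" example.com www.example.com && echo "CSR looks right"
```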


Name    Summary
CSR     Certificate Signing Request
SAN     Subject Alternative Name


How to use Certificates from the Certificate Authority

Combining the Certificate

Sectigo sends us a zip file with the domain certificate and the authority certificate “bundle” as well. We, however, want our servers to send the full certificate chain, otherwise network requests from non-browsers will fail to verify the SSL (speaking from experience using the requests module on my website). Note that a browser will not report any errors as they are “smart” enough to fill in the gaps as a lone certificate can be implied to be signed by a certificate authority. Don’t ask me how it really works as I am speaking from a memory of me reading the rationale two or three years ago.

cat domain.crt { ca-bundle file } > domain.chain.crt

To do this manually, create a new file chain.crt which is nothing but the contents of the domain.crt file followed by the contents of the ca-bundle file. If you are confused, you can look at my website’s GitHub where I have all three files located.

Unencrypted Private Key

Finally, you can print out the private key like so

openssl rsa -in domain.key
& 'C:\Program Files\Git\usr\bin\openssl.exe' rsa -in domain.key