OpenSSL - Create CSR (certificate signing request)


The certificate signing request (CSR) file is used to add personal information to the public certificate, such as your company name and location. The CSR also contains the public key that corresponds to your private key, and the request is signed with that private key.

 

There are two ways to go about creating the CSR file. You can either enter the information into an interactive prompt, or you can create the CSR file from a config file.

 


Interactive Prompt Method

The req command with the -new, -key and -out options is used to create the CSR file. In this scenario, you must have already created the private key. If you have not yet created the private key, refer to our article on creating a private key. There will be a series of prompts asking for personal information, such as your organization name and location.

openssl req -new -key example.com.key -out example.com.csr

 


Configuration File Method

You can create a configuration file that will be used for the creation of the CSR file, such as example.com.config. Here is an example of what you would have in the configuration file. This assumes that the private key file is password protected, hence the inclusion of the input_password (for the private key) and output_password (for the CSR file) options.

AVOID TROUBLE

The commonName (CN) will almost always need to match the DNS hostname of the service the certificate is being used for. For example, if the certificate will be used for SSL / HTTPS on the web server producing www.freekb.net, then the common name (CN) will need to be www.freekb.net or *.freekb.net.

[ req ]
default_bits       = 2048
default_days       = 365
default_md         = sha256
default_keyfile    = example.com.key
input_password     = foo
output_password    = bar
prompt             = no
distinguished_name = dn

[ dn ]
countryName                    = US
stateOrProvinceName            = Wisconsin
localityName                   = Appleton
organizationName               = FreeKB
organizationalUnitName         = IT
commonName                     = www.freekb.net
emailAddress                   = admin@freekb.net

 

You can then use the -config option to create the CSR file. The -key option is optional. You would use the -key option to use an existing private key. If the -key option is not used, the following command will generate a new private key.

openssl req -new -config example.com.config -key example.com.key -out example.com.csr

 

If you want to include Subject Alternative Names (SAN), you could do something like this.

[SAN]
subjectAltName=IP:10.22.51.98,IP:172.31.19.227,DNS:example.com,DNS:www.example.com

[ req ]
default_bits       = 2048
default_days       = 365
default_md         = sha256
default_keyfile    = example.com.key
input_password     = foo
output_password    = bar
prompt             = no
distinguished_name = dn

[ dn ]
countryName            = US
stateOrProvinceName    = Wisconsin
localityName           = Appleton
organizationName       = FreeKB
organizationalUnitName = IT
commonName             = www.freekb.net
emailAddress           = admin@freekb.net

 

And then include the -reqexts option followed by the name of the section in the config file that holds the extensions (SAN in this example).

openssl req -new -key example.com.key -out example.com.csr -reqexts SAN -config example.com.config

 


Validation

Here is how you can view the content of the CSR file.

~]# openssl req -in example.com.csr -text -noout -verify
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Wisconsin, L=Appleton, O=FreeKB, OU=IT, CN=mail.freekb.net/emailAddress=admin@freekb.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.22.51.98, IP Address:172.31.19.227, DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha512WithRSAEncryption
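
The same validation can be scripted instead of read by eye. The script below is an added example, not part of the original article: it builds a throwaway CSR with the configuration file method and -reqexts SAN, then confirms that the self-signature verifies and that a given hostname is covered by a DNS subjectAltName entry. The example.test names, the 192.0.2.10 address, the file names and the make_csr / csr_covers helpers are assumptions, and the key is left unencrypted so that no password goes in the config file.

```shell
#!/bin/sh
# Added example: names, paths and hostnames below are constructed for illustration.

# make_csr DIR CN SANLIST: throwaway unencrypted key + config file, then the CSR.
make_csr() {
  dir=$1
  cat > "$dir/req.config" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn

[ dn ]
organizationName = Example
commonName       = $2

[ SAN ]
subjectAltName = $3
EOF
  # Key readable by the owner only; no password is stored in the config file.
  (umask 077; openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null)
  openssl req -new -key "$dir/key.pem" -out "$dir/req.csr" \
    -reqexts SAN -config "$dir/req.config"
}

# csr_covers CSR HOST: 0 if the self-signature verifies and HOST matches a DNS
# subjectAltName entry (exact, or one-label wildcard); 2 on a bad signature.
csr_covers() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
  openssl req -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    grep -qxF -e "DNS:$2" -e "DNS:*.${2#*.}"
}

# Demo on a constructed request.
work=$(mktemp -d)
make_csr "$work" www.example.test 'DNS:www.example.test,DNS:*.example.test,IP:192.0.2.10'
for h in www.example.test mail.example.test mail.example.org; do
  if csr_covers "$work/req.csr" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
rm -rf "$work"
```

Current browsers match the hostname against subjectAltName rather than the commonName, so the hostname of the service belongs in the SAN list as well as in the CN.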

 



