How to Generate a CSR (Certificate Signing Request)

• Twitter
• LinkedIn
• Facebook
• Email

Prerequisites

Before you begin, make sure you have OpenSSL installed on your system. You can check if OpenSSL is installed by running the following command:

openssl version

If OpenSSL is not installed, you can install it using your system's package manager.

Windows

1. Download the OpenSSL installer from the

   OpenSSL website

   .

2. Run the installer and follow the prompts to install OpenSSL on your system. You can choose the default options, or customize the installation as needed.

3. Once the installation is complete, you can use the OpenSSL command-line tools in the "bin" directory of the installation directory.

macOS

1. Open a terminal window.

2. Install Homebrew package manager by running the following command:

   /bin/bash -c "$(curl -fsSL
   https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

3. Once Homebrew is installed, run the following command to install OpenSSL:

   brew install openssl

4. After installation, you can access OpenSSL command-line tools by running the following command:

   openssl
   or

   /usr/local/opt/openssl/bin/openssl

Linux

Ubuntu or Debian

1. Open a terminal window.

2. Run the following command to install OpenSSL:

   sudo apt-get install openssl

CentOS or Fedora

1. Open a terminal window.

2. Run the following command to install OpenSSL:

   sudo yum install openssl

Arch Linux

1. Open a terminal window.

2. Run the following command to install OpenSSL:

   sudo pacman -S openssl

3. After installation, you can access OpenSSL command-line tools by running the following command:

   openssl

That's it! You should now have OpenSSL installed on your system.

Method 1: Using a configuration file

Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:

[req]
req_extensions = v3_req

[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com

This configuration file specifies that the CSR should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the configuration file with the -config option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf

This command generates a CSR for example.com with the SANs example.com and *.example.com.

Method 2: Using command-line options

Generate the CSR using the openssl req command, specifying the SANs using the -addext option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -addext "subjectAltName = DNS:example.com, DNS:*.example.com"

This command generates a CSR for example.com with the SANs example.com and *.example.com.

info

Note that the -addext option was added in OpenSSL version 1.1.1. If you're using an older version of OpenSSL, you may need to use a different option such as -config to specify the SANs.

Method 3: Using a combination of configuration file and command-line options

Create a configuration file with the SANs you want to include in the CSR. For example, let's create a file called san.cnf with the following contents:

[req]
req_extensions = v3_req

[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com

This configuration file specifies that the CSR should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the configuration file with the -config option and adding additional SANs using the -addext option. For example:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config san.cnf -addext "subjectAltName = DNS:foo.example.com, IP:192.0.2.1"

This command generates a CSR for example.com with the SANs example.com, *.example.com, foo.example.com, and 192.0.2.1. The first two SANs are specified in the san.cnf file, and the last two are added using the -addext option.

Method 4: Using OpenSSL configuration file

Edit OpenSSL configuration file /etc/pki/tls/openssl.cnf on your server. Under the [v3_ca] section, add the following line:

subjectAltName = DNS:example.com, DNS:*.example.com

This configuration specifies that the certificate should include the SANs example.com and *.example.com.

Generate the CSR using the openssl req command, specifying the -config option and -new option, like below:

openssl req -new -newkey rsa:2048 -nodes -out example.csr -keyout example.key -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=example.com" -config /etc/pki/tls/openssl.cnf

This command generates a CSR for example.com with the SANs example.com and *.example.com.

In this guide, I have covered four different methods to generate a CSR with SANs using OpenSSL. Choose the method that works best for your use case, and ensure that you test your configuration before deploying it in a production environment.