OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
To generate a CSR on your server using OpenSSL, first download the OpenSSL software from http://www.openssl.org/source.
Once downloaded, install the software on your server machine.
On Windows, the default installation path is C:\Program Files\OpenSSL-Win64.
Once the software is installed, go to the bin folder inside the OpenSSL folder (C:\Program Files\OpenSSL-Win64\bin).
In the bin folder you will find the openssl.exe file.
Right-click the openssl.exe file and select the Run as administrator option.
A new command prompt window with openssl will be opened:
Run the following command:
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
The above command will create a new key and a CSR simultaneously in a single command.
Note: If you opened openssl on Windows by running it as administrator, the openssl prompt already appears in the command prompt window, and you do not need to type openssl again at the beginning of the command. In that case, use the following command:
req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Let’s break the command down:
- openssl is the command for running OpenSSL.
- req is the OpenSSL utility for generating a CSR.
- -newkey rsa:2048 tells OpenSSL to generate a new 2048-bit RSA private key. If you would prefer a 4096-bit key, you can change this number to 4096.
- -keyout PRIVATEKEY.key specifies where to save the private key file.
- -out MYCSR.csr specifies where to save the CSR file.
- With these last two items, remember to use your own paths and filenames for the private key and CSR, not the placeholders.
After typing the command, press Enter. You will be presented with a series of prompts.
- First create and verify a pass phrase. Remember this pass phrase because you will need it again to access your private key.
- You will now be prompted to enter the information that will be included in your CSR. This information is also known as the Distinguished Name, or DN. The Common Name field is required by SSL.com when submitting your CSR, but the others are optional. If you would like to skip an optional item, simply press Enter when it appears:
- The Country Name (optional) takes a two-letter country code.
- The Locality Name field (optional) is for your city or town.
- The Organization Name field (optional) is for the name of your company or organization.
- The Organizational Unit Name (optional) is for your department or section.
- For the Common Name, enter the FQDN (fully-qualified domain name) you want to protect, for instance yoursite.com. If you have a wildcard certificate, add an asterisk (*) in front of your domain name (e.g., *.yoursite.com).
- Email Address (optional)
- The Challenge Password field is optional and can be skipped as well.
Upon completion of this process, you will be returned to a command prompt. You will not receive any notification that your CSR was successfully created.
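Because OpenSSL prints no confirmation, it is worth checking the CSR against its private key before submitting it. The POSIX shell script below is an added example, not part of the original guide; it assumes openssl is on the PATH and a shell such as Git Bash, WSL or Linux, and the function names and the script name check_csr.sh are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that a CSR is well formed and belongs to a given
# private key. File names in the usage line are the article's placeholders.

# Print the subject (Distinguished Name) stored in the CSR.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Print the public key size in bits, for example 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_matches_key CSR KEY [PASSIN]
# Succeeds only if the CSR's self-signature verifies AND the public key in
# the CSR equals the one derived from the private key. PASSIN is an optional
# openssl pass phrase source (for example env:VAR); without it, openssl
# prompts for the pass phrase of the key.
csr_matches_key() {
    cmk_csr=$1 cmk_key=$2 cmk_pass=${3:-}
    # Check the message, not the exit status: some OpenSSL releases exit 0
    # even when the signature check fails.
    openssl req -in "$cmk_csr" -noout -verify 2>&1 |
        grep -q 'verify OK' || return 1
    cmk_csr_pub=$(openssl req -in "$cmk_csr" -noout -pubkey) || return 1
    if [ -n "$cmk_pass" ]; then
        cmk_key_pub=$(openssl pkey -in "$cmk_key" -pubout -passin "$cmk_pass" 2>/dev/null)
    else
        cmk_key_pub=$(openssl pkey -in "$cmk_key" -pubout)
    fi
    # An empty key_pub means the key could not be read (wrong pass phrase).
    [ -n "$cmk_key_pub" ] && [ "$cmk_csr_pub" = "$cmk_key_pub" ]
}

# Usage: sh check_csr.sh MYCSR.csr PRIVATEKEY.key
if [ "$#" -eq 2 ]; then
    echo "Subject : $(csr_subject "$1")"
    echo "Key size: $(csr_key_bits "$1") bits"
    if csr_matches_key "$1" "$2"; then
        echo "OK: signature verifies and the CSR matches the private key"
    else
        echo "FAIL: bad CSR, wrong pass phrase, or key does not match" >&2
    fi
fi
```

The individual openssl commands inside the functions can also be typed one at a time at the Windows command prompt.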
We hope this guide helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.