OpenSSL: How to generate a key and certificate request

If you want to bring up a web server, or just add HTTPS (TLS) to an existing website, this quick tutorial may be useful to you. In a Unix environment, generating a private key and certificate signing request (a .key and a .csr) with OpenSSL is quite simple. OpenSSL is a cryptographic toolkit that implements the TLS protocol (and its predecessor SSL) along with the command-line tools for keys, requests and certificates, so that is what we will be using.

Note: This tutorial was made using Ubuntu Server.

Installing OpenSSL

If you do not already have OpenSSL, you can quickly install it with:

sudo apt-get install openssl

Generating a Key and Certificate Request

With that out of the way, let’s move on to making the private key and the Certificate Signing Request (CSR). This can all be done with one command. It’s a doozy, but I’ll explain each part of the command so you’ll know what each bit is for in the future.

Head back to your terminal and type in the following (change the placeholder values to match your details):

openssl req -new -newkey rsa:2048 -nodes -out your_csr_name.csr -keyout your_key_name.key -subj "/C=your_Country/ST=your_state_or_province/L=your_locality_or_city/O=your_organization/OU=your_organizational_unit/CN=your_common_name"

Let’s say your website is website.com, you live in Orlando, Florida, and work in IT at Disney. You want your CSR file to be myCSR.csr and your key file to be JohnsNewKey.key. You might put:

openssl req -new -newkey rsa:2048 -nodes -out myCSR.csr -keyout JohnsNewKey.key -subj "/C=US/ST=Florida/L=Orlando/O=Disney/OU=IT/CN=website.com"

Note that the country (C) field must be the two-letter ISO 3166 code, so US rather than USA; OpenSSL rejects a longer value with a "string too long" error.

Now let’s get into the nitty-gritty of what each part of the above command means:

  • req – This is the certificate request and certificate-generating utility.
  • -new – This flag tells the request utility to generate a new certificate request. Normally this prompts you to fill in the subject values, but it won’t this time around because we supply them with -subj.
  • -newkey rsa:2048 – Still using the request utility, this generates a new private key along with the request. The argument specifies the key type and size: here an RSA key of 2048 bits, which is the minimum size public CAs currently accept.
  • -nodes – Here we’re telling the request utility not to encrypt the private key it creates (the name means "no DES"). The key is then protected only by file permissions, so make sure it is readable by you alone (run the command with umask 077, or chmod 600 the file afterwards) and never copy it anywhere it is not needed.
  • -keyout – The file the new private key is written to.
  • -out – The file the CSR is written to.
  • -subj – This sets the subject name for your request, as a sequence of /field=value pairs. This is why the -new flag above won’t prompt you for values.

Avoiding an SSL Common Name Mismatch

Your CN (website.com in our above example) MUST be exactly the hostname users will type to reach the site, without a scheme or path. When a user opens your URL, the browser checks that the hostname matches a name listed in the certificate. If there is a mismatch, the browser displays a warning page to the user. Two caveats apply. First, modern browsers match against the Subject Alternative Name (SAN) extension and no longer fall back to the CN (Chrome has ignored the CN since version 58), so the hostname must appear as a DNS entry in the SAN; public CAs normally copy the CN into the SAN for you, but you can also put it in the CSR yourself with -addext "subjectAltName=DNS:website.com" on OpenSSL 1.1.1 or later. Second, website.com and www.website.com are different names, so list every hostname you serve, or request a wildcard (*.website.com) to cover all of the first-level subdomains at once.

Using Your Output

Once you run your command, you will have two files: a .key file and a .csr file. Submit only the .csr file to your Certificate Authority (CA); the .key file is your private key and must never leave the server. The CA validates your control of the domain and returns a signed certificate (a .crt), which you install alongside the private key that produced the request. You now have your valid certificate!
