Generate SSL key and CSR with OpenSSL

It is really easy to generate an SSL key and CSR using OpenSSL, and the next several steps will guide you through the process.

If you are on a Linux server, OpenSSL can be downloaded from here: OpenSSL source – or you can install it with your package management software, such as yum or apt-get. Windows users can use Win32OpenSSL.

Once you have OpenSSL installed, we can generate the SSL certificate key:

    openssl genrsa -rand /var/log/messages:/var/log/messages.1:/var/log/messages.10.gz -out 2048

The following will appear:

    2199 semi-random bytes loaded
    Generating RSA private key, 2048 bit long modulus
    .+++
    ………………………………………………………………………………………………………………..+++
    e is 65537 (0x10001)

The above command generates the SSL key using the ‘-rand’ option, with a few big files as sources of random data, and a 2048-bit key size. The reason for using some big files with the ‘-rand’ option is that computers cannot generate truly random numbers, but that is a different story. SSL issuers now require a key of at least 2048 bits, so make sure you generate your key with this size or as a 4096-bit SSL key.

There is another command which can be used:

    openssl genrsa -des3 -out 2048

After executing it, the output will be:

    Generating RSA private key, 2048 bit long modulus
    …………………………………………..+++
    ………………………………………………..+++
    e is 65537 (0x10001)
    Enter pass phrase for
    Verifying - Enter pass phrase for

An SSL key generated with this command is protected by a password. This is good while the key is being transported, but once the key is installed on a web server, the server will ask for the password every time it is restarted. If you have chosen this method, the next command will remove the SSL key password.

    openssl rsa -in -out

If you open the SSL key file it should be similar to this one:


Now, to generate a CSR from the key, use OpenSSL with these options:

    openssl req -new -key -out

You will be asked a few questions for the certificate:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Diego
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freetuts Ltd.
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, YOUR name) []
    Email Address []
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

When you are ready with the CSR information, and you open the CSR file, it should look similar to this:


Now provide the CSR to a certificate issuer and wait for the SSL approval message.
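
A non-interactive version of the steps above, followed by checks worth running before the CSR goes to the issuer: key size, CSR self-signature, and that the CSR carries the public half of your key. This is an added example, not the author's commands; the file names server.key and server.csr, the subject values and www.example.com are assumptions.

```shell
#!/bin/sh
# Added example: file names and subject values are assumptions, not from the page.

# Generate an RSA key (owner-only permissions) and a CSR for common name $2 in directory $1.
make_key_and_csr() {
    dir=$1; cn=$2; bits=${3:-2048}
    # umask 077 in a subshell so the private key is never group/world readable
    ( umask 077 && openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null ) || return 1
    # -subj answers the Distinguished Name questions without prompting
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=California/L=San Diego/O=Example Ltd./OU=Security/CN=$cn"
}

# Print the modulus size in bits of an unencrypted RSA private key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the CSR's self-signature verifies.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Succeed only if the CSR carries the public half of the given private key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Run all checks before the CSR is sent to the certificate issuer.
check_before_submit() {
    key=$1; csr=$2
    [ "$(key_bits "$key")" -ge 2048 ] || { echo "key shorter than 2048 bits"; return 1; }
    csr_signature_ok "$csr"           || { echo "CSR signature invalid"; return 1; }
    csr_matches_key "$key" "$csr"     || { echo "CSR does not match key"; return 1; }
    echo "OK: $(openssl req -in "$csr" -noout -subject)"
}

# Demo in a throwaway directory (www.example.com is a placeholder name).
demo_dir=$(mktemp -d)
make_key_and_csr "$demo_dir" www.example.com && \
    check_before_submit "$demo_dir/server.key" "$demo_dir/server.csr"
rm -rf "$demo_dir"
```

The key/CSR match check catches the common mistake of submitting a CSR built from a different key than the one kept on the server.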

Most SSL issuers have a service that relies upon the Subscriber or the Subscriber’s authorized administrator to approve all certificate requests for all hosts in the domain. It is important that you select the correct authorized administrator email. By selecting an authorized administrator, you warrant to the certificate issuer that the individual is authorized to approve the request. The request for the SSL server certificate will not be processed beyond this point if you select an incorrect email address.
This step is an important part of the SSL certificate issuing process. Its purpose is to prevent someone else from having a certificate issued for your domain.

Be prepared with the following allowed e-mails:
Registered Domain Contacts – This is when the SSL issuer has successfully obtained domain contacts for this domain from the domain registrar. This will be the

  1. Registered Domain Admin contact
  2. Registered Domain Tech contact

Alternate Approval Email Addresses can be used, but you must make sure that such an e-mail account has been set up and is available before you provide the CSR, or the approval email will not be delivered.

Level 2 Domain Addresses as below are allowed:


Level 3 Domain Addresses as below are allowed:


Once you have received and approved the SSL certificate, it will be sent to you and you can install it on your web server.



Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.

Comments (1)

  1. Anthony Gee Roky says:

    Another elegant way I know is this line, creating the key and CSR at the same time:

    openssl req -new -newkey rsa:2048 -nodes -keyout -out
