Generate SSL key and CSR with OpenSSL

It is really easy to generate an SSL key and CSR using OpenSSL, and the next several steps will guide you through the process.

If you are on a Linux server, OpenSSL can be downloaded from here: OpenSSL source, or you can install it with your package management software, such as yum or apt-get. Windows users can use Win32OpenSSL.

Once you have OpenSSL installed, we can generate the SSL certificate key.

The following will appear:

The above command generates an SSL key using the '-rand' option, with a few big files as sources and a 2048-bit key size. The big files are passed to the '-rand' option because computers cannot generate absolutely random numbers, but that is a different story. SSL issuers now require a minimum key size of 2048 bits, so make sure you generate your key with this size or as a 4096-bit SSL key.

There is another command which can be used:

After executing it, the output will be:

An SSL key generated with this command requires a password, which is good when the key is transported, but once the key is set on a web server, the server will ask for the password every time it is restarted. If you have chosen this method, the next command will remove the SSL key password.

If you open the SSL key file it should be similar to this one:

Now, to generate a CSR from the key, use OpenSSL with these options:

You will be asked a few questions for the certificate:

When you are ready with the CSR information, and you open the CSR file, it should look similar to this:

Now provide the CSR to a certificate issuer and wait for the SSL approval message.
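Before the CSR is sent, it can be checked against the key it was generated from. The script below is an added example, not part of the original tutorial; the file names, subject fields and function names are constructed for illustration. It generates a 2048-bit key and CSR, then confirms the CSR's key size, its self-signature, and that it carries the public half of the private key.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial. File names and the subject
# below are constructed sample values.

# Create an RSA key ($4 bits) in $1 and a CSR for subject $3 in $2.
gen_key_and_csr() {
  # umask 077 keeps the private key file unreadable by other users
  ( umask 077; openssl genrsa -out "$1" "$4" 2>/dev/null ) || return 1
  openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Print the size in bits of the public key inside a CSR.
csr_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed if the CSR ($1) carries the public half of the private key ($2).
csr_matches_key() {
  local a b
  a=$(openssl req -in "$1" -noout -modulus 2>/dev/null) || return 1
  b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed if the key file is passphrase-protected (either PEM style).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Checks to run before the CSR is sent to the issuer. $1=csr  $2=key
preflight() {
  local bits
  bits=$(csr_bits "$1")
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "CSR self-signature invalid"; return 1; }
  csr_matches_key "$1" "$2" || { echo "CSR does not match key"; return 1; }
  key_is_encrypted "$2" && echo "note: key has a passphrase"
  echo "ok: ${bits}-bit CSR matches key"
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
gen_key_and_csr "$work/example.key" "$work/example.csr" \
  "/C=US/O=Example Org/CN=www.example.com" 2048 &&
  preflight "$work/example.csr" "$work/example.key"
rm -rf "$work"
```

Only the CSR file goes to the issuer; the key file stays on the server.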

Most SSL issuers have a service that relies upon the Subscriber or the Subscriber's authorized administrator to approve all certificate requests for all hosts in the domain. It is important that you select a correct authorized administrator email. By selecting an authorized administrator, you warrant to the certificate issuer that the individual is authorized to approve the request. The request for an SSL server certificate will not be processed beyond this point if you select an incorrect email address.
This part is important and it is a part of the SSL certificate issue process. Its purpose is to prevent someone else from having a certificate issued for your domain.

Be prepared with the following allowed e-mails:
Registered Domain Contacts – This is when the SSL issuer has successfully obtained domain contacts for this domain from the domain registrar. This will be the

Alternate Approval Email Addresses can be used, but you must make sure that such an e-mail account has been set up and is available before you provide the CSR, or the approval email will not be delivered.

Level 2 Domain Addresses as below are allowed:

Level 3 Domain Addresses as below are allowed:

Once you have received and approved the SSL certificate, it will be sent to you and you can install it on your web server.



Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.

Comments (1)

  1. Anthony Gee Roky says:

    Another elegant way I know is this line, creating the key and CSR at the same time:

    openssl req -new -newkey rsa:2048 -nodes -keyout -out
