How to generate a CSR for Apache/Nginx with OpenSSL

So you have decided that you want to install a certificate on your Apache or Nginx server? Great idea! Let's start then.

First of all, let's wrap up the steps you need to perform to get a certificate working on your server:

  1. Generate a CSR (certificate signing request) and private key pair on the server.
  2. Submit the generated CSR to activate the purchased certificate on your SSL certificate provider's side.
  3. Validate the certificate on the Certificate Authority's or provider's side (the exact process depends on the certificate type and your CA/provider).
  4. Install the certificate on the server.

There are also a few certificate types you should be aware of:

  1. Domain validation (DV) certificates. The most commonly used certificates; they show only the domain name, validity period and CA name. You need to prove control of the domain to get one, nothing more.
  2. Organization validation (OV) certificates. These are a bit harder to get and show your organization details in addition to everything a DV certificate shows. You need a legally registered company and must complete a callback process with the Certificate Authority before the certificate is issued.
  3. Extended validation (EV) certificates. These are the most demanding to obtain. Older browsers displayed a green bar with the organization name next to the domain in the address bar; current browsers no longer show this, so in practice EV differs from OV mainly in the stricter vetting. You need a legally registered organization and must provide supporting documents to the CA. Hard to get, but if you really need it, it is worth the work.

SSL certificates can also be divided into the following categories:

  1. Single-domain certificates. In most cases such a certificate secures the main (bare) domain and its www subdomain, for example yourdomain.com and www.yourdomain.com. However, some Certificate Authorities cover only the one exact name you activate, so a certificate activated for yourdomain.com will not cover www.yourdomain.com. You can also activate a certificate for a custom subdomain, for instance sub.domain.yourdomain.com.
  2. Multi-domain certificates, sometimes called UCC (Unified Communications Certificate) or SAN certificates. Such a certificate secures several different domain names, listed in its Subject Alternative Name extension, and depending on the CA can hold up to 25 or 100 names. You can mix domains and subdomains as you like.
  3. Wildcard certificates. Such a certificate secures the domain name it was activated for and all first-level subdomains of it. For example, a certificate activated for *.yourdomain.com secures yourdomain.com (the main domain name) and all first-level subdomains like sub1.yourdomain.com, sub2.yourdomain.com etc. Keep in mind that it will not secure second-level subdomains like sub1.sub2.yourdomain.com either; only one subdomain level is covered.

It sounds complicated, but actually it is not that difficult. Let's begin with the CSR. We recommend generating the certificate request on the server itself rather than with any online tool: a tool that generates the CSR for you also generates the private key, and a key that has passed through somebody else's server can no longer be treated as private.

You need to connect to your VPS via SSH. Then go to your home directory with this command:

cd ~

Next, run the following command to generate the CSR and the private key files:

openssl req -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Here yourdomain.csr is your CSR file and yourdomain.key is the private key file. -newkey rsa:2048 creates a new 2048-bit RSA key, and -nodes leaves that key unencrypted, which is what Apache and Nginx need in order to start unattended (a passphrase-protected key would have to be unlocked at every restart).

!!ATTENTION!! Do not delete the private key! It is required to install the certificate on the server; without this file the certificate cannot work at all. Keep it in a non-public directory on your server, readable only by root (the web server reads it at startup), and back it up to your local machine over a secure channel. Never send the private key to anyone, including your CA or certificate provider: only the CSR leaves the server. If the key is ever exposed, generate a new key and CSR, have the certificate reissued and revoke the old one.

Once the command is executed, you will be asked a few questions. Here are the example answers:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Own Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:yourdomain.com
Email Address []:mail@yourdomain.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Let's take a detailed look at these. For DV certificates the address details you enter here are not carried over into the certificate, and for OV and EV certificates the CA collects and verifies the organization's address separately. We also recommend leaving the 'extra' attributes (challenge password, optional company name) empty: the challenge password is a legacy attribute that public CAs do not use, and some of them reject or stall CSRs that contain it.

As for the common name, use the exact fully qualified domain name you want to secure with the certificate (for a wildcard certificate, *.yourdomain.com). Do not put your own name or your organization's name there; only a domain name belongs in this field. Note that browsers identify the hosts a certificate is valid for by its Subject Alternative Name (SAN) extension rather than by the common name; the CA fills SAN in from the names you activate the certificate for, so the common name should match the primary name you activate.

So, in short: the certificate request is a small file that carries your public key and the identity details you entered, signed with your private key to prove that you hold it, and the .key file holds the private key itself. The two form a key pair for an asymmetric (public-key) algorithm, RSA in the command above: the CA issues the certificate for the public key, and the server later uses the private key to prove ownership of that certificate during the TLS handshake.

In order to open the CSR you can use any text editor or cat command. We prefer using nano or cat:

nano yourdomain.csr

or

cat yourdomain.csr

Just copy the whole block, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and submit it to your CA/certificate provider to activate the certificate. Only the .csr file is shared; the .key file stays on the server.

Small tip: press CTRL+X to close nano editor.
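The whole procedure above (key, CSR with the common name and extra fields as discussed, and a check that the request is sound before you send it) can also be done non-interactively. The script below is an added example written for this page, not the article's own command; it assumes OpenSSL 1.1.1 or later on a Linux or BSD host, and yourdomain.com, the file names and the subject fields are placeholders. It goes a little beyond the interactive command: the key file is created with owner-only permissions from the start, the request carries a subjectAltName listing both the bare domain and www (the names browsers actually check), and the CSR's signature and public key are verified against the key file before anything leaves the server.

```shell
#!/bin/sh
# Added example for this article, not the original command: generate the key and CSR
# non-interactively, lock the key file down, then verify the request before sending it.
# yourdomain.com, the file names and the subject fields below are placeholders.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"
KEY="${KEY:-$DOMAIN.key}"
CSR="${CSR:-$DOMAIN.csr}"

# 1. Private key. umask 077 makes the file mode 0600 from the moment it is created,
#    so no other local user gets a window in which to read it.
gen_key() {
  (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$KEY" 2>/dev/null)
}

# 2. CSR. "prompt = no" fills the subject from the [dn] section instead of asking
#    questions, so the challenge password and optional company name are simply absent.
#    req_extensions adds a subjectAltName for the bare domain and www.
gen_csr() {
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
C  = US
ST = New York
L  = New York
O  = My Own Company
CN = $DOMAIN

[ ext ]
subjectAltName = DNS:$DOMAIN, DNS:www.$DOMAIN
EOF
  openssl req -new -sha256 -key "$KEY" -config "$cfg" -out "$CSR"
  rm -f "$cfg"
}

# 3. Checks before the CSR leaves the server.
# The CSR is self-signed with the private key; a failed verify means a corrupt file
# or a request that was not produced with this key.
verify_csr() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# The public key embedded in the CSR must equal the one derived from the key file.
key_matches_csr() {
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Subject and SAN lines, so you can eyeball that the names are exactly the ones
# you are going to activate.
csr_names() {
  openssl req -in "$CSR" -noout -text | grep -E 'Subject:|DNS:'
}

# File mode of the key as an octal string (GNU stat first, BSD/macOS stat as fallback).
key_mode() {
  stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY"
}

main() {
  gen_key
  gen_csr
  verify_csr || { echo "CSR signature does not verify" >&2; return 1; }
  key_matches_csr || { echo "CSR public key does not match $KEY" >&2; return 1; }
  echo "key file mode: $(key_mode)"
  csr_names
  echo "Send $CSR to the CA. $KEY stays on this server."
}

main
```

Run it in the directory where the key should live (your home directory in the steps above, or wherever your web server will read it from); it prints the key file mode, the subject and the DNS names it put in the request. The config-file approach is used instead of the newer -addext option because it works the same way on every OpenSSL release and also shows where the SAN list lives if you need to add more names.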

This is the whole process of getting a CSR and a private key generated for your certificate activation. Once you have the certificate, feel free to follow the instructions to get the certificate installed on Apache or Nginx web servers.

Keep it secure!