How to Generate a CSR for an SSL Certificate in Linux

Obtaining an SSL certificate is an important step in securing your website. SSL (Secure Sockets Layer) encrypts communication between a browser and web server, protecting sensitive information like login credentials and financial data.

To get an SSL certificate, you first need to generate a Certificate Signing Request (CSR). The CSR contains information about your organization together with your public key, and it is submitted to the Certificate Authority (CA) for signing. Once the CA has signed the request, it sends you the SSL certificate, which contains your public key and the CA’s digital signature proving the certificate’s authenticity.

In this guide, we will show you how to easily generate a CSR on Linux to request an SSL certificate.

Prerequisites

Before generating the CSR, make sure you have the following:

  • Access to your Linux server with root or sudo privileges. This allows you to install any required packages.
  • Ownership of an active domain name. This will be specified in the CSR and SSL certificate.
  • A decision on which certificate type you need. Common options include single domain, wildcard, or multiple domain certificates.

The steps below use the OpenSSL toolkit, which comes pre-installed on most Linux distributions.

Step 1 – Create the OpenSSL Configuration File

To generate the CSR, we first need to create an OpenSSL configuration file. This contains information like your organization details, SSL certificate domains, and encryption algorithms.

Create a new file named mydomain.cnf and insert the following contents. Update the placeholder values:

[req]
default_bits       = 2048
default_keyfile    = domain.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName                = Locality Name (eg, city)
localityName_default        = New York City
organizationName            = Organization Name (eg, company)
organizationName_default    = My Company Inc.
commonName                  = Fully Qualified Domain Name
commonName_default          = mydomain.com
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = mydomain.com
DNS.2   = www.mydomain.com

Key Points:

  • default_keyfile – Sets the name for your generated private key file
  • countryName – Your 2 letter country code
  • stateOrProvinceName – The state/region where your organization is located
  • localityName – The city where your organization is located
  • organizationName – Your registered company name
  • commonName – Your primary domain name protected by SSL
  • subjectAltName – Any additional domain names to protect

Adjust the above values as per your requirements. Save the file.

Step 2 – Generate the Private Key

The private key is an important cryptographic component in public key encryption. The key pair consists of your private key that is kept secret, and the public key contained in the CSR and certificate.

Use the following OpenSSL command to generate a new 2048 bit private key saved as domain.key:

openssl genrsa -out domain.key 2048

Restrict the key file’s permissions so that only its owner can read it:

chmod 400 domain.key

Step 3 – Generate the CSR (Certificate Signing Request)

With the configuration file and private key ready, we can now generate the CSR.

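Run the following openssl command, replacing mydomain.cnf with your config file name:

openssl req -new -sha256 -key domain.key -out mydomain.csr -config mydomain.cnf

The -key option makes the request use the private key created in Step 2. Without it, openssl req generates a new private key, writes it to the default_keyfile named in the configuration, and prompts for a passphrase to protect it, so the CSR would no longer belong to the key from Step 2.

You will be prompted for each distinguished name field; press Enter to accept the defaults from the configuration file.

The CSR content is then written to mydomain.csr.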

Step 4 – Verify the CSR Details

Before submitting your CSR, let’s confirm it contains the correct information.

View the CSR:

openssl req -text -noout -in mydomain.csr

Check that the organization, domain names, public key, and signature match what you expect.

The CSR is ready to be sent to your SSL certificate provider!
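The checks from this step can be scripted. The following is an added example, not part of the original guide: it verifies the CSR's self-signature, confirms that the CSR carries the public key of domain.key, and requires each expected hostname to appear as a DNS subjectAltName. The function names check_csr and make_demo_csr and the demo.cnf sample are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are illustrative.

# make_demo_csr DIR: build a constructed sample key and CSR for mydomain.com.
make_demo_csr() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
[dn]
CN = mydomain.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
EOF
  openssl genrsa -out "$1/domain.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/domain.key" \
    -out "$1/mydomain.csr" -config "$1/demo.cnf"
}

# check_csr CSR KEY NAME...: succeed only if the CSR's self-signature verifies,
# its public key belongs to KEY, and every NAME is a DNS subjectAltName.
check_csr() {
  csr=$1; key=$2; shift 2
  # 1. Self-signature: shows the request was signed by the key it carries.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "FAIL: CSR signature does not verify" >&2; return 1; }
  # 2. Key match: catches a CSR built from a different (or regenerated) key.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] ||
    { echo "FAIL: CSR public key does not match $key" >&2; return 1; }
  # 3. SANs: split the "DNS:a, DNS:b" line and require exact matches.
  sans=$(openssl req -in "$csr" -noout -text | grep 'DNS:' |
         tr ',' '\n' | sed 's/^ *//; s/ *$//')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$name" ||
      { echo "FAIL: missing subjectAltName $name" >&2; return 1; }
  done
  echo "OK: $csr matches $key and covers: $*"
}

# Demo on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_demo_csr "$tmp"
check_csr "$tmp/mydomain.csr" "$tmp/domain.key" mydomain.com www.mydomain.com
```

Against your own files, call check_csr mydomain.csr domain.key followed by every hostname the certificate must cover.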

Step 5 – Submit the CSR to your Certificate Authority

The CSR can now be submitted to a trusted Certificate Authority (CA) such as Comodo, DigiCert, or GlobalSign, which will verify and sign your certificate request.

The process varies between CAs but usually involves:

  • Pasting the contents of your CSR into their CSR submission form
  • Providing your verified organization identity details
  • Accepting their subscriber agreement
  • Paying the certificate fees

Once issued, you will be able to download the signed SSL certificate containing your public key and domains.

Alternatively, if you manage your own private CA, you can sign the CSR yourself. But for public trust, a certificate from an established public CA is recommended.

Step 6 – Install the Signed SSL Certificate

After receiving the signed certificate from the CA, it needs to be installed on your Linux server.

Copy the certificate file and your private key to the appropriate SSL folders:

cp domain.crt /etc/ssl/certs/domain.crt
cp domain.key /etc/ssl/private/domain.key

For Apache on RHEL/CentOS systems, the paths are:

/etc/pki/tls/certs
/etc/pki/tls/private

The last step is to update your web server configuration to enable HTTPS and use the new certificate and private key.

Refer to your Linux distribution’s documentation for details on configuring Apache or Nginx with the SSL certificate. Common tasks include:

  • Enabling the SSL/TLS module
  • Specifying the certificate and key file paths
  • Adding the SSL listening port (443)
  • Redirecting HTTP to HTTPS

After reloading your web server configuration, your website will now serve the new SSL certificate and be accessible over secure HTTPS connections.

Conclusion

Obtaining and installing an SSL certificate is important for securing sensitive web traffic to your Linux server. By generating a certificate signing request and having it signed by a trusted certificate authority, you can enable HTTPS and TLS encryption.

The process involves first creating a private key, generating the CSR with details of your server and organization, having it signed, and then installing the public certificate. OpenSSL streamlines CSR generation on Linux servers.

Active SSL security helps safeguard your website visitors, ensures compliance with regulations, and provides trust and confidence for return visits to your site. With this guide, you are ready to add HTTPS protection to your Linux web server using a signed SSL certificate deployed through a CSR.
