How to generate a private key and CSR from the command line

This article describes how to generate a private key and CSR (Certificate Signing Request) from the command line. You may need to do this if you want to obtain an SSL certificate for a system that does not include cPanel access, such as a dedicated server or unmanaged VPS.

If your account includes cPanel or Plesk access, you do not have to follow the procedure below. Instead, you can use the SSL/TLS Manager in cPanel or the SSL/TLS Certificates tool in Plesk to generate a private key and CSR. For cPanel instructions, please see this article. For Plesk instructions, please see this article.

Generating a private key and CSR

To generate a private key and CSR from the command line, follow these steps:

  1. Log in to your account using SSH.
  2. At the command prompt, type the following command:
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    This command creates a private key file named server.key and a CSR named server.csr. You can change these filenames to anything you want.
  3. At the Country Name prompt, type the two-letter country code for your location, and then press Enter.

    Make sure you use the correct two-letter country code (for example, US or FR). For a complete list of these codes, please visit http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm.
  4. At the State or Province Name prompt, type the appropriate response for your location, and then press Enter.
  5. At the Locality Name prompt, type the town or city name for your location, and then press Enter.
  6. At the Organization Name prompt, type your company or organization name, and then press Enter.
  7. At the Organizational Unit Name prompt, type the appropriate response for your organization, and then press Enter. Alternatively, to leave this field blank, just press Enter.
  8. At the Common Name prompt, type the domain name that you want to secure with the SSL certificate, and then press Enter.

    The common name is often simply your domain name, such as example.com, or, if you are going to install an SSL certificate for a subdomain, subdomain.example.com. However, if you are going to install a wildcard certificate, make sure that you use *.example.com, where example.com represents your domain name.
  9. At the Email Address prompt, type the e-mail address that you want to associate with the certificate, and then press Enter.
  10. At the Challenge password prompt, press Enter.
  11. At the Optional company name prompt, press Enter.
  12. OpenSSL generates the private key and CSR files. If you typed the command in step 2 exactly as shown, the files are named server.key and server.csr. You can now send the text in the server.csr file to the signing authority to obtain your certificate. (Do not send the information in your private key!)

    You can view and verify the information contained in the CSR. To do this, type the following command:

    openssl req -noout -text -in server.csr
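
The procedure above can also be run without the interactive prompts and followed by checks before the CSR is sent to the signing authority. The script below is an added example, not part of the original article; its function names and subject values are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Non-interactive form of steps 2-12, plus checks to run before submitting the CSR.
# Function names and subject values are constructed for this example.

# -nodes writes the private key unencrypted, so create it under umask 077
# to keep it readable by its owner only.
generate_csr() {  # generate_csr KEYFILE CSRFILE SUBJECT
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# The CSR is signed with the private key; a damaged or edited CSR fails here.
# Match on the "verify OK" message rather than the exit status, which is not
# a reliable signal in every OpenSSL release.
csr_signature_ok() {  # csr_signature_ok CSRFILE
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True only if the CSR carries the public half of this private key.
csr_matches_key() {  # csr_matches_key CSRFILE KEYFILE
    from_csr=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# True only if the key file grants no access to group or others.
key_is_owner_only() {  # key_is_owner_only KEYFILE
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run every check and report which one failed.
check_pair() {  # check_pair CSRFILE KEYFILE
    csr_signature_ok "$1"     || { echo "CSR signature invalid: $1"; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key: $2"; return 1; }
    key_is_owner_only "$2"    || { echo "key readable by others: $2"; return 1; }
    echo "OK: $1 is ready to send; keep $2 on the server"
}

# Demonstration in a throwaway directory.
workdir=$(mktemp -d)
generate_csr "$workdir/server.key" "$workdir/server.csr" \
    "/C=US/ST=Example State/L=Example City/O=Example Org/CN=www.example.com"
check_pair "$workdir/server.csr" "$workdir/server.key"
```

To check an existing pair, call check_pair with the paths to your own CSR and key files.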