Skip to content

Create PKI key and CSR request

Christopher Hopkins edited this page Dec 20, 2013 · 19 revisions

You will generally want to protect information users provide and get from your websites. In order to do this, you will need to generate a PKI private key and Certificate Signing Request (CSR). The PKI private key will be kept on the webserver, and the CSR will be sent to a Certificate Authority (CA) to be signed. The following command will enable you to create both.

 $ openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Openssl will prompt you for additional information, and after you have supplied the answers, then it will generate the key and CSR.

Create encrypted PKI key and CSR request

In case you are particularly security conscious, you can generate the private key so that it is encrypted. Here is the same command as above, but without the '-nodes' option.

 $ openssl req -new -newkey rsa:2048 -keyout yourdomain.key -out yourdomain.csr

Step-by-step key and CSR generation

First step, Generating the private key (omit the '-des3' if you don't want the private key encrypted)

 $ openssl genrsa -des3 -out yourdomain.key 2048

Second step, Generating the CSR

 $ openssl openssl req -new -key yourdomain.key -out yourdomain.csr

Sign your own (or others) keys

Use the example command below (changing the names as needed)

 $ openssl x509 -req -days 365 -in yourdomain.csr -signkey yourdomain.key -out yourdomain.crt

Clone this wiki locally