How to Generate a CSR: Step-by-Step for Any Web Server
A CSR is required to get an SSL certificate from a CA. Learn how to generate one with OpenSSL, Nginx, Apache, and IIS, and what fields to fill in.
Before a Certificate Authority can issue you an SSL certificate, you need to send them a Certificate Signing Request (CSR). A CSR contains your public key and identifying information, and it proves you hold the corresponding private key.
Generating a CSR with OpenSSL
This single command generates a new 2048-bit RSA private key and a CSR in one step (-nodes writes the key to disk unencrypted, so restrict access to yourdomain.key):
openssl req -new -newkey rsa:2048 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr
You'll be prompted for the following fields:
- Country Name — 2-letter ISO code (e.g. US)
- State or Province — full name, no abbreviation
- City/Locality
- Organization Name — your legal entity name (required for OV/EV)
- Common Name — the primary domain (e.g. example.com). See Common Name.
- Email Address — optional for TLS certificates
Adding Subject Alternative Names to the CSR
If you need multiple domains on the certificate, include them in the CSR. Create a config file:
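[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# Prompts for the subject fields; openssl req rejects an empty section unless -subj is given
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g. city)
organizationName = Organization Name
commonName = Common Name (e.g. example.com)
[v3_req]
subjectAltName = DNS:example.com, DNS:www.example.com, DNS:api.example.com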
Then reference it:
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -config openssl.cnf
The CA should honour your requested SANs, though some CAs set SANs themselves based on what you specify in their order form rather than from the CSR. Confirm the final certificate has the right Subject Alternative Names by decoding it with the SSL Certificate Decoder.
EC Key Instead of RSA
For a modern ECDSA certificate (smaller, faster):
openssl ecparam -name prime256v1 -genkey -noout -out ec.key
openssl req -new -key ec.key -out ec.csr
After Getting the Certificate
Once your CA issues the certificate, verify that it matches your private key. Run:
openssl x509 -noout -modulus -in cert.pem | openssl md5
and compare the output with:
openssl rsa -noout -modulus -in key.pem | openssl md5
The hashes must match. This modulus comparison applies to RSA keys only; an EC key has no modulus. You can also decode the certificate with the SSL Certificate Decoder to confirm all fields look correct before installing.
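As an added example (not part of the original page), this script compares public keys rather than RSA moduli, so the key-match check also covers the EC key from the previous section, and it checks the CSR's self-signature and SANs before submission. The function names and the key/CSR/certificate argument order are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for a key, its CSR and the issued certificate.
# Function names and argument order are assumptions made for this example.

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_pem() {  # usage: pubkey_pem key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    echo "unknown kind: $1" >&2; return 2 ;;
  esac
}

# SHA-256 over the DER public key: works for RSA and EC, unlike -modulus.
pubkey_fp() {
  pem=$(pubkey_pem "$1" "$2") || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when both files carry the same public key.
same_key() {  # usage: same_key KIND_A FILE_A KIND_B FILE_B
  a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the CSR's self-signature verifies (proof of key possession).
csr_sig_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# List the SAN entries of a CSR, one per line (e.g. DNS:www.example.com).
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//'
}
csr_has_san() { csr_sans "$1" | grep -qxF "DNS:$2"; }

# Run as: sh check.sh key.pem csr.pem [cert.pem]
if [ "$#" -ge 2 ]; then
  csr_sig_ok "$2" || { echo "CSR signature invalid" >&2; exit 1; }
  same_key key "$1" csr "$2" || { echo "CSR does not match key" >&2; exit 1; }
  csr_sans "$2"
  if [ -n "$3" ]; then
    same_key key "$1" cert "$3" || { echo "certificate does not match key" >&2; exit 1; }
  fi
  echo "OK"
fi
```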