Updated on 2024-06-18 GMT+08:00

How Do I Make a CSR File?

Before applying for a digital certificate, you must generate a private key and a certificate signing request (CSR). The CSR file is the source file for your public key certificate. It contains your server and company details and needs to be submitted to the CA for review.

Select the System generated CSR option because manually generated certificates often include errors. For details about how to handle the failure in getting approved, see What Can I Do When a Message Indicating Approval Failure Due to Blank Main Domain Name Is Displayed?

A private key file will be generated when the CSR file is generated manually. Keep your private key stored safely.

The following describes how to generate a CSR file. You can select whichever method you prefer.

SCM has strict requirements on the key type and length of the CSR file. The key must be RSA and it must be 2,048 bits long.

Generating a CSR File Using OpenSSL

  1. Install the OpenSSL tool.
  2. Run the following command to generate a CSR file:

    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout myprivate.key -out mydomain.csr
    • -new specifies that a new CSR is generated.
    • -nodes specifies that the private key file is not encrypted.
    • -sha256 specifies the digest algorithm.
    • -newkey rsa:2048 specifies the type and length of the private key.
    • -keyout specifies that a private key file is generated. The file name can be customized.
    • -out specifies that the name of the CSR file is generated. The name can be customized.

  3. Generate a CSR file named mydomain.csr.

    Figure 1 Generating a CSR file

    The information to be entered is as follows:

    Field

    Description

    Example Value

    Country Name

    Two-letter code of the country where your company is located. For example, enter CN for China.

    CN

    State or Province Name

    The name of the province or state where your company is located.

    ZheJiang

    Locality Name

    The name of the city where your company is located.

    HangZhou

    Organization Name

    The legal name of your company.

    HangZhou xxx Technologies, Inc.

    Organizational Unit Name

    The department of your company that the applicant belongs to

    IT Dept.

    Common Name

    The website domain name you are applying for an SSL certificate for.

    NOTE:
    • For a certificate with multiple domain names, enter the primary domain name to be associated with the certificate.
    • For a wildcard-domain certificate, enter the wildcard domain name. Example: *.example.com

    www.example.com

    Email Address

    Email of an applicant.

    The CSR file password does not need to be entered. Just press Enter.

    -

    A challenge password

    CSR file password.

    The CSR file password does not need to be entered. Just press Enter.

    -

    • Make sure that UTF8 encoding format is used for a Chinese character–based certificate with OpenSSL. In addition, enable the UTF8 support during OpenSSL compilation.
    • SCM has strict requirements on the key type and length of the CSR file. The key must be RSA and it must be 2,048 bits long.

    After you enter information as prompted, the myprivate.key (private key file) and mydomain.csr (CSR) files are generated in the current directory.

Generating a CSR File Using Keytool

  1. Install Keytool, which is typically included in the Java Development Kit (JDK) tool package.
  2. Use Keytool to generate a Keystore certificate file.

    The Keystore file contains a key. For details about how to export the key, see What Are Mainstream Formats of Digital Certificates?

    1. Run the following command to generate the keystore certificate file:
      keytool -genkey -alias mycert -keyalg RSA -keysize 2048 -keystore ./mydomain.jks
      • -keyalg specifies the key type, which must be RSA.
      • -keysize specifies the key length, which must be 2,048.
      • -alias specifies the certificate alias, which can be customized.
      • -keystore specifies the path for saving the certificate file. The certificate file name can be customized.
      Figure 2 Generating the keystore certificate file
    2. Enter the certificate password and enter information described in the following table:

      Question

      Description

      Example Value

      What is your first and last name?

      Domain name for which you are applying for a certificate.

      NOTE:
      • For a certificate with multiple domain names, enter the primary domain name to be associated with the certificate.
      • For a wildcard-domain certificate, enter the wildcard domain name. Example: *.example.com

      www.example.com

      What is the name of your organizational unit?

      Name of the department that the applicant belongs to.

      IT Dept

      What is the name of your organization?

      The name of the company to which the applicant belongs.

      HangZhou xxx Technologies,Ltd

      What is the name of your City or Locality?

      The city where an applicant is located.

      HangZhou

      What is the name of your State or Province?

      The state or province where an applicant is located.

      ZheJiang

      What is the two-letter country code for this unit?

      The country where the applicant belongs. Use a two-character ISO country code.

      CN

      After you enter the information, review the entered content for errors. If there are no errors, press Y.

    3. Enter the key password as prompted. The password can be the same as the certificate password. If they are the same, press Enter.

  3. Use the certificate file to generate a CSR.

    1. Run the following command to generate a CSR file:
      keytool -certreq -sigalg SHA256withRSA -alias mycert -keystore ./mydomain.jks -file ./mydomain.csr
      • -sigalg specifies the digest algorithm, which is SHA256withRSA.
      • alias specifies the alias, which must be the same as the certificate alias in the keystore file in -alias.
      • -keystore specifies the certificate file.
      • -file specify the CSR file. The file name can be customized.
    2. Enter the certificate password as prompted to generate the mydomain.csr file.