Updated on 2024-09-18 GMT+08:00

How Do I Make a CSR File?

Before applying for a digital certificate, you must generate a private key and a certificate signing request (CSR). The CSR file is the source file for your public key certificate. It contains your server and company details and needs to be submitted to the CA for review.

The System generated CSR option is recommended because manually generated CSRs often include errors. For details about the review failure, see What Can I Do When a Message Indicating Approval Failure Due to Blank Main Domain Name Is Displayed?.

A private key file will be generated when the CSR file is generated manually. Keep your private key stored safely.

The following describes how to generate a CSR file. You can select whichever method you prefer.

SCM has strict requirements on the key type and length of the CSR file. The key must be RSA and it must be 2,048 bits long.

Generating a CSR File Using OpenSSL

  1. Install the OpenSSL tool.
  2. Run the following command to generate a CSR file:

    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout myprivate.key -out mydomain.csr
    • -new specifies that a new CSR is generated.
    • -nodes specifies that the private key file is not encrypted.
    • -sha256 specifies the digest algorithm.
    • -newkey rsa:2048 specifies the type and length of the private key.
    • -keyout specifies the file that the generated private key is written to. The file name can be customized.
    • -out specifies the name of the generated CSR file. The name can be customized.

  3. Generate a CSR file named mydomain.csr.

    Figure 1 Generating a CSR file

    The information to be entered is as follows:

    | Field | Description | Example Value |
    |---|---|---|
    | Country Name | Two-letter code of the country where your company is located. For example, enter CN for China. | CN |
    | State or Province Name | The name of the province or state where your company is located. | ZheJiang |
    | Locality Name | The name of the city where your company is located. | HangZhou |
    | Organization Name | The legal name of your company. | HangZhou xxx Technologies, Inc. |
    | Organizational Unit Name | The department of your company that the applicant belongs to. | IT Dept. |
    | Common Name | The website domain name you are applying for a certificate for. NOTE: For a certificate with multiple domain names, enter the primary domain name to be associated with the certificate. For a wildcard-domain certificate, enter the wildcard domain name. Example: *.example.com | www.example.com |
    | Email Address | Email of an applicant. The CSR file password does not need to be entered. Just press Enter. | - |
    | A challenge password | CSR file password. The CSR file password does not need to be entered. Just press Enter. | - |

    • Make sure that the UTF-8 encoding format is used for a Chinese character–based certificate with OpenSSL. In addition, enable UTF-8 support during OpenSSL compilation.
    • SCM has strict requirements on the key type and length of the CSR file. The key must be RSA and it must be 2,048 bits long.

    After you enter information as prompted, the myprivate.key (private key file) and mydomain.csr (CSR) files are generated in the current directory.
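The following added example (not part of the original page) generates the CSR non-interactively and then checks it against the requirements stated above before submission: the self-signature verifies, the key is RSA, it is 2,048 bits long, and the Common Name is not blank. The helper names make_csr and check_csr are hypothetical; the file names and subject values are the page's sample values.

```shell
#!/bin/sh
# Added example, not from the original page. make_csr and check_csr are
# hypothetical helper names; subject values are the page's samples.

# make_csr KEY CSR SUBJECT [KEYSPEC]: non-interactive form of the page's command.
# -nodes leaves the key unencrypted, so create it under umask 077 (mode 0600).
make_csr() {
    (
        umask 077
        openssl req -new -nodes -sha256 -newkey "${4:-rsa:2048}" \
            -keyout "$1" -out "$2" -subj "$3" >/dev/null 2>&1
    )
}

# check_csr CSR: returns 0 only if the CSR meets the requirements stated above.
check_csr() {
    # The self-signature must verify. Match the message text rather than
    # relying on the exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; return 1; }

    text=$(openssl req -in "$1" -noout -text 2>/dev/null)
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "FAIL: key type is not RSA"; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "FAIL: key length is not 2048 bits"; return 1; }

    # A Common Name left blank at the prompt is omitted from the subject.
    cn=$(openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p')
    [ -n "$cn" ] ||
        { echo "FAIL: Common Name (main domain) is blank"; return 1; }

    echo "OK: RSA 2048, CN=$cn"
}

# Usage:
#   make_csr myprivate.key mydomain.csr \
#     "/C=CN/ST=ZheJiang/L=HangZhou/O=HangZhou xxx Technologies, Inc./OU=IT Dept./CN=www.example.com"
#   check_csr mydomain.csr
```

check_csr works the same way on a mydomain.csr file produced by keytool -certreq.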

Generating a CSR File Using Keytool

  1. Install Keytool, which is typically included in the Java Development Kit (JDK) tool package.
  2. Use Keytool to generate a Keystore certificate file.

    The Keystore file contains a key. For details about how to export the key, see What Are Mainstream Formats of Digital Certificates?

    1. Run the following command to generate the keystore certificate file:
      keytool -genkey -alias mycert -keyalg RSA -keysize 2048 -keystore ./mydomain.jks
      • -keyalg specifies the key type, which must be RSA.
      • -keysize specifies the key length, which must be 2,048.
      • -alias specifies the certificate alias, which can be customized.
      • -keystore specifies the path for saving the certificate file. The certificate file name can be customized.
      Figure 2 Generating the keystore certificate file
    2. Enter the certificate password and enter information described in the following table:

      | Question | Description | Example Value |
      |---|---|---|
      | What is your first and last name? | Domain name for which you are applying for a certificate. NOTE: For a certificate with multiple domain names, enter the primary domain name to be associated with the certificate. For a wildcard-domain certificate, enter the wildcard domain name. Example: *.example.com | www.example.com |
      | What is the name of your organizational unit? | Name of the department that the applicant belongs to. | IT Dept |
      | What is the name of your organization? | The name of the company to which the applicant belongs. | HangZhou xxx Technologies,Ltd |
      | What is the name of your City or Locality? | The city where an applicant is located. | HangZhou |
      | What is the name of your State or Province? | The state or province where an applicant is located. | ZheJiang |
      | What is the two-letter country code for this unit? | The country where the applicant belongs. Use a two-character ISO country code. | CN |

      After you enter the information, review the entered content for errors. If there are no errors, press Y.

    3. Enter the key password as prompted. The password can be the same as the certificate password. If they are the same, press Enter.

  3. Use the certificate file to generate a CSR.

    1. Run the following command to generate a CSR file:
      keytool -certreq -sigalg SHA256withRSA -alias mycert -keystore ./mydomain.jks -file ./mydomain.csr
      • -sigalg specifies the signature algorithm, which is SHA256withRSA.
      • -alias specifies the alias, which must be the same as the certificate alias specified with -alias when the keystore file was generated.
      • -keystore specifies the certificate file.
      • -file specifies the CSR file. The file name can be customized.
    2. Enter the certificate password as prompted to generate the mydomain.csr file.