Before applying for a digital certificate, you must first generate the certificate's private key and a certificate signing request (CSR) file. The CSR is the source file of your public key certificate: it contains your public key together with information about your server and your organization, and it is what you submit to the CA for review. The private key itself is never submitted.

Note
We recommend that you use the built-in CSR generation function of Alibaba Cloud Certificates Service to avoid manual errors. For more information, see Why is the error "Primary domain name cannot be empty" returned when I upload my CSR file.

When you create a CSR manually, the private key is generated at the same time as the CSR. Keep the private key confidential and secure at all times: anyone who obtains it can impersonate your server, and a certificate whose private key has been exposed must be revoked and replaced.

You must provide the following information to create a CSR manually:
Note
Chinese-character input must be UTF-8 encoded.
  • Organization Name (O): the legal name of the requester. It may consist of Chinese characters or English letters.
  • Organization Unit (OU): the unit within the organization that the requester belongs to. It may consist of Chinese characters or English letters.
  • Country Code (C): the country of the requester, as a two-letter ISO 3166-1 code. For example, the country code for China is "CN".
  • State or Province (S): the province or state of the requester. It may consist of Chinese characters or English letters.
  • Locality (L): the city of the requester. It may consist of Chinese characters or English letters.
  • Common Name (CN): the domain name for which the SSL certificate is requested.
Note
The certificate service requires the key in the CSR to be a 2,048-bit RSA key. If the requested certificate is to cover multiple domains or wildcard subdomains, enter only one domain in the Common Name field (the What is your first and last name? prompt in Keytool). For wildcard subdomains, enter the wildcard name itself, for example "*.example.com".

Use OpenSSL tool to generate a CSR file

  1. Install the OpenSSL tool.
  2. Run the following command to generate the private key and the CSR:
     openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout myprivate.key -out mydomain.csr
     Where,
    • -new specifies that a new CSR is generated.
    • -nodes specifies that the private key file is written without passphrase encryption. Protect the file with file-system permissions instead.
    • -sha256 specifies the digest algorithm used to sign the CSR.
    • -newkey rsa:2048 generates a new 2,048-bit RSA private key at the same time as the CSR.
    • -keyout specifies the file the private key is written to.
    • -out specifies the file the CSR is written to.
  3. Enter the requested information at the prompts to generate a CSR file named mydomain.csr.

    The information to enter is described as follows:
    Field                     Description                                      Example
    Country Name              ISO country code (two letters)                   CN
    State or Province Name    The state or province in which you are located   ZheJiang
    Locality Name             City                                             HangZhou
    Organization Name         Company name                                     HangZhou xxx Technologies, Inc.
    Organizational Unit Name  Name of your organizational unit                 IT Department
    Common Name               Domain to be added to the certificate            www.example.com
    Email Address             Not required                                     -
    A challenge password      Not required (press Enter to leave it empty)     -
    After you have followed the prompts and entered all the information, myprivate.key (the private key) and mydomain.csr (the CSR) are generated in the current directory.
Note
If the certificate fields contain Chinese characters, make sure the values you enter are UTF-8 encoded and pass the -utf8 option to openssl req so that the field values are interpreted as UTF-8 strings rather than ASCII. UTF-8 support must also have been enabled when OpenSSL was compiled.

If you have to input Chinese characters into the information fields, we recommend that you use Keytool to generate the CSR file.

Use Keytool to generate a CSR file

  1. Install Keytool (it is included in the Java Development Kit (JDK)).
  2. Use Keytool to generate the keystore file that holds the key pair.
    Note
    The keystore file contains the private key. For more information about how to export the key, see What formats are used for mainstream digital certificates.
    1. Run the keytool -genkey -alias mycert -keyalg RSA -keysize 2048 -keystore ./mydomain.jks command to generate the keystore (-genkey is the short name of -genkeypair). Where,
      • -keyalg specifies the key algorithm, which must be RSA.
      • -keysize specifies the key length in bits, which must be 2048.
      • -alias specifies the alias of the key pair in the keystore, which you can choose freely. You must use the same alias when generating the CSR.
      • -keystore specifies the path of the keystore file.


    2. Enter the keystore password, and then enter the information as described in the following table.
      Field                                               Description                                      Example
      What is your first and last name?                   Domain to be added to the certificate            www.example.com
      What is the name of your organizational unit?       Name of your organizational unit                 IT Department
      What is the name of your organization?              Company name                                     HangZhou xxx Technologies, Ltd.
      What is the name of your City or Locality?          City                                             HangZhou
      What is the name of your State or Province?         The state or province in which you are located   ZheJiang
      What is the two-letter country code for this unit?  ISO country code (two letters)                   CN
      After the input is complete, check the entered information. It must be accurate and authentic. Enter Y to confirm.
    3. Enter the key password as prompted. Press Enter to reuse the keystore password, or enter a separate password for the key.
  3. Generate the CSR file from the keystore.
    1. Run the keytool -certreq -sigalg SHA256withRSA -alias mycert -keystore ./mydomain.jks -file ./mydomain.csr command to generate the CSR. Where,
      • -sigalg specifies the signature algorithm, which is SHA256withRSA (an RSA signature over a SHA-256 digest).
      • -alias specifies the alias, which must be exactly the same as the alias used when the keystore was generated.
      • -keystore specifies the keystore file.
      • -file specifies the CSR output file.
    2. Enter the keystore password as prompted to generate the mydomain.csr file.
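Both procedures above are interactive. The script below, added here as an example and not part of the original page or of Alibaba Cloud's own tooling, performs the same two procedures (OpenSSL and Keytool) non-interactively, using the subject values from the tables above, and then checks the resulting CSR the way a practitioner would before uploading it: that the self-signature verifies, that the key is 2,048-bit RSA signed with SHA-256, that the Common Name is the single domain requested, and (for the OpenSSL path) that the private key on disk is the one the CSR was built from. The alias mycert, the file names, the keystore password "changeit" and the sample subject values are assumptions; it requires openssl on the PATH and, for the Keytool path, a JDK.

```shell
#!/bin/sh
# Added example (not from the original page): generate the private key and CSR
# non-interactively with OpenSSL or Keytool, then check the result before upload.
# Subject values are the constructed sample values from the tables above; the
# alias, file names and keystore password are assumptions.
set -eu
umask 077   # every file created from here on, the private key included, is owner-readable only

SUBJ_C="CN"
SUBJ_ST="ZheJiang"
SUBJ_L="HangZhou"
SUBJ_O="HangZhou xxx Technologies, Inc."
SUBJ_OU="IT Department"

# OpenSSL: -subj answers the prompts, -utf8 makes req interpret the values as
# UTF-8 (needed for Chinese-character fields), -nodes leaves the key file
# unencrypted, so the umask above is what protects it.
gen_csr_openssl() {            # usage: gen_csr_openssl KEYFILE CSRFILE COMMON_NAME
    openssl req -new -nodes -sha256 -newkey rsa:2048 -utf8 \
        -subj "/C=$SUBJ_C/ST=$SUBJ_ST/L=$SUBJ_L/O=$SUBJ_O/OU=$SUBJ_OU/CN=$3" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# Keytool: -genkeypair is the full name of -genkey; -dname answers the prompts
# (a comma inside a value must be escaped with a backslash); -storepass and
# -keypass replace the password prompts. The password is an assumed placeholder.
gen_csr_keytool() {            # usage: gen_csr_keytool KEYSTORE CSRFILE COMMON_NAME PASSWORD
    o_escaped=$(printf '%s' "$SUBJ_O" | sed 's/,/\\,/g')
    keytool -genkeypair -alias mycert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=$3, OU=$SUBJ_OU, O=$o_escaped, L=$SUBJ_L, ST=$SUBJ_ST, C=$SUBJ_C" \
        -keystore "$1" -storepass "$4" -keypass "$4" >/dev/null 2>&1
    keytool -certreq -sigalg SHA256withRSA -alias mycert \
        -keystore "$1" -storepass "$4" -file "$2" >/dev/null 2>&1
}

# Checks that a CSR meets the service's requirements: a valid self-signature
# (proof that the requester holds the private key), a 2,048-bit RSA key, a
# SHA-256 signature, and the expected Common Name. Works for CSRs from either tool.
verify_csr() {                 # usage: verify_csr CSRFILE COMMON_NAME
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    # RFC2253 output puts CN first, so a fixed-string match is version-independent
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | grep -Fq -e "CN=$2," || return 1
}

# Confirms the private key on disk is the one the CSR was built from; otherwise
# the certificate issued for this CSR would be unusable with the key you hold.
key_matches_csr() {            # usage: key_matches_csr KEYFILE CSRFILE
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Stand-alone run: generate with OpenSSL into a scratch directory, check, print the subject.
demo() {
    dir=$(mktemp -d)
    gen_csr_openssl "$dir/myprivate.key" "$dir/mydomain.csr" "www.example.com"
    verify_csr "$dir/mydomain.csr" "www.example.com"
    key_matches_csr "$dir/myprivate.key" "$dir/mydomain.csr"
    openssl req -in "$dir/mydomain.csr" -noout -subject
    rm -rf "$dir"
}
demo
```

The verification step is tool-independent: openssl req reads the NEW CERTIFICATE REQUEST PEM header that Keytool writes, so the same checks apply to a Keytool-generated CSR, and verify_csr fails if a wildcard or a second domain was typed into a field other than the Common Name. Keep the private key (or the keystore) from the same run as the CSR you upload; a key from an earlier attempt will not pass key_matches_csr and would not work with the issued certificate.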