How do I create a CSR file?

Last Updated: Jun 07, 2021

Overview

This article describes how to create a Certificate Signing Request (CSR) file.

Solutions

Before you can apply for an SSL certificate, you must prepare a key file and a CSR file for the SSL certificate. The CSR file contains your public key together with information about your server and your organization. You must submit the CSR file to the certificate authority (CA) for validation.

We recommend that you use a system-generated CSR file to avoid a validation failure caused by invalid information that is entered manually. For more information about how to address the validation failure, see "The 'Primary domain name cannot be empty' error is returned when I upload my CSR file. What do I do?"

If you use a manually generated CSR file, keep it confidential and back up your key file. When you manually generate a CSR file, take note of the following points:

  • Information that is entered in Chinese must be UTF-8-encoded. If you use OpenSSL to edit the information, configure support for UTF-8 encoding.
  • In SSL Certificates Service, the key of a CSR file must be an RSA key that is 2,048 bits in length. If you apply for a multi-domain or wildcard-domain certificate, you need to specify only one domain name in the Common Name or What is your first and last name? field.

The following sections describe how to use different tools to generate CSR files.

Note: If you want to enter Chinese information, we recommend that you use Keytool.

Use OpenSSL to generate a CSR file

  1. Log on to your server.
  2. Install OpenSSL. For more information, visit OpenSSL.
  3. Run the following command to generate a CSR file:
    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]
    Note:
    • -new: generates a CSR file.
    • -nodes: does not encrypt the key file.
    • -sha256: the digest algorithm.
    • -newkey rsa:2048: the type and length of the key.
    • [$Key_File]: the name of the key file.
    • [$OpenSSL_CSR]: the path to store the CSR file.

    The following output is returned.

  4. Enter the required information based on the output to generate the CSR file. The following list describes the fields that you must specify:
    • Organization Name: the name of the company, which can be in Chinese or English.
    • Organization Unit Name: the name of the department, which can be in Chinese or English.
    • Country Code: the code of the country for the applicant company, which is a two-letter code. For example, use CN to represent China.
    • State or Province: the name of the state or province, which can be in Chinese or English.
    • Locality: the name of the city, which can be in Chinese or English.
    • Common Name: the domain name of the website for which you want to apply for the certificate.
    • Email Address: This field is optional.
    • A challenge password: This field is optional.
  5. Obtain the key file and CSR file in the current directory.
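
A pre-submission check for the OpenSSL procedure above, added here as an example and not taken from the original article: it generates the CSR non-interactively with UTF-8 input, then confirms the points listed earlier (RSA 2,048-bit key, non-empty Common Name) and that the key file matches the CSR. The subject values, domain, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Domain, subject values and file names are constructed placeholders.

# gen_csr KEY CSR SUBJECT: the documented command, made non-interactive with
# -subj; -utf8 makes OpenSSL read non-ASCII (e.g. Chinese) values as UTF-8.
gen_csr() {
  openssl req -new -nodes -sha256 -newkey rsa:2048 -utf8 \
    -keyout "$1" -out "$2" -subj "$3" 2>/dev/null || return 1
  chmod 600 "$1"   # -nodes leaves the key unencrypted: owner-only access
}

# csr_cn CSR: print the Common Name stored in the CSR (empty if none).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    awk -F' = ' '/^ *commonName/ { print $2; exit }'
}

# check_csr KEY CSR: return 0 only if the CSR passes every check below.
check_csr() {
  # The CSR's self-signature must verify (file not truncated or altered).
  openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" ||
    { echo "CSR signature does not verify" >&2; return 1; }
  # The key must be RSA and 2,048 bits long.
  text=$(openssl req -in "$2" -noout -text 2>/dev/null)
  echo "$text" | grep -q "Public Key Algorithm: rsaEncryption" &&
    echo "$text" | grep -q "Public-Key: (2048 bit)" ||
    { echo "key is not RSA 2048" >&2; return 1; }
  # Common Name must be present (the primary domain name).
  [ -n "$(csr_cn "$2")" ] || { echo "Common Name is empty" >&2; return 1; }
  # The key file you keep must be the one the CSR was created from.
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ] ||
    { echo "key file does not match CSR" >&2; return 1; }
}

# Demo with constructed values, written to a temporary directory.
demo_dir=$(mktemp -d)
gen_csr "$demo_dir/server.key" "$demo_dir/server.csr" \
  "/C=CN/ST=Zhejiang/L=Hangzhou/O=示例公司/OU=IT/CN=www.example.com" &&
  check_csr "$demo_dir/server.key" "$demo_dir/server.csr" &&
  echo "CSR OK, CN=$(csr_cn "$demo_dir/server.csr")"
```

Save the script as UTF-8 so that the non-ASCII organization name is passed to OpenSSL unchanged.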

Use Keytool to generate a CSR file

  1. Log on to your server.
  2. Install Keytool.
    Note: In most cases, Keytool is included in the Java Development Kit (JDK).
  3. Run the following command to generate a keystore certificate file:
    keytool -genkey -alias [$Alias] -keyalg RSA -keysize 2048 -keystore [$Keytool_Path]
    Note:
    • -keyalg: the type of the key.
    • -keysize: the length of the key. The value is 2048.
    • [$Alias]: the alias of the certificate, which can be customized.
    • [$Keytool_Path]: the path to store the certificate file.

  4. Enter the password that is used to protect the certificate based on the output returned by the system.
  5. Enter the required information based on the output to generate the CSR file. The following list describes the fields that you must specify:
    • first and last name: the domain name for which you want to apply for the certificate.
    • name of your organizational unit: the name of the department.
    • name of your organization: the name of the company.
    • name of your City or Locality: the name of the city.
    • name of your State or Province: the name of the state or province.
    • two-letter country code for this unit: the two-letter International Organization for Standardization (ISO) code of the country.
  6. Confirm the input and enter Y.
  7. Enter the key password as instructed.
  8. Run the following command to generate a CSR file:
    keytool -certreq -sigalg SHA256withRSA -alias [$Alias] -keystore [$Keytool_Path] -file [$Keytool_CSR]
    Note:
    • -sigalg: the digest algorithm.
    • [$Keytool_CSR]: the path to store the CSR file.

  9. Enter the certificate password as instructed, and then check whether the CSR file is generated.

Application scope

  • SSL Certificates Service