bg-tutorials

How to Generate a CSR in CentOS

This guide shows you how to generate a CSR (Certificate Signing Request) on CentOS using the OpenSSL command line. You run one command, answer a few prompts about your domain and organization, and OpenSSL writes two files: a CSR you send to the Certificate Authority and a private key that stays on your server. The same steps work on CentOS Stream, AlmaLinux, Rocky Linux, and Red Hat Enterprise Linux, because they all ship the same openssl tool.

A note on CentOS versions: CentOS Linux 8 reached end of life on December 31, 2021, and CentOS Linux 7 on June 30, 2024. Those releases no longer receive security updates, so do not run them for new public sites. CentOS Stream is the current line maintained by the CentOS Project, and AlmaLinux and Rocky Linux are drop-in replacements for the old CentOS Linux. The CSR command below is identical on all of them.

Step 1: Log in to your server over SSH

Connect to your CentOS server with SSH. Replace user with your account name and server-ip with your server’s hostname or IP address:

ssh user@server-ip

Generating the key and CSR does not need root, but you do need write access to the directory you run the command in. Confirm OpenSSL is available with:

openssl version

If the command is missing, install it with sudo yum install openssl on CentOS 7, or sudo dnf install openssl on CentOS Stream, AlmaLinux, and Rocky Linux.

Step 2: Create the private key and CSR

Run the following command at the prompt. It creates a 2048-bit RSA private key and a matching CSR in one step:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr -addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"

Replace yourdomain with your actual domain name so the files are easy to identify later. For example, if your domain is example.com, the files become example.key and example.csr. Here is what each part of the command does:

  • req -new creates a new certificate signing request.
  • -newkey rsa:2048 generates a new RSA private key at 2048 bits, the current minimum for public certificates.
  • -nodes leaves the private key unencrypted, so the web server can read it at startup without a passphrase prompt.
  • -keyout yourdomain.key sets the file name for the private key.
  • -out yourdomain.csr sets the file name for the CSR.

OpenSSL uses SHA-256 to sign modern CSRs by default, which is what Certificate Authorities require. If you prefer an elliptic-curve key instead of RSA, swap in a P-256 key:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout yourdomain.key -out yourdomain.csr -addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"

Keep the private key private. The .key file must never leave your server and must never be sent to the Certificate Authority or anyone else. Only the .csr file is submitted. Anyone who has the private key can impersonate your site, so protect it and back it up to a safe location.

Step 3: Enter your organization details

After you run the command, OpenSSL prompts for the details that go into the CSR. Answer each one as described below:

  • Country Name: the two-letter ISO country code for where your organization is registered. For example, enter US for the United States or GB for the United Kingdom. Use GB, not UK: UK is not a valid ISO code and will make the CSR invalid.
  • State or Province Name: the full name of the state or province, not an abbreviation (for example, California).
  • Locality Name: the full name of the city or town where your organization is located.
  • Organization Name: for a Business Validation or Extended Validation certificate, enter your company’s exact legal name. For a Domain Validation certificate, you can use your full name instead.
  • Organizational Unit Name: the department that manages your certificates, such as IT or Web Administration. This field is optional and you can leave it blank.
  • Common Name: the fully qualified domain name (FQDN) you want to secure, for example www.example.com. For a Wildcard certificate, put an asterisk in front of the domain, for example *.example.com. Do not include https:// or any other characters.
  • Email Address: modern Certificate Authorities ignore this field for validation. You can leave it blank or add a contact address.
  • A challenge password: leave this blank. It is a legacy field that Certificate Authorities do not use, and adding one can cause problems with some order systems.

When you finish the prompts, OpenSSL writes both files to your current directory. List them to confirm they exist:

ls -l yourdomain.key yourdomain.csr

Step 4: Verify the CSR before you submit it

Check the CSR before sending it to the Certificate Authority. This confirms the details are correct and the signature is valid, which avoids a rejected order:

openssl req -noout -text -verify -in yourdomain.csr

Look for verify OK in the output, then check that the Subject line shows the Common Name, organization, and country you entered, and that the key matches what you expected (for example, RSA 2048 bit with a SHA-256 signature). If you prefer a browser, paste the CSR into our online CSR decoder to read the same details.

Step 5: Copy the CSR and order your certificate

Open the CSR to copy its contents:

cat yourdomain.csr

Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines and everything between them. Each marker uses five hyphens on each side. Paste the whole block into the order form when you buy your certificate. If you prefer to prepare the request before ordering, you can also paste it into our CSR Generator.

After the Certificate Authority validates the CSR and issues the certificate, follow our CentOS SSL installation instructions to install it. Once the certificate is live over HTTPS, scan it with our SSL Checker to confirm the certificate and chain are served correctly.

Generate a CSR on other Linux platforms

The OpenSSL command is the same across distributions. If you work on a different system, see our guides for Red Hat Linux, Debian, and Ubuntu.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.