How to Generate a CSR for a Code Signing Certificate with OpenSSL

Important Update!

Starting from June 1st, 2023, a new security measure is in place for code signing certificates. All code signing certificates must now be stored on hardware meeting specific security standards such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents.

As a result, the process of obtaining and installing certificates has changed. Certificate Authorities no longer support browser-based key generation, creating CSRs, and installing certificates on laptops or servers. Instead, if you opt for token + shipment as your code signing delivery method, the CA will handle CSR generation. Alternatively, if you prefer to use your Hardware Security Module (HSM), check the guides below or follow your HSM provider’s instructions for CSR generation.

The following text contains outdated information, no longer applicable to CSR generation for code signing certificates.

This guide will show you how to generate a Certificate Signing Request for code signing certificates with OpenSSL. Once you follow the process and become familiar with the commands, you’ll be able to create future CSR codes in just a few minutes straight from your device. The only prerequisite is to have OpenSSL installed on your system. Follow the steps below for a quick CSR generation.

1. Download and Install OpenSSL

If you don’t have OpenSSL installed on your computer, download the OpenSSL version compatible with your system, and then install it on your device.

2. Run OpenSSL From Your Device

Open the Run app on your Windows device by pressing the Windows key + R on your keyboard. In the Run dialog box that appears, type cmd and then press Enter. Make sure to run the Command Prompt as an administrator by right-clicking the Command Prompt icon and selecting “Run as Administrator.” This will launch the Windows Command Prompt interface.

You can also access the Command Prompt by typing cmd into the search bar located on your taskbar and then selecting the Command Prompt app.

Once the Command Prompt window is open, you can change the current directory to the location where you have OpenSSL installed. To accomplish this, use a command similar to one of the following examples and press Enter:

cd \OpenSSL-Win32\bin

cd \Program Files\OpenSSL-Win64\bin

3. Generate the Private Key and the CSR

Start by generating the private key. The command specifies the key algorithm (RSA) and the size of the private key (3072 bits):

openssl genrsa -out code_signing_key.key 3072

Now, generate the CSR file itself:

openssl req -new -key code_signing_key.key -out code_signing_csr.txt

4. Complete the CSR Fields With the Required Information

Enter your contact data as prompted. Please include accurate and up-to-date information. The values below are examples; replace them with your actual details.

  • Country (C) – Enter the two-letter country code where your company is registered or where you reside. Ex: US.
  • State or Province (ST) – Enter the state name where your company is registered. Ex: California.
  • Locality (L) – Enter the city name where your company is registered. Ex: San Jose.
  • Organization Name (O) – Enter the official name of your organization or your full name if you request a Code Signing certificate for an individual. Ex: GPI Holding LLC.
  • Organizational Unit (OU) – Specify the department within your company requesting the Code Signing certificate. Ex: IT.
  • Common Name (CN) – Enter the name of your organization or your full name here.
  • Email Address – Provide a valid email address.

You can leave the optional password and organization name fields blank and simply press Enter.

Note: An alternative way to generate the private key and CSR is to combine Step 3 and Step 4 in one command:

openssl req -new -newkey rsa:3072 -nodes -out code_signing_csr.txt -keyout code_signing_key.key -subj "/C=US/ST=California/L=San Jose/O=GPI Holding LLC/CN=GPI Holding LLC"

5. Move Your Newly Created Private Key and CSR Files to Another Directory

Move the private key and the CSR files out of the OpenSSL folder to a central directory on your device. Keep the private key safe, and don’t share it with unauthorized personnel. The key file created by the commands above is not passphrase-protected, so restrict access to the directory that holds it. Use the Command Prompt commands below to move your files:

  • Create a new folder on your C drive:
    md c:\codesigningcertificates
  • Move your private key:
    move code_signing_key.key c:\codesigningcertificates
  • Move your CSR:
    move code_signing_csr.txt c:\codesigningcertificates

6. Submit the CSR to Your CA

Now that your CSR is ready, you can open it with any text editor, such as Notepad, and copy its contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags, into the relevant box during the certificate enrollment process on your vendor’s page.
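
Before pasting the CSR into the enrollment form, it is worth confirming that it is well-formed and belongs to the private key you just stored. The batch script below is an added example, not part of the original guide; it assumes it is run from c:\codesigningcertificates, that openssl.exe is on your PATH, and that the files keep the names and the RSA key type used in the steps above.

```bat
@echo off
rem Added example: sanity-check the CSR before submitting it to the CA.
rem Assumptions: run from the folder created in step 5, openssl.exe on PATH,
rem RSA key and file names as used in this guide.
setlocal
set "KEY=code_signing_key.key"
set "CSR=code_signing_csr.txt"
set "KEYHASH="
set "CSRHASH="

rem 1. The CSR must parse and its self-signature must verify.
rem    Match on the message text rather than relying on the exit code alone.
openssl req -in "%CSR%" -noout -verify 2>&1 | findstr /c:"verify OK" >nul
if errorlevel 1 (
    echo FAIL: %CSR% is unreadable or its signature does not verify
    exit /b 1
)

rem 2. Show what the CA will see: the subject fields and the key size.
openssl req -in "%CSR%" -noout -subject
openssl req -in "%CSR%" -noout -text | findstr /c:"Public-Key"

rem 3. The CSR must carry the public half of this private key.
rem    Compare a digest of the RSA modulus taken from each file.
for /f "delims=" %%A in ('openssl rsa -in "%KEY%" -noout -modulus ^| openssl sha256') do set "KEYHASH=%%A"
for /f "delims=" %%A in ('openssl req -in "%CSR%" -noout -modulus ^| openssl sha256') do set "CSRHASH=%%A"

if not defined KEYHASH (echo FAIL: could not run openssl on %KEY% & exit /b 1)
if not defined CSRHASH (echo FAIL: could not run openssl on %CSR% & exit /b 1)
if not "%KEYHASH%"=="%CSRHASH%" (
    echo FAIL: %KEY% is unreadable or does not match %CSR%
    exit /b 1
)

echo OK: CSR verifies and matches the private key
exit /b 0
```

If the subject line shows a typo or the key size is not the 3072 bits requested in step 3, regenerate the CSR rather than submitting it.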

Final Steps

After the CA verifies and validates your code signing certificate request, it will send the necessary files via email. Depending on your validation level, it may take between one and a few business days to receive the signed certificate.