This guide shows you how to generate a CSR (Certificate Signing Request) in CWP, the hosting control panel formerly known as CentOS Web Panel and now branded Control Web Panel after CentOS reached end of life in June 2024.
The project kept the CWP abbreviation and now runs on RHEL-compatible distributions such as AlmaLinux, Rocky Linux, RHEL, and CloudLinux. The CSR steps below are the same on all of them.
CWP generates the CSR and its matching private key together, saves the key on the server, and gives you a text block to paste into your Certificate Authority’s order form. The same form covers single-domain, multi-domain (SAN), and wildcard certificates.
Generate a CSR in CWP
If you already generated your CSR with another tool, skip ahead to how to install an SSL certificate on CWP. Otherwise, follow the steps below. The labels match the current CWPpro admin panel; the older menu names are noted where they differ.
Step 1: Open the SSL Cert Manager
- Log in to the CWP admin area as root. The admin panel listens on port 2030 (HTTP) or 2031 (HTTPS) by default.
- In the left menu, click WebServer Settings (labeled Apache Settings in older CWP releases).
- From the expanded menu, select SSL Cert Manager (also shown as SSL Certificates on some builds).
- Switch to the Generate CSR tab.
Step 2: Fill in the CSR form
Complete every field. CWP feeds these values straight into OpenSSL, so spelling and formatting matter. For a Domain Validation (DV) certificate the organization fields are not verified by the CA, but they still appear in the issued certificate when included, so fill them out accurately.
- Common Name (Domain): the Fully Qualified Domain Name (FQDN) you want to secure, for example www.example.com. For a wildcard certificate, put an asterisk in front of the apex domain (for example *.example.com) to cover every first-level subdomain.
- Country Name (Code): the two-letter ISO 3166-1 code for the country where the organization is registered (for example US, GB, DE).
- State or Province Name: the full name of the state, province, or region. Do not abbreviate.
- City Name: the full name of the city where the organization is registered. Do not abbreviate.
- Organization Name: the legal name of the company that owns the domain. For a DV certificate ordered by an individual, enter your full name or NA. Do not enter the domain name here.
- Organization Unit Name: the CA/Browser Forum has deprecated this field, so most public CAs strip it from the issued certificate. Leave it blank or enter NA.
- Email Address: leave blank. Modern public CAs no longer use this field for validation, and it will not appear in the Subject of the issued certificate.
- Valid Days: the default value here only affects a self-signed test certificate CWP can build alongside the CSR. It has no effect on a certificate issued by a public CA, so the default is fine.
- Key Size: choose 2048 bit. RSA-2048 is the safest default in 2026; it is supported by every CA and every client, and it is the CA/Browser Forum baseline. Larger sizes (RSA-4096) are allowed but double the handshake cost without a meaningful security gain for public TLS.
Step 3: Generate and copy the CSR
Click Generate. CWP creates two files on the server:
- The CSR, stored as .csr in /etc/pki/tls/certs/.
- The matching private key, stored in /etc/pki/tls/private/. It also appears in the Private Key tab of the SSL Cert Manager. Do not delete it: you will need it when you install the issued certificate.
Open the CSR file with any text editor. The contents look like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
...base64 content of your CSR...
EE9aJDxhWjEFqYdxPpJv3yhT/4M3xZJP0YuVqYU3MA==
-----END CERTIFICATE REQUEST-----
Select the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (five hyphens on each side of the label), and copy it. Paste the block into the CSR field when you order or reissue your certificate with the Certificate Authority. Before submitting, sanity-check the CSR with our CSR Decoder to confirm the common name, SAN list, key size, and signature algorithm are what you expect.
If you would rather skip the CWP form entirely, you can create the CSR off-server with our CSR Generator. Just remember that the matching private key is then created off-server too, so you will need to upload both the issued certificate and the key during installation, instead of letting CWP pair the certificate with its on-server key.
Alternative: generate the CSR on the server with OpenSSL
CWP is a web layer over Apache or Nginx running on a standard RHEL-family Linux server, so you can also generate the CSR from the shell with OpenSSL. This is useful if you script certificate renewals or prefer the command line. Connect over SSH as root and run:
openssl req -new -newkey rsa:2048 -nodes \
-keyout /etc/pki/tls/private/example.com.key \
-out /etc/pki/tls/certs/example.com.csr
OpenSSL then prompts you for the same fields as the CWP form (Common Name, Country, State, Locality, Organization, Organizational Unit, Email). Use the same answers described in Step 2. The command writes the CSR to /etc/pki/tls/certs/example.com.csr and the private key to /etc/pki/tls/private/example.com.key, which match the locations CWP uses, so the SSL Cert Manager will pick the files up when you install the certificate later.
Lock down the key so only root can read it:
chmod 600 /etc/pki/tls/private/example.com.key
When you do not need a CSR: AutoSSL (Let’s Encrypt)
If you only need a basic Domain Validated certificate, CWP can issue and renew one for free with the built-in Let’s Encrypt integration, and the panel handles the CSR for you in the background. In the admin area, open WebServer Settings > SSL Cert Manager and switch to the AutoSSL (or Let’s Encrypt) tab, select the user and the domain you want to cover, then click Install SSL. End users with their own CWP account can do the same from Domains > AutoSSL in the user panel.
Let’s Encrypt certificates are valid for 90 days and CWP renews them automatically about 30 days before expiry. The issued files live under /etc/letsencrypt/live/<domain>/. Generate a CSR yourself only when you ordered a paid certificate (Organization Validation, Extended Validation, wildcard with extra warranty, multi-domain) or when your CA requires a CSR for reissue.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


