bg-tutorials

How to Generate a CSR in DirectAdmin

This guide shows you how to generate a CSR (Certificate Signing Request) in DirectAdmin. The CSR is the encoded text block that you submit to your Certificate Authority. It carries your domain and identity details, and DirectAdmin pairs it with a private key it stores on the server. You will create the CSR from the User level of the control panel and end up with two pieces: the CSR text you copy into your order, and a matching private key that DirectAdmin keeps on disk for the install step.

The steps below cover the current DirectAdmin Evolution skin (the default in new installations) and note the equivalent path on the older Enhanced skin. They also cover the SAN limitation of the in-panel form and the free Let’s Encrypt alternative that ships in the same screen.

Generate the CSR in DirectAdmin

If you already generated your CSR (for example with our CSR Generator), skip ahead to how to install an SSL certificate on DirectAdmin. Otherwise follow the seven steps below.

Step 1: Log in at the User level

SSL certificates in DirectAdmin are managed per domain at the User level. If you sign in as Admin or Reseller, switch to the right user with the level selector in the top menu first. If the account holds more than one domain, pick the domain you want to secure before you open the SSL screen.

Step 2: Open the SSL Certificates page

  • Evolution skin (current default): in the left menu, open Account Manager and click SSL Certificates.
  • Enhanced (legacy) skin: open Advanced Features and click SSL Certificates.

Step 3: Choose Create a Certificate Request

The SSL Certificates page shows a list of radio options. Select Create A Certificate Request. This is the in-panel CSR form and the option name is the same on every skin.

Step 4: Fill in the CSR fields

Enter the details below. Use plain ASCII characters: non-Latin letters break the request at most CAs.

  • Key Size: select 2048 bits. That is the current minimum every public CA accepts. Pick 3072 or 4096 only if your security policy requires it. The trade-off is a slightly slower TLS handshake.
  • Common Name (CN): the fully qualified domain name you want to secure, for example www.example.com. For a wildcard certificate, prefix the apex with an asterisk, for example *.example.com. A wildcard covers one level of subdomains (shop.example.com, mail.example.com), not the apex or deeper labels like a.b.example.com.
  • Email: a contact address at the domain or your administrative inbox. Most CAs ignore this field but DirectAdmin requires a value.
  • Country: the two-letter ISO country code (for example US, GB, DE).
  • State: the full state or province name (for example California, not CA).
  • City: the full city name (for example Los Angeles, not LA).
  • Company: the full legal organization name, exactly as registered (for example Example Inc). Required for Organization Validation (OV) and Extended Validation (EV) certificates. For Domain Validation (DV), the CA ignores it, so any short placeholder works.
  • Division (Organizational Unit): a department label such as IT. This attribute has been deprecated by the CA/Browser Forum for public certificates, so leave it minimal or blank.
  • Subject Alternative Names (SAN): if the form on your build exposes a SAN field, add every additional hostname here, one per line (for example example.com as well as www.example.com). If the field is not present, see SAN limitation below.

Step 5: Save and copy the CSR

Double-check every field, then click Save. DirectAdmin generates the private key and the matching CSR and shows the CSR in a text area on the same page (recent Evolution builds open it in a Certificate Request dialog with a Copy to Clipboard button).

The CSR is a base64 block that looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

Select the whole block, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into the CSR field on your CA order form. The leading and trailing dash lines must use exactly five ASCII hyphens on each side.

Step 6: Check where DirectAdmin stored the private key

You do not have to extract the private key manually: DirectAdmin saves it on disk and pre-fills it on the SSL installation form for the same domain. If you want a copy for backup or off-server use, you can download it from the same page (the form keeps it in the lower text box) or read it from disk over SSH:

/usr/local/directadmin/data/users/<user>/domains/<domain>.key

where <user> is the DirectAdmin username and <domain> is the domain (for example example.com.key). The matching files are <domain>.cert (the issued certificate, written during install) and <domain>.cacert (the chain referenced by Apache’s SSLCACertificateFile; some DirectAdmin builds also expose the same content as <domain>.ca). Treat the key file as a secret: keep its permissions tight and never paste it into the CSR field, into a ticket, or anywhere public. If you do save a copy off-server, store it as a secure note in a password manager or in a secrets vault, not as a loose file on a workstation.

Step 7: Verify the CSR before you submit it

It is worth checking that the Common Name, SAN entries, and key size are what you expect before you spend a validation cycle. Paste the CSR into SSL Dragon’s CSR Decoder and confirm that the CN matches the hostname your visitors use, that any additional names appear under Subject Alternative Name, and that the key size is at least 2048 bits.

Once the CA validates your order and emails the certificate files, continue with how to install an SSL certificate on DirectAdmin.

SAN limitation of the in-panel form

Modern browsers and TLS libraries (Chromium, Firefox, Safari, Java, Go, .NET) check the hostname against the Subject Alternative Name extension, not the Common Name. Public CAs work around this by copying the CN into a SAN entry automatically for single-name orders, so a CN-only request still issues for one hostname. But:

  • If you need a certificate that covers example.com and www.example.com together, or any multi-domain certificate, the CN-only form cannot encode them.
  • Some DirectAdmin builds expose a dedicated Subject Alternative Names field on the form. If yours does, use it.

If the panel form does not let you add SANs and your order needs more than one hostname, generate the CSR off-server with our CSR Generator, save the private key it produces, and paste both into the installation page in DirectAdmin when the certificate arrives. The DirectAdmin install tutorial walks through that path.

Alternatively, you can build the CSR over SSH with OpenSSL and a small config file that lists every SAN:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout example.com.key \
  -out example.com.csr \
  -subj "/C=US/ST=California/L=Los Angeles/O=Example Inc/CN=www.example.com" \
  -addext "subjectAltName = DNS:www.example.com, DNS:example.com"

Then paste the .key and the issued certificate into the DirectAdmin Paste a pre-generated certificate and key option on the same SSL Certificates page.

Free option: Let’s Encrypt and ACME in DirectAdmin

If you do not need a commercial certificate, DirectAdmin can issue a free one without a CSR at all. On the same SSL Certificates page, select Free & automatic certificate from Let’s Encrypt (on newer Evolution builds the option is labeled Get automatic certificate from ACME Provider and offers both Let’s Encrypt and ZeroSSL as providers). Pick the domain and any subdomains you want covered, tick Wildcard if you need every subdomain, and click Save.

Let’s Encrypt and ZeroSSL certificates are valid for about 90 days and DirectAdmin renews them automatically around day 85, so there is no CSR to copy and no certificate to reinstall. They use the same encryption a paid certificate does. A commercial certificate still makes sense when you need Organization or Extended Validation, a longer fixed term, a warranty, or vendor support tied to your domain identity.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.