bg-tutorials

How to Generate the CSR on ISPConfig

This guide shows you how to generate a CSR in ISPConfig, the open-source Linux hosting control panel. ISPConfig manages SSL per website: you open the site in the panel, enable SSL on the Domain tab so the SSL tab appears, fill in the organization fields, and set SSL Action to Create Certificate. ISPConfig creates the CSR and its matching private key together, saves both with the site, and shows the CSR text you paste into your Certificate Authority’s order form.

If you don’t need the warranty or organization validation of a paid certificate, ISPConfig 3.2 and newer can also issue a free Let’s Encrypt certificate with one checkbox, with no CSR required. See the Let’s Encrypt alternative section below.

Generate the CSR in ISPConfig

If you already have a CSR (for example, you generated it with our CSR generator or another tool), skip ahead to how to install an SSL certificate on ISPConfig. The steps below cover ISPConfig 3.2.x, the current stable line at the time of writing.

Step 1: Sign in to ISPConfig

Open your ISPConfig panel in a browser. The default URL is the server hostname or IP on port 8080, for example:

https://your-server.example.com:8080/

Sign in with your admin or reseller account.

Step 2: Open the website you want to secure

  • In the top navigation, click Sites.
  • In the left sidebar, open the Websites section and click Websites.
  • Click the domain name you want the certificate for.

Step 3: Enable SSL on the website

On the website’s Domain tab, tick the SSL checkbox and click Save. ISPConfig only shows the SSL tab once this option is enabled, so if you don’t see the tab in step 4, this is what’s missing.

Leave the Let’s Encrypt SSL checkbox unticked for now. That option is for the free, automatic alternative covered later in this guide. If you tick it, ISPConfig will try to issue a Let’s Encrypt certificate instead of creating a CSR for a paid CA.

Step 4: Open the SSL tab and fill in the CSR fields

Click the SSL tab on the same website. Fill in each field with the legal details of the organization that owns the domain. Certificate Authorities use these values for validation, so they must match official records (Articles of Incorporation, government registration, and so on):

  • State: the full state or province name where your organization is legally registered (for example, California, not CA).
  • Locality: the city or town where your organization is legally registered, spelled out in full.
  • Organization: the exact legal name of your company, for example Example LLC. For a Domain Validation (DV) certificate, you can enter the domain name or a personal name; for OV or EV, this must match official registration records exactly.
  • Organization Unit: leave this field blank. The OU field has been deprecated by the CA/Browser Forum and many CAs strip it during issuance.
  • Country: pick the two-letter country code of your organization’s legal address from the drop-down (for example, US, GB, DE).
  • Common Name (FQDN): the Fully Qualified Domain Name you want the certificate to protect. ISPConfig pre-selects the website’s main domain. For a wildcard certificate, pick the entry that starts with an asterisk, for example *.example.com. The wildcard form covers all first-level subdomains (such as shop.example.com and mail.example.com), but not the bare domain unless your CA explicitly includes it.

Double-check the values before you save. The CSR encodes them verbatim, and a single typo in the Organization or Common Name field means the CA will reject the order and you’ll have to start over.

Step 5: Set SSL Action to Create Certificate and save

  • Scroll down to the SSL Action drop-down at the bottom of the SSL tab.
  • Select Create Certificate.
  • Click Save.

ISPConfig now generates the private key and the CSR in the background. Processing usually takes a few seconds. Reload the page or reopen the website’s SSL tab once it returns.

Step 6: Copy the CSR from the SSL Request field

After saving, return to the SSL tab. The SSL Request text area now contains your CSR and the SSL Key field below it contains the matching private key. Select the entire SSL Request block, including the header and footer lines, and copy it. The CSR looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
... (many lines of base64-encoded data) ...
wIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA==
-----END CERTIFICATE REQUEST-----

Paste the entire block (header and footer included) into the CSR field on the Certificate Authority’s order form when you check out. Leave the website open in ISPConfig; you’ll come back to this same SSL tab to install the issued certificate.

Protect the private key

The private key is half of your certificate. Without it the issued certificate cannot serve HTTPS, and anyone who copies it can impersonate your site for as long as the certificate is valid. A few rules:

  • Never send the private key to the Certificate Authority. You only submit the CSR. The CA never needs the key, and any CA that asks for it is doing something wrong.
  • Don’t edit or replace the SSL Key field until your certificate is issued. The certificate the CA returns only works with the exact key that was generated alongside the CSR. If you overwrite it, the certificate will be unusable and you’ll have to reissue.
  • Back the key up. If you have SSH access, ISPConfig stores the private key on disk at /var/www/yourdomain.com/ssl/yourdomain.com.key and the CSR at /var/www/yourdomain.com/ssl/yourdomain.com.csr. Keep both in a private location with restricted permissions and don’t commit them to a code repository.

Once the CA issues the certificate, return to the SSL tab and paste the certificate and CA bundle into the matching fields with SSL Action set to Save Certificate. Step-by-step instructions are in our guide on how to install an SSL certificate on ISPConfig.

Verify the CSR before you submit

Before you paste the CSR into the order form, decode it and confirm every field is what you expect. A CSR with a typo in the Common Name or Organization will be rejected by the CA after you’ve already paid for the order. Two ways to check it:

  • Paste the CSR into our free CSR Decoder. It returns the Common Name, Organization, Country, key type, and key size in a readable format.
  • If you have SSH access to the server, run OpenSSL directly against the file:
openssl req -in /var/www/yourdomain.com/ssl/yourdomain.com.csr -noout -text

Check the Subject line for your CN, O, ST, L, and C values, and the Public-Key line for the key size (RSA 2048 or higher is the modern minimum).

Let’s Encrypt alternative (no CSR required)

ISPConfig 3.2 and newer have Let’s Encrypt built in. If you only need Domain Validation and don’t care about a warranty, this is the simplest path: there’s no CSR to generate, no certificate files to paste, and no manual renewal. To enable it:

  • Open Sites > Websites and click the domain.
  • On the Domain tab, tick both the SSL checkbox and the Let’s Encrypt SSL checkbox.
  • Click Save.

Before you enable it, make sure the domain (and any aliases or subdomains you ticked under the website) already resolves to this server in DNS and that port 80 is reachable from the public internet. Let’s Encrypt validates the domain over HTTP before issuing the certificate, so issuance fails if the name doesn’t yet resolve to the server or if a firewall blocks port 80. Let’s Encrypt certificates are valid for 90 days, and ISPConfig renews them automatically before they expire.

Use a paid certificate from a commercial CA when you need Organization or Extended Validation, a wildcard from a commercial CA, a longer-lived deployment, or a warranty backing the issuance. Otherwise, Let’s Encrypt is a good default.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.