bg-tutorials

How to Generate a CSR on a Nutanix Cluster

This guide shows you how to generate a CSR (Certificate Signing Request) for a Nutanix cluster, the request you send to your Certificate Authority to get a trusted SSL/TLS certificate for Prism Element (single-cluster console) and Prism Central (multi-cluster console). Prism does not include a built-in CSR wizard, so you generate the request and the matching private key off the cluster with OpenSSL, submit the CSR to the CA, then import the issued certificate back into Prism.

Nutanix accepts an RSA 2048 key signed with SHA-256, or an ECDSA 256 (P-256) or ECDSA 384 (P-384) key. Pick one of these key types when you generate the CSR, otherwise the import in Prism will fail. The steps below cover Windows (OpenSSL on Windows) and Linux/macOS, and they apply to current AOS releases (AOS 6.x and AOS 7.x) and Prism Central 2024.x / 2025.x.

Before you start

  • OpenSSL 1.1.1 or newer on the workstation where you will run the commands. macOS and most Linux distributions ship it. On Windows, install a maintained build (for example the Win64 OpenSSL package from Shining Light Productions), then open a fresh terminal so the new openssl command is on your PATH.
  • The exact fully qualified domain name (FQDN) users will type into their browser to reach Prism, for example prism.example.com. If you have more than one name (an FQDN plus a short hostname, or several cluster VIPs behind one certificate), list every name you need so you can add them all as Subject Alternative Names.
  • Your organization details: legal organization name, locality (city), state or province, and the two-letter ISO country code. These are required for OV/EV certificates and are validated by the CA against public records.

Generate the CSR with OpenSSL (one command, with SAN)

This is the fastest way and works on Windows, Linux, and macOS as long as you have OpenSSL 1.1.1 or newer. It produces a 2048-bit RSA key and a CSR with the Common Name set, the SAN extension populated, and SHA-256 as the signing hash.

Step 1: Run the OpenSSL command

Open a terminal (Command Prompt or PowerShell on Windows, Terminal on macOS/Linux), change to the folder where you want the key and CSR saved, and run:

openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout prism.example.com.key \
  -out prism.example.com.csr \
  -subj "/C=US/ST=California/L=San Jose/O=Example Inc/CN=prism.example.com" \
  -addext "subjectAltName=DNS:prism.example.com,DNS:prism"

On Windows Command Prompt, write the command on one line (drop the backslash line continuations). What each flag does:

  • -newkey rsa:2048 generates a fresh 2048-bit RSA key pair. Stick with 2048: Nutanix lists RSA 2048 as the supported RSA size in the Private Key Type drop-down, and customers have reported import failures with RSA 4096 keys on Prism Central. If you need a stronger key, use ECDSA P-256 or P-384 instead (both are supported).
  • -nodes writes the private key without a passphrase. Prism imports an unencrypted PEM key, so this saves you a removal step later.
  • -sha256 signs the CSR with SHA-256. SHA-1 is not accepted by any public CA.
  • -subj sets the Distinguished Name in one line. Replace each value with your own. Use the two-letter ISO country code (US, GB, DE). The Organizational Unit (OU) field is deprecated for public certificates and can be omitted.
  • -addext “subjectAltName=DNS:…” writes the Subject Alternative Name extension into the CSR. List every hostname clients will use, separated by commas, each prefixed with DNS:. Browsers ignore the Common Name and only match against the SAN, so this list is what actually appears on the certificate.

To generate an ECDSA key instead of RSA, replace the -newkey argument:

# ECDSA P-256 (Nutanix "ECDSA 256")
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
  -keyout prism.example.com.key -out prism.example.com.csr \
  -subj "/C=US/ST=California/L=San Jose/O=Example Inc/CN=prism.example.com" \
  -addext "subjectAltName=DNS:prism.example.com,DNS:prism"

# ECDSA P-384 (Nutanix "ECDSA 384") - use -sha384 to match the curve
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -sha384 \
  -keyout prism.example.com.key -out prism.example.com.csr \
  -subj "/C=US/ST=California/L=San Jose/O=Example Inc/CN=prism.example.com" \
  -addext "subjectAltName=DNS:prism.example.com,DNS:prism"

The -pkeyopt ec_paramgen_curve: form works on every platform and shell — Linux, macOS, and both Command Prompt and PowerShell on Windows — with no separate parameter file. (On older OpenSSL builds that lack this option, generate the curve parameters first with openssl ecparam -name prime256v1 -out ec.param and pass -newkey ec:ec.param instead.)

Step 2: Confirm the two files were created

OpenSSL writes two files in the current folder:

  • prism.example.com.key, the private key. Keep this file secret and back it up safely. Prism imports it during installation, and you cannot recover it from the certificate alone.
  • prism.example.com.csr, the CSR you send to the CA.

Step 3: Inspect the CSR before you submit it

It is worth a quick check that the Common Name, every SAN entry, and the key size came out right. On the same machine:

openssl req -noout -text -in prism.example.com.csr

Look for the Subject: line and a X509v3 Subject Alternative Name: block that lists every hostname you need. If you prefer a browser-based check, paste the CSR contents into SSL Dragon’s CSR Decoder and confirm the same details.

Step 4: Submit the CSR to the Certificate Authority

Open prism.example.com.csr in any text editor. You will see a block that begins and ends like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

Select the entire block, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, copy it, and paste it into the CSR field on your order form. The CA validates the request, issues the certificate, and emails you a bundle that contains your server certificate plus one or more intermediate (and root) CA certificates.

Alternative: use an OpenSSL config file

If you would rather keep the request parameters in a file (handy when you reissue the same certificate or need to add a long list of SANs), put this into a file called nutanix.cnf:

[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = US
ST = California
L  = San Jose
O  = Example Inc
CN = prism.example.com

[ v3_req ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
subjectAltName       = @alt_names

[ alt_names ]
DNS.1 = prism.example.com
DNS.2 = prism

Replace the values under [ req_dn ] with your own, and add one DNS.n line per hostname under [ alt_names ]. Then generate the key and CSR in one go:

openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -keyout prism.example.com.key \
  -out prism.example.com.csr \
  -config nutanix.cnf

The output is identical to the single-command method above: a 2048-bit RSA key, and a CSR with your subject and every SAN encoded. Inspect it with openssl req -noout -text -in prism.example.com.csr before sending it.

After the CA issues your certificate

The CA returns the issued server certificate and the chain (one or more intermediate certificates and the root CA). Prism imports three files:

  • Private Key: the .key file you generated with OpenSSL, unencrypted PEM.
  • Public Certificate: your issued server certificate in PEM format (often delivered with a .crt or .pem extension).
  • CA Certificate/Chain: a single PEM file with all intermediate certificates plus the root CA, concatenated in order, with the root CA last. Prism gives you only one field for the chain, so combine everything into one file.

For the full installation flow (UI path in Prism Element and Prism Central, Private Key Type selection, and the brief web-service restart after import), follow our how to install an SSL certificate on a Nutanix cluster guide. To check the live certificate after import, scan the Prism URL with the SSL Checker (if Prism is on an internal network, run the check from inside that network or inspect the certificate in your browser).

Prefer a web form? Use our CSR Generator

If you would rather not run OpenSSL, our CSR Generator builds an equivalent CSR and private key from a single form. Choose RSA 2048, ECDSA P-256, or ECDSA P-384 so the output matches what Nutanix accepts, fill in your subject and SAN list, then download the key and CSR. Save the key file the same way you would the OpenSSL output: Prism cannot reissue or recover it.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.