This guide shows you how to generate a CSR (Certificate Signing Request) on Proxmox VE. Because Proxmox Virtual Environment is built on Debian, you create the CSR from the command line over SSH using the OpenSSL utility, which ships pre-installed on every node. The process is the same on Proxmox VE 8.x and the newer 9.x series.
A CSR is the encoded request you send to a Certificate Authority (CA) when you order an SSL/TLS certificate. Generating one also creates a matching private key. The key stays on the Proxmox node and is never sent to the CA, so keep it safe: a certificate only works with the exact key it was paired with.
Manual CSR vs. the built-in ACME client
Proxmox VE includes a built-in ACME client (accounts under Datacenter > ACME, with domains added per node under Node > Certificates) that can request and auto-renew free certificates from Let’s Encrypt. If you only need to secure the Proxmox web interface and a publicly reachable host name, that automated route is the simpler choice and it renews on its own.
You still generate a CSR by hand when you are buying a certificate from a commercial CA, when you need a type ACME does not issue (for example, an Organization Validation, Extended Validation, or wildcard certificate), or when an internal policy requires you to control the key and the request yourself. The rest of this tutorial covers that manual flow.
Step 1: Create the CSR and private key
Connect to your Proxmox node over SSH (or open the Shell console in the Proxmox web interface). OpenSSL is already installed. If for some reason it is missing, install it first:
sudo apt-get update && sudo apt-get install openssl
At the prompt, run the following command to generate the CSR and its private key in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr -addext "subjectAltName=DNS:mywebsite.com,DNS:www.mywebsite.com"
Replace mywebsite with a name that identifies your domain so the files are easy to recognize later. Here is what each part of the command does:
- req -new creates a new certificate request.
- -newkey rsa:2048 generates a new 2048-bit RSA private key. RSA 2048 is the current minimum for public certificates; you can use rsa:4096 for a larger key, or switch to a modern elliptic-curve key (see the FAQ below).
- -nodes leaves the private key unencrypted so the Proxmox service can read it at startup without prompting for a passphrase.
- -keyout mywebsite.key writes the private key. Keep this file on the node and never share it.
- -out mywebsite.csr writes the CSR you will submit to the CA.
Modern OpenSSL signs the request with SHA-256 by default, which is what every public CA requires. There is no need to add an older digest flag.
Step 2: Provide the required information about your domain and company
OpenSSL then prompts you for the details that make up the certificate’s Distinguished Name. Answer each one:
- Country Name: the official two-letter code of your country, for example US.
- State or Province: the full name of the state or province where your company is registered, for example Alabama.
- City or Locality: the full name of the city where your company is located, for example Mobile.
- Organization Name: the full legal name of your company, for example Your Company LLC. For a Domain Validation (DV) certificate, you can leave this blank.
- Organizational Unit Name: leave this blank. It is deprecated for public SSL/TLS certificates and CAs strip it out.
- Common Name: the fully qualified domain name (FQDN) you want to secure, for example proxmox.yoursite.com. For a Wildcard certificate, put an asterisk in front of the domain, for example *.yoursite.com.
- Email Address: a valid email address (optional for most CAs).
- A challenge password: leave this blank. It is a legacy field that public CAs ignore.
- An optional company name: leave this blank.
OpenSSL now writes the CSR and the private key to the directory you ran the command from. List the files to confirm they were created:
ls
You should see mywebsite.key and mywebsite.csr (or whatever name you chose).
Step 3: Verify the CSR before you submit it
Before sending the request to a CA, check that the details are correct and the signature is valid. A typo in the Common Name means a reissue, so this 10-second check is worth it:
openssl req -noout -text -verify -in mywebsite.csr
Confirm that the Subject line shows the right Common Name and organization details, that the public key is the size you expect, and that OpenSSL reports the self-signature as verified. If you would rather review the request in a browser, paste it into our CSR decoder, which shows the same decoded fields online.
Step 4: Submit the CSR to your Certificate Authority
Open the CSR file in any text editor:
cat mywebsite.csr
During the SSL order process, copy the entire contents of the file, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, and paste it into the CSR box on your SSL vendor’s website. Leave out either marker line, or any of the five hyphens on each side, and the CA will reject the request.
After the CA validates the CSR and issues your certificate, follow our Proxmox SSL installation instructions to install it on the node. You will pair the issued certificate with the mywebsite.key file that stayed on the server.
Frequently Asked Questions
The private key is written to whatever directory you ran the OpenSSL command from, under the file name you passed to -keyout (for example mywebsite.key). It never leaves the node and is never sent to the CA. Keep it secure and back it up, because the issued certificate only works with this exact key.
Yes. Elliptic-curve (ECDSA) keys are smaller and faster than RSA at the same security level and are supported by all major CAs. Generate the key and CSR in one command:openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout mywebsite.key -out mywebsite.csr -addext "subjectAltName=DNS:mywebsite.com,DNS:www.mywebsite.com"
The prime256v1 curve (also called P-256) is a safe default. The rest of the process, including the prompts in Step 2, is identical.
No. For a free Let’s Encrypt certificate on a publicly reachable host name, the built-in ACME client under Datacenter > ACME handles the request and renews it automatically, with no manual CSR. Generate a CSR by hand when you are buying from a commercial CA, or when you need an OV, EV, or wildcard certificate that the default ACME setup does not issue.
Run openssl req -noout -text -in mywebsite.csr to print the decoded fields (Subject, key size, and any Subject Alternative Names) directly on the node. Add the -verify flag to also confirm the self-signature is valid before you submit the request.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


