bg-tutorials

How to Generate a CSR on PRTG Network Monitor

This guide shows you how to generate a CSR (Certificate Signing Request) for PRTG Network Monitor on Windows. PRTG (current 2026 line: version 26.x) has no built-in CSR tool, so you build the request and matching private key on the PRTG core server (or any Windows workstation) with OpenSSL, then submit the request to your Certificate Authority. When the CA returns the issued certificate, you import three exactly-named files into the PRTG cert folder during installation.

Before you start, decide where to run OpenSSL. The CSR is portable, so either machine works. Running it on the PRTG core server itself is convenient because the resulting private key never has to move between hosts.

Generate a CSR for PRTG Network Monitor with OpenSSL

If you already generated your CSR somewhere else and only need to install the issued certificate, skip to how to install an SSL certificate on PRTG Network Monitor.

Step 1: Install OpenSSL for Windows

Windows does not ship OpenSSL. Download the Win64 OpenSSL Light installer from Shining Light Productions, the most widely used community build. The Light package contains only the command-line binaries, which is all you need to make a CSR. If the installer prompts for a Microsoft Visual C++ Redistributable, install it from Microsoft first.

Accept the default install path (C:\Program Files\OpenSSL-Win64) and place the OpenSSL binaries in the Windows bin folder when asked. On 32-bit hosts pick the Win32 build into C:\Program Files (x86)\OpenSSL-Win32 instead. If you prefer not to install at all, you can also run OpenSSL inside WSL or from Git for Windows, both of which bundle the binary.

Step 2: Open a Command Prompt in the OpenSSL bin folder

Press Win + R, type cmd, and press Enter to open a Command Prompt. Then change into the OpenSSL bin directory:

cd "C:\Program Files\OpenSSL-Win64\bin"

The quotes around the path matter because Program Files contains a space. On 32-bit installs, use C:\Program Files (x86)\OpenSSL-Win32\bin instead.

Step 3: Run the OpenSSL command to generate the CSR and private key

Run the following command. It creates a 2048-bit RSA private key and a SHA-256 PKCS #10 CSR in the current folder, named to match the file names PRTG itself expects later (prtg.key for the key, prtg.csr for the request):

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout prtg.key -out prtg.csr

What each flag does:

  • -new: build a new request.
  • -newkey rsa:2048: generate a fresh 2048-bit RSA private key alongside the request. This is the current minimum every public CA accepts; pick rsa:3072 or rsa:4096 if your policy requires a larger key.
  • -nodes: do not encrypt the private key with a passphrase. PRTG needs an unencrypted key at runtime; using -nodes here saves you a decrypt step later.
  • -sha256: sign the request with SHA-256. Modern OpenSSL uses SHA-256 by default, but stating it explicitly is harmless and guards against older builds that still default to SHA-1.
  • -keyout prtg.key and -out prtg.csr: write the key and CSR to those file names in the current folder.

Why name them prtg.key / prtg.csr now? When you install the issued certificate, PRTG only reads three files from its cert folder, each with an exact name: prtg.crt (server certificate), prtg.key (private key), and root.pem (issuer chain). Naming the key prtg.key at generation time means one less rename later.

Step 4: Fill in the Distinguished Name prompts

OpenSSL asks for the subject details that go into the CSR. Use only standard ASCII characters; non-Latin letters break the request. The examples below are placeholders; substitute your own values:

  • Country Name (2 letter code): your two-letter ISO country code, for example US, GB, DE.
  • State or Province Name (full name): the full state or province name, for example Florida (not FL).
  • Locality Name (eg, city): the city where your organization is registered, written in full, for example Orlando.
  • Organization Name (eg, company): the full legal name of your company, exactly as registered. Required for OV and EV certificates. For Domain Validation (DV) certificates, the field is ignored.
  • Organizational Unit Name (eg, section): a department label such as IT or Network Operations. The CA/Browser Forum has phased this attribute out for public certificates, so leave it minimal or press Enter to skip.
  • Common Name (eg, FQDN): the fully qualified domain name clients use to reach the PRTG web interface, for example prtg.example.com. For a wildcard certificate, use *.example.com.
  • Email Address: a valid contact address for the certificate request. Leave blank if your CA does not require it.
  • A challenge password and An optional company name: press Enter to leave both blank. These are legacy attributes that public CAs ignore.

When the command finishes, you have two files in your working folder:

  • prtg.key: your unencrypted RSA private key. Keep it on the PRTG server only and never share or commit it anywhere.
  • prtg.csr: the Certificate Signing Request you submit to your CA.

A note on Subject Alternative Names (SAN)

The interactive prompts above only collect the Common Name. Modern browsers and TLS clients validate the hostname against the Subject Alternative Name extension and ignore the Common Name for trust decisions. Public CAs work around this by copying the CN into a SAN entry for single-name orders, so a single-hostname CSR built this way still works.

If you need more than one hostname on the same certificate (for example prtg.example.com and monitor.example.com, or a multi-domain certificate), the interactive flow cannot encode them. Three options:

  • On OpenSSL 1.1.1 or newer, add the names inline with -addext. Append -addext "subjectAltName = DNS:prtg.example.com, DNS:monitor.example.com" to the openssl req command above — no config file needed.
  • Add a small OpenSSL config file that lists the SAN entries, then point openssl req at it with -config and -extensions v3_req. The config sets subjectAltName under a [v3_req] section, for example subjectAltName = DNS:prtg.example.com, DNS:monitor.example.com.
  • Generate the CSR off-server with our CSR Generator, which builds a SAN-aware request from a single form.

Verify the CSR before you submit it

It is worth confirming the Common Name, key size, and signature algorithm before sending the request to your CA. From the same OpenSSL prompt:

openssl req -noout -text -in prtg.csr

You should see the subject line you entered, a 2048-bit RSA public key, and Signature Algorithm: sha256WithRSAEncryption. To check it online instead, paste the CSR contents into our CSR Decoder and read back the same fields.

Copy the CSR and submit it to the CA

Open prtg.csr in Notepad (or any text editor). You will see a block that begins with five hyphens, the words BEGIN CERTIFICATE REQUEST, five more hyphens, then base64 text, then a matching END line:

-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRAw
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

Select the entire block (including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, the five hyphens on each side, and every line in between), copy it, and paste it into the CSR field on your CA’s order form.

When the CA validates the request and issues your certificate, continue with how to install an SSL certificate on PRTG Network Monitor. Plan ahead for two specifics PRTG enforces at install time: the three files must be named exactly prtg.crt, prtg.key, and root.pem, and the PEM files must use Windows (CRLF) line endings or the PRTG Core Server service will refuse to start.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.