bg-tutorials

How to Generate the CSR on Red Hat Linux

This guide shows you how to generate a CSR (Certificate Signing Request) on Red Hat Enterprise Linux using the OpenSSL command line. The process produces two files:

  • A private key, which stays on your server and is never shared.
  • A CSR, which you send to your Certificate Authority (CA) when you order the certificate.

It covers two approaches: a single-command method for modern OpenSSL, and a config-file method for older OpenSSL versions that do not support inline extensions. Both produce a SAN-compliant CSR signed with SHA-256, which is what public CAs require.

Before you start: check your OpenSSL version

OpenSSL is included by default on every supported RHEL release. Confirm it is present and check the version, because the version decides which method below you can use:

openssl version

What ships with each current Red Hat release:

  • RHEL 10 (released 2025, the current major version): OpenSSL 3.x
  • RHEL 9: OpenSSL 3.x
  • RHEL 8: OpenSSL 1.1.1
  • RHEL 7: OpenSSL 1.0.2 (RHEL 7 reached end of maintenance support in 2024; move these workloads to a supported release when you can)

OpenSSL 1.1.1 and 3.x support the inline extension flag used in the one-command method, so on RHEL 8, 9, and 10 you can use Option A below. If openssl version reports 1.0.2 or older (RHEL 7), use the config-file method in Option B.

If OpenSSL is somehow missing, install it with the package manager for your release:

# RHEL 8, 9, and 10
sudo dnf install openssl
# RHEL 7
sudo yum install openssl

On RHEL 8 and later, yum is a compatibility alias for dnf, so either command works on those versions.

Option A: one command (OpenSSL 1.1.1 and 3.x)

This is the quickest path on RHEL 8, 9, and 10. It generates the private key first, then builds the CSR with the Subject Alternative Names (SANs) added inline.

Step 1: Generate the private key

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key

This creates a 2048-bit RSA private key named example.com.key in the current directory. 2048-bit RSA is the minimum accepted by public CAs; for a modern elliptic-curve key instead, replace the algorithm options with -algorithm EC -pkeyopt ec_paramgen_curve:P-256. Keep this file private: it stays on your server and is never sent to the CA.

Step 2: Create the CSR with SANs

Run the following command, adjusting the subject fields and domain names to match your own:

openssl req -new -sha256 -key example.com.key -out example.com.csr \
-subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.com"

Replace example.com with your actual domain throughout, and set the subject fields to your details:

  • C: two-letter country code (for example, US).
  • ST: full state or province name.
  • L: city or locality.
  • O: legal organization name (for a single-domain DV certificate this can be left out).
  • CN: the primary fully qualified domain name, for example www.example.com.

List every host name the certificate must cover in the subjectAltName value. Modern browsers validate against the SAN list, not the Common Name, so include each name there, including the primary domain. The command writes the CSR to example.com.csr.

Option B: config file method (older OpenSSL)

If openssl version reports a build that does not support the -addext flag (OpenSSL 1.0.2 and older, as on RHEL 7), define the SANs in a small configuration file instead.

Step 1: Create a config file (san.cnf)

Create a file named san.cnf with a text editor and paste in the following, editing the values for your domain and organization:

[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = US
ST = California
L = San Jose
O = Your Company LLC
CN = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com

Add more host names by continuing the numbering: DNS.3, DNS.4, and so on.

Step 2: Generate the key and CSR

Generate the private key:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key

Then create the CSR using the config file:

openssl req -new -sha256 -key example.com.key -out example.com.csr -config san.cnf

Verify the CSR

Before you submit it, confirm the CSR contains the right details and a valid signature. This command prints the subject, the SAN list, the key size, and verifies the request’s self-signature:

openssl req -noout -text -verify -in example.com.csr

Check that the Subject line and the X509v3 Subject Alternative Name entries list every domain you expect, that the public key is at least 2048-bit RSA (or a P-256 elliptic-curve key), and that the signature algorithm is SHA-256. A line reading certificate request self-signature verify OK (older builds say verify OK) means the CSR and private key match. If you prefer a browser, paste the CSR into our online CSR decoder to review the same details.

Submit the CSR

Open the example.com.csr file in a text editor and copy its entire contents, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- marker lines (each marker uses five hyphens on either side). Paste the whole block into the order form when you request the certificate from your SSL vendor.

Keep the private key, example.com.key, on the server. Do not send it to the CA or paste it anywhere: it is the secret half of the pair and must never leave your control. After the CA validates the CSR and issues the certificate, follow our Red Hat Linux SSL installation instructions to install it.

Frequently Asked Questions

Where is the private key stored when I generate a CSR on RHEL?

The private key is written to the file you name in the -out option (for example, example.com.key) in the directory where you ran the command. It is created locally and never included in the CSR. Back it up somewhere safe and restrict its permissions, because you need this exact key to install the certificate the CA issues.

Should I use RSA or ECDSA for the key?

Both are accepted. 2048-bit RSA is the widely compatible default and the minimum public CAs allow. An elliptic-curve key (ECDSA P-256) is smaller and faster while offering equivalent security; generate one by replacing the key options with -algorithm EC -pkeyopt ec_paramgen_curve:P-256. Either way, the CSR must be signed with SHA-256, which the commands above already do.

My OpenSSL version does not support -addext. What do I do?

The -addext flag was added in OpenSSL 1.1.1. If you are on an older build (OpenSSL 1.0.2 on RHEL 7, for example), use the config-file method in Option B, which defines the Subject Alternative Names in a san.cnf file instead of on the command line.

How do I check that my CSR is correct before ordering?

Run openssl req -noout -text -verify -in example.com.csr on the server. It prints the subject, the full SAN list, the key type and size, and the signature algorithm, and it confirms that the CSR matches its private key. Review those fields before you paste the CSR into the order form.

Which part of the CSR do I paste into the order form?

Paste the entire block, from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- inclusive, with no characters left out. Both marker lines use five hyphens on each side. Do not paste the private key.

Does this work the same on AlmaLinux, Rocky Linux, and CentOS?

Yes. AlmaLinux, Rocky Linux, and CentOS Stream are binary-compatible with the matching RHEL release and ship the same OpenSSL, so the commands are identical. We also have a dedicated tutorial on how to generate a CSR on CentOS if you need it.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.