bg-tutorials

How to Generate a CSR in Ubuntu

This tutorial shows you how to generate a CSR on Ubuntu, specifically on an Ubuntu-based Apache server reached over SSH. Ubuntu uses OpenSSL for this, so you run two things in one command: a new private key and the matching CSR (Certificate Signing Request). You can pass the subject details as flags, which keeps the whole process to a single, copy-pasteable line.

The steps below work on every supported Ubuntu release (22.04, 24.04, and 26.04 LTS), since each ships with OpenSSL 3.x. They also work on older releases such as 20.04, which shipped OpenSSL 1.1.1, though 20.04 has reached the end of its standard support. Modern OpenSSL signs the request with SHA-256 by default, so you do not need to add a digest flag.

Step 1: Access your Ubuntu server

Connect to the server over SSH from your local machine (Terminal on macOS or Linux, PowerShell or Windows Terminal on Windows). Replace the user name and host with your own:

ssh your-user@your-ubuntu-server

Generate the CSR on the same server that will host the certificate. The private key is created next to the CSR and must stay on that server, so running these commands locally and then copying the key around defeats the purpose.

Step 2: Generate the private key and CSR

Run the following command. It creates a 2048-bit RSA key and a CSR in one step, with the subject and Subject Alternative Names (SANs) supplied inline so OpenSSL does not stop to ask questions:

openssl req -new -newkey rsa:2048 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"

What each part does:

  • -newkey rsa:2048 generates a new 2048-bit RSA key. 2048-bit is the current minimum for public certificates; you can use rsa:4096 for a larger key, or switch to ECDSA (see below).
  • -nodes leaves the private key unencrypted so Apache can read it at startup without a passphrase prompt.
  • -keyout and -out name the private key and the CSR files.
  • -subj supplies the certificate subject. Put your real company name, state, and city here, not the placeholders. CN (Common Name) is your primary domain.
  • -addext “subjectAltName=…” lists every hostname the certificate must cover. Public CAs validate against the SAN list, so include the Common Name here too.

Replace yourdomain.com with your actual domain throughout. To cover extra hostnames, add them to the SAN list separated by commas, for example DNS:api.yourdomain.com. For a wildcard, include both the wildcard and the bare domain: DNS:*.yourdomain.com,DNS:yourdomain.com.

If you prefer an ECDSA key (smaller and faster, with P-256 widely supported), generate the key and CSR like this instead:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"

Step 3: Locate your files

List the current directory to confirm both files were created:

ls

You should see two new files:

  • yourdomain.key: your private key. Keep it on the server, back it up securely, and never send it to anyone, including the Certificate Authority. Whoever holds the key can impersonate your site.
  • yourdomain.csr: your Certificate Signing Request. This is the file you submit to the SSL provider.

Step 4: Verify the CSR (optional but recommended)

Before you submit it, check that the CSR contains the right subject and SANs and that its signature is valid. This decodes the request locally with OpenSSL:

openssl req -noout -text -verify -in yourdomain.csr

Confirm that the Subject line shows your details, that X509v3 Subject Alternative Name lists every hostname you expect, and that the signature check prints verify OK. The signature algorithm should read sha256WithRSAEncryption (or ecdsa-with-SHA256 for an ECDSA key). If you would rather not use the command line, paste the CSR into our online CSR decoder to read the same fields in a browser.

Step 5: Submit your CSR

To copy the CSR for your order, print its contents:

cat yourdomain.csr

You will see a block of text like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIBozCB... (a long string of characters)
-----END CERTIFICATE REQUEST-----

Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (each marker has five hyphens on either side). That whole block is your CSR. Paste it into the order form during your purchase, and keep the matching private key in place on the server.

If you would rather not use the command line, you can also build the request with our online CSR Generator. Note that it generates the private key in your browser, so save that key yourself and move it to the server.

After your CA validates the CSR and issues the certificate, continue with the Ubuntu SSL installation instructions.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.