bg-tutorials

How to Generate a CSR on Virtualmin

This tutorial shows you how to generate a CSR (Certificate Signing Request) on Virtualmin, the open-source hosting control panel that runs on top of Webmin.

The graphical form does the work for you: it builds a 2048-bit (or larger) RSA private key on the server, writes a PKCS #10 request with your subject and any Subject Alternative Names, and stores both files under your virtual server’s ssl/ directory. You then submit the CSR to your Certificate Authority and the matching private key never leaves the server.

The steps below cover Virtualmin 7.x (the current stable line), which uses the Manage SSL Certificate page for the virtual server certificate and the built-in Let’s Encrypt integration. If your virtual server is brand new, generate the CSR before you place the order; if you already have a CSR and a certificate from a previous order, skip ahead to installing the certificate on Virtualmin.

Step 1: Sign in to Virtualmin and select the virtual server

Open Virtualmin in your browser (the default URL is the Webmin port on your server):

https://yourserver.example.com:10000

Sign in as root or as a Virtualmin master administrator. In the top-left drop-down (the virtual server selector), pick the domain you want to secure. Virtualmin scopes every configuration page to the selected virtual server, so the CSR you build in the next step belongs to that domain and is written to its own ssl/ directory.

If you need a certificate for the Virtualmin panel itself (the login page on port 10000), generate it from Webmin and then Webmin Configuration and then SSL Encryption instead, following our guide on how to generate a CSR on Webmin. The rest of this guide covers the website certificate, which is the common case.

Step 2: Open the Signing Request tab

With the right virtual server selected in the drop-down, go to Server Configuration and then Manage SSL Certificate. The page that opens has a row of tabs across the top. Open the Signing Request tab (older Virtualmin 6 builds label it Create Signing Request).

The same form is also reachable from Manage Virtual Server and then Setup SSL Certificate and then Create Signing Request. Either entry point opens the same dialog.

Step 3: Fill in the CSR details

Complete the form using only standard ASCII characters; non-Latin letters and accented characters will break the request at most CAs.

  • Server name: the Fully Qualified Domain Name (FQDN) you want to secure, for example www.example.com. Virtualmin pre-fills the box with the virtual server’s domain; change it if you want the certificate to cover a different hostname (for instance, the bare apex or a subdomain). For a wildcard, put an asterisk in front of the apex: *.example.com. This value goes into the certificate’s Common Name.
  • Email address: a working contact mailbox. Some CAs use it for validation notices; it does not appear in the issued certificate.
  • Department (Organizational Unit): leave it blank. The CA/Browser Forum has phased the OU attribute out of publicly trusted certificates, so any value you enter here is stripped during issuance.
  • Organization: the full legal name of your company, exactly as registered, for example Your Company LLC. Required for Organization Validation (OV) and Extended Validation (EV) certificates. For Domain Validation (DV) certificates, the field is not validated, so a short placeholder is fine if you do not have a registered entity.
  • City or Location: the city where your organization is registered, written in full (for example Los Angeles, not LA).
  • State: the full state or province name (for example California), no abbreviations.
  • Country: the two-letter ISO 3166-1 code for your country (for example US, GB, DE).
  • Key size: 2048 bits is the current minimum every public CA accepts and the safe default. Pick 3072 or 4096 only if your policy requires a larger key; the trade-off is a slightly slower TLS handshake.
  • Alternate hostnames (Subject Alternative Names): list every extra hostname the certificate must cover, one per line or space-separated. Always include the apex if your Common Name is www.example.com (so the certificate covers example.com too), and include the www variant if your Common Name is the apex. Modern browsers ignore the Common Name and validate against the SAN list only, so leaving this empty produces a certificate that browsers will not trust for any extra hostnames.

Review every field. The CA will reject a CSR that does not match its validation data, and a CSR with a typo means generating and submitting a new one.

Step 4: Generate the CSR

Click Generate CSR Now. Virtualmin creates the private key and the matching CSR on the server and prints both to the screen. The CSR looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC4DCCAcgCAQAwgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

The private key is displayed below the CSR in a separate box, framed by —–BEGIN PRIVATE KEY—– and —–END PRIVATE KEY—– lines. You do not need to copy it: Virtualmin already saved it to the server. Behind the scenes, both files are written under the virtual server’s home directory, typically:

/home/<user>/domains/<yourdomain>/ssl.csr
/home/<user>/domains/<yourdomain>/ssl.key

Leave the private key in place. The CA never sees it, and Virtualmin will pair it automatically with the issued certificate when you install the issued certificate on the Update Certificate and Key tab.

Step 5: Copy the CSR and submit it to the CA

Select the full CSR block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (each marker has five hyphens on either side). Copy it and paste it into the CSR field on your SSL order form. The CA reads the subject, the SAN list, and the public key from the request, then issues a certificate that matches.

Before you submit, it is worth confirming the request contains the values you intended. Paste the CSR text into our CSR decoder to read back the Common Name, the SAN list, the key size, and the signature algorithm in a browser. Confirm the Common Name matches the hostname your visitors use and that every required name appears under the Subject Alternative Name list. Catching a typo here saves a reissue cycle later.

Alternative: skip the CSR with Virtualmin’s Let’s Encrypt integration

If a free Domain Validation certificate is all you need, you can skip the manual CSR step entirely. Virtualmin ships with a built-in Let’s Encrypt client that requests, installs, and auto-renews the certificate without any manual file handling.

  • On the same Server Configuration and then Manage SSL Certificate page, open the SSL Providers tab (older builds label it Let’s Encrypt).
  • Pick the domains to cover under Request certificate for, add extras under Domain names listed here, and tick Also request wildcard certificate if Virtualmin manages your DNS and you want all subdomains in one certificate.
  • Leave Automatically renew certificate enabled. Let’s Encrypt certificates are valid for 90 days, and auto-renewal keeps them current with no manual work.
  • Click Request Certificate. Issuance takes a few seconds to a few minutes, after which Virtualmin installs the certificate on the virtual server automatically.

Let’s Encrypt issues Domain Validation certificates only. If you need Organization Validation, Extended Validation, a longer warranty, or dedicated support, use the manual CSR flow above and order from a commercial CA.

After the CA issues your certificate

Once the Certificate Authority validates the CSR and emails your issued certificate, return to Manage SSL Certificate and paste the signed certificate on the Update Certificate and Key tab, then paste the intermediate chain on the CA Certificate tab. Full step-by-step coverage is in our how to install an SSL certificate on Virtualmin guide. After that, use the Copy to … buttons on the same page to apply the certificate to Webmin, Usermin, Postfix, Dovecot, and ProFTPd so the panel and mail services present the same trusted certificate as the website.

If you would rather avoid the panel and build the CSR off-server in your browser, our CSR Generator produces a SAN-capable PKCS #10 request from a single form. The trade-off is that the private key is generated alongside the CSR in your browser, so download and save the key yourself and move it to the server before you complete the install.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.