This tutorial shows you how to generate a CSR (Certificate Signing Request) on Webmin. Webmin is a browser-based control panel for Linux servers, so you have two practical ways to create the CSR: through Webmin’s built-in SSL modules (a graphical form for the Webmin panel itself or for an Apache virtual host) or with the OpenSSL command line through Webmin’s built-in terminal. The OpenSSL route is the most flexible and produces a key and CSR you can use with any web server (Apache, Nginx, Lighttpd, or anything else Webmin manages).
The steps below assume modern Webmin 2.x and OpenSSL 3.x, which are the current versions on every supported Linux distribution in 2026 (Ubuntu 22.04 / 24.04 / 26.04, Debian 12 and 13, RHEL 9 and 10, Rocky 9 and 10, AlmaLinux 9 and 10, openSUSE Leap 15.6 and Tumbleweed). The output is a standard PEM-encoded CSR signed with SHA-256, which any public Certificate Authority accepts.
Step 1: Log in to Webmin
Open Webmin in a browser at the URL of your server on port 10000:
https://yourwebsite.com:10000
Replace yourwebsite.com with your server’s hostname or IP address. Port 10000 is the default Webmin port. Sign in with the root account or a Webmin user that has permission to manage SSL.
Step 2: Open the Webmin terminal
Webmin 2.x ships with a built-in terminal you can use without opening a separate SSH session. In the left pane, just below the Refresh Modules link, click the Terminal icon (second icon from the left), or press Alt + K to open it. A shell prompt appears, running as the user you signed in with.
If you prefer a direct SSH connection from your own machine, connect to the same server and run the command in the next step there instead. The result is identical.
Step 3: Generate the private key and CSR with OpenSSL
In the terminal, run the command below. It creates a 2048-bit RSA key and a matching CSR in one step, with the subject and Subject Alternative Names (SANs) supplied inline so OpenSSL does not stop to ask interactive questions:
sudo openssl req -new -newkey rsa:2048 -noenc \
-keyout /etc/ssl/private/yourwebsite.com.key \
-out /etc/ssl/private/yourwebsite.com.csr \
-subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=yourwebsite.com" \
-addext "subjectAltName=DNS:yourwebsite.com,DNS:www.yourwebsite.com"
On Debian and Ubuntu, the /etc/ssl/private/ directory already exists. On RHEL, Rocky, AlmaLinux, and Fedora, the convention is /etc/pki/tls/private/ for keys and /etc/pki/tls/certs/ for the CSR. Pick paths your web server can read, or save the files in your home directory and move them later. If the target directory does not exist, create it first with sudo mkdir -p /etc/ssl/private.
What each part of the command does:
- -newkey rsa:2048 generates a new 2048-bit RSA key. 2048-bit is the current minimum for public certificates. Use rsa:4096 for a larger key, or switch to ECDSA (see below).
- -noenc leaves the private key unencrypted so the web server can read it at startup without a passphrase prompt. (On OpenSSL 1.x the equivalent flag is -nodes; both still work in OpenSSL 3.x.)
- -keyout and -out name the private key file and the CSR file.
- -subj supplies the certificate subject inline. Replace the example values with your real details:
- C: two-letter country code where your organization is legally registered (for example, US).
- ST: full state or province name (for example, California), no abbreviations.
- L: full city or town name (for example, San Jose).
- O: legal organization name. For a Domain Validation (DV) certificate, leave it out or set it to your domain.
- CN: Fully Qualified Domain Name (FQDN) of the site you want to secure (for example, yourwebsite.com).
- -addext “subjectAltName=…” lists every hostname the certificate must cover. Public CAs validate against the SAN list, so include the Common Name here as well. For a wildcard, include both the wildcard and the apex: DNS:*.yourwebsite.com,DNS:yourwebsite.com. Wildcards cover one subdomain level and do not match the apex on their own.
If you prefer an ECDSA key (smaller and faster, with P-256 widely supported), use this variant instead:
sudo openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -noenc \
-keyout /etc/ssl/private/yourwebsite.com.key \
-out /etc/ssl/private/yourwebsite.com.csr \
-subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=yourwebsite.com" \
-addext "subjectAltName=DNS:yourwebsite.com,DNS:www.yourwebsite.com"
The backslash at the end of each line is a shell line continuation, so the command stays one logical instruction split across several lines for readability. If your terminal does not handle the multi-line form well, paste the whole command on a single line.
Step 4: Protect the private key
List the directory to confirm both files were created:
sudo ls -l /etc/ssl/private/yourwebsite.com.*
You should see two new files:
- yourwebsite.com.key: the private key. It must stay on the server, must never be sent to the Certificate Authority, and must never be emailed or pasted into any form. Whoever holds the key can impersonate your site.
- yourwebsite.com.csr: the Certificate Signing Request. This is the only file you submit to the SSL provider.
Restrict permissions on the private key so only root can read it:
sudo chmod 600 /etc/ssl/private/yourwebsite.com.key
On distributions with SELinux enabled (RHEL, Rocky, AlmaLinux, Fedora), reapply the correct SELinux context after moving the key into its final location, for example sudo restorecon -Rv /etc/pki/tls/.
Step 5: Verify the CSR (optional but recommended)
Before you submit the CSR, confirm it contains the right subject and SANs and that its signature is valid:
openssl req -noout -text -verify -in /etc/ssl/private/yourwebsite.com.csr
Check that the Subject line matches your details, that X509v3 Subject Alternative Name lists every hostname you expect, and that the signature check prints verify OK. The signature algorithm should read sha256WithRSAEncryption (or ecdsa-with-SHA256 for an ECDSA key). If you would rather not use the command line, paste the CSR text into our online CSR decoder to read the same fields in a browser.
Step 6: Copy and submit the CSR
Print the CSR so you can copy it:
sudo cat /etc/ssl/private/yourwebsite.com.csr
You will see a block of text like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBozCB... (a long string of characters)
-----END CERTIFICATE REQUEST-----
Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (each marker has five hyphens on either side). Paste it into the order form when you purchase your SSL certificate, and leave the matching private key in place on the server.
Generate a CSR through Webmin’s graphical modules
If you would rather avoid the command line, Webmin includes two graphical forms that create a CSR for you. Pick the one that matches what the certificate is for.
For an Apache virtual host (your website)
- Go to Servers > Apache Webserver.
- Open the Global Configuration tab, click Configure Apache Modules, tick the ssl module, and click Enable Selected Modules if it is not already on.
- On the Existing virtual hosts tab, open the port 443 virtual host (or create one) by clicking its globe icon.
- On the Virtual Server Options page, choose SSL Options, then click Create signing request.
- Fill in the form (country, state, city, organization, common name, email, key size 2048 or higher, and any Subject Alternative Names), choose where Webmin should write the .csr and .key files, and click Create Now.
The two files appear at the paths you specified. Use the .csr for your order and keep the .key on the server.
For the Webmin panel itself (port 10000)
If you only need a certificate for the Webmin login interface, not for a website, generate the CSR from the Webmin configuration module:
- Go to Webmin > Webmin Configuration > SSL Encryption.
- Open the Create Signing Request tab.
- Fill in the host name (the public name you reach Webmin at), country, state, city, organization, email, and key size, then click Create.
Webmin writes the request and the matching key under /etc/webmin/. After the CA returns the issued certificate, install it from the same SSL Encryption page so it replaces the default /etc/webmin/miniserv.pem file.
After you receive the certificate
Once the Certificate Authority validates your CSR and issues the certificate, install it on the server. The exact steps depend on which service the certificate is for:
- Install an SSL certificate on Webmin (Apache through Webmin).
- Install an SSL certificate on Apache directly.
- Install an SSL certificate on Nginx if you serve sites with Nginx instead.
If you prefer a fully graphical workflow that runs in your browser, you can also build the CSR with our online CSR Generator. It generates the private key in your browser, so save the key yourself and move it to the server before you complete the install.
Frequently Asked Questions
Wherever you tell it to. With the OpenSSL command, the files are written to the paths you pass with -keyout and -out. With the Apache module’s Create signing request form, you choose the output paths in the form itself. With Webmin > Webmin Configuration > SSL Encryption, Webmin writes them under /etc/webmin/. On Debian and Ubuntu, the conventional place for keys is /etc/ssl/private/; on RHEL, Rocky, AlmaLinux, and Fedora it is /etc/pki/tls/private/.
Either works. Webmin’s built-in terminal (the icon in the left pane, or Alt + K) is convenient because you are already signed in, but the same OpenSSL command run over a normal SSH session produces an identical CSR and key. Use whichever you find easier.
They do the same thing: tell OpenSSL to leave the private key unencrypted on disk so the web server can read it at startup without a passphrase prompt. -nodes is the historical name and still works in OpenSSL 3.x. -noenc is the newer alias introduced in OpenSSL 3.0 and is the spelling preferred going forward. Use whichever your habit prefers.
Yes. A CSR is a standard PEM-encoded request defined by PKCS #10, and any CA can sign it regardless of where it was created. The CSR you generate in Webmin’s terminal, through the Apache module’s Create signing request form, or with our online CSR Generator all produce the same kind of file. What matters is that the private key created at the same time stays on the server you plan to install the certificate on.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


