Generating a Certificate Signing Request (CSR)

With OpenSSL

The SCC provides a CSR generator for creating certificate signing requests (CSRs) with OpenSSL. It simplifies the process, especially if you apply for server certificates frequently or need to include additional alternative DNS names in the request.

Entries shown in bold are mandatory. Entries shown in bold italics must be replaced with your own names.
Fields that should not be filled in (e.g. the e-mail address) must be left blank by entering a dot at the OpenSSL prompt.

When creating a server certificate request, the complete server name (FQDN) must be entered at the prompt Common Name (eg, YOUR name) [].
The certificate must no longer contain an e-mail address.

  1. Open a shell
  2. Change to a directory where you want to temporarily store the CSR and the private key
  3. Enter the following command and answer the queries:

openssl req -nodes -newkey rsa:4096 -keyout servername.key -out servername.csr

Generating a 4096 bit RSA private key
......+++
..........................................+++
writing new private key to 'servername.key'

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Weimar
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bauhaus-Universitaet Weimar
Organizational Unit Name (eg, section) []:Bereichsname
Common Name (eg, YOUR name) []:servername.uni-weimar.de
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Executing this OpenSSL command creates two files:

  • servername.key: contains the private key, which must be stored securely (the -nodes option writes it to disk unencrypted)
  • servername.csr: contains the Certificate Signing Request; download this and submit it via the web interface;
    the subscriber service (TS) in the SCC releases it after checking your details and your authorisation to request the certificate

The content of the request can be listed for checking with the command openssl req -noout -text -in servername.csr.
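
The rules stated on this page (FQDN in Common Name, no e-mail address, no challenge password, 4096-bit RSA key) can be checked automatically before the CSR is submitted. The script below is an added example, not SCC tooling; check_csr and make_sample_csr are hypothetical helper names, and the sample request is constructed with -subj instead of the interactive prompts.

```shell
#!/bin/sh
# Added example, not SCC tooling: check a CSR against this page's rules.
# check_csr and make_sample_csr are hypothetical helper names.

# Usage: check_csr FILE.csr EXPECTED_FQDN; returns 0 only if all checks pass.
check_csr() {
    csr=$1; fqdn=$2; rc=0
    # Long field names, one per line, so each value can be matched exactly.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null) ||
        { echo "FAIL: $csr is not a readable CSR"; return 1; }
    text=$(openssl req -in "$csr" -noout -text)

    # The self-signature shows the request was made with the matching private key.
    # Match the message rather than rely on the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify"; rc=1; }

    cn=$(printf '%s\n' "$subject" | sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] ||
        { echo "FAIL: Common Name is '$cn', expected '$fqdn'"; rc=1; }

    # The page requires that the request carries no e-mail address.
    if printf '%s\n' "$subject" | grep -q '^ *emailAddress'; then
        echo "FAIL: subject contains an e-mail address"; rc=1
    fi
    # A challenge password would be readable by anyone who sees the CSR.
    if printf '%s\n' "$text" | grep -q 'challengePassword'; then
        echo "FAIL: challenge password attribute is set"; rc=1
    fi
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' ||
        { echo "FAIL: key is not 4096 bit"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $csr"
    return "$rc"
}

# Constructed sample input: the page's command made non-interactive with -subj.
# $1 = output directory, $2 = RSA key size, $3 = subject string.
make_sample_csr() {
    openssl req -nodes -newkey "rsa:$2" -keyout "$1/servername.key" \
        -out "$1/servername.csr" -subj "$3" 2>/dev/null
}

# Stand-alone use: sh check_csr.sh servername.csr servername.uni-weimar.de
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```
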

You will receive an e-mail with links to download the completed certificate.