How to generate a private key and CSR from the command line

The creation of a private key and CSR (Certificate Signing Request) via the command line is explained in this article. If you wish to get an SSL certificate for a system—like a dedicated server or unmanaged virtual private server—that does not have cPanel access, you might have to do this.

If your account includes cPanel or Plesk access, you do not have to follow the procedure below. Instead, you can use the SSL/TLS Manager in cPanel or the SSL/TLS Certificates tool in Plesk to generate a private key and CSR. For cPanel instructions, please see this article. For Plesk instructions, please see this article.Table of Contents

• Generating a private key and CSR

Generating a private key and CSR

To generate a private key and CSR from the command line, follow these steps:

1. Log in to your account using SSH.
2. At the command prompt, type the following command:Copyopenssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csrThis command creates a private key file named server.key and a CSR named server.csr. You can change these filenames to anything you want.
3. At the Country Name prompt, type the two-letter country code for your location, and then press Enter.
   Make sure you use the correct two-letter country code (for example, US or FR). For a complete list of these codes, please visit http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm.
4. At the State or Province Name prompt, type the appropriate response for your location, and then press Enter.
5. At the Locality Name prompt, type the town or city name for your location, and then press Enter.
6. At the Organization Name prompt, type your company or organization name, and then press Enter.
7. At the Organizational Unit Name prompt, type the appropriate response for your organization, and then press Enter. Alternatively, to leave this field blank, just press Enter.
8. At the Common Name prompt, type the domain name that you want to secure with the SSL certificate, and then press Enter.
   The common name is often simply your domain name, such as example.com. Or, if you are going to install an SSL certificate for a subdomain, subdomain.example.com. However, if you are going to install a wildcard certificate, make sure that you use *.example.com, where example.com represents your domain name.
9. At the Email Address prompt, type the e-mail address that you want to associate with the certificate, and then press Enter.
10. At the Challenge password prompt, press Enter.
11. At the Optional company name prompt, press Enter.
12. OpenSSL generates the private key and CSR files. If you typed the command in step 2 exactly as shown, the files are named server.key and server.csr. You can now send the text in the server.csr file to the signing authority to obtain your certificate. (Do not send the information in your private key!)
    You can view and verify the information contained in the CSR. To do this, type the following command:
    Copyopenssl req -noout -text -in server.csr