How to generate a CSR with OpenSSL

A CSR (Certificate Signing Request) is the file you send to a certificate authority to request an SSL certificate. Here is how to generate one, and its private key, with openssl.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. What a CSR contains
  2. Generate a private key and CSR
  3. Generate a CSR with Subject Alternative Names (SAN)
  4. Generate a CSR from an existing key
  5. Verify the CSR before sending it

What a CSR contains

A Certificate Signing Request bundles the details of the certificate you want (your domain name and organisation info) with your public key, all signed by your private key. The CA uses it to issue a certificate. The private key generated alongside the CSR stays with you and is never sent to the CA.

Generate a private key and CSR

This single command creates a new 2048-bit private key and a matching CSR:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout domain.key -out domain.csr

You'll be prompted for the certificate details. The important one is Common Name — it must be the exact domain you're securing, for example www.example.com.

-nodes leaves the private key unencrypted (no passphrase), which is what web servers expect. Two files result:

  • domain.key — your private key. Keep it safe; you'll need it to install the certificate.
  • domain.csr — the request to send to your CA.

Generate a CSR with Subject Alternative Names (SAN)

Modern certificates should list every hostname under SAN, not just the Common Name. Pass them inline:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout domain.key -out domain.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

Generate a CSR from an existing key

If you already have a private key and just need a new request (for a renewal, say):

openssl req -new -key domain.key -out domain.csr

Verify the CSR before sending it

Always check the request decodes correctly and lists the right names:

openssl req -in domain.csr -noout -text
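
The checks in this section can be scripted before a request goes to the CA. The following is an added example, not part of the original article: it verifies the CSR's self-signature, confirms the CSR was built from the key you hold, requires each expected hostname as an exact SAN entry, and confirms the unencrypted key is readable by its owner only. The function names (check_csr, pub_hash, demo) and the temporary file layout are assumptions; the hostnames are the article's sample values.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR and its private key.
# Function names and temp paths are assumptions; hostnames are sample values.

# SHA-256 of a PEM public key read from stdin (hashed in DER form).
pub_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# check_csr CSR KEY NAME...  -> returns 0 only if every check passes.
check_csr() {
  csr=$1; key=$2; shift 2
  # 1. The CSR's self-signature must verify (proves possession of the key).
  #    Match the message text: older openssl exits 0 even on verify failure.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "FAIL: CSR signature does not verify" >&2; return 1; }
  # 2. The public key in the CSR must belong to the private key we hold.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | pub_hash)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | pub_hash)
  [ "$csr_pub" = "$key_pub" ] ||
    { echo "FAIL: CSR was not generated from $key" >&2; return 1; }
  # 3. Every expected hostname must appear as an exact DNS SAN entry.
  sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' | tr -d ' ')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "DNS:$name" ||
      { echo "FAIL: missing SAN DNS:$name" >&2; return 1; }
  done
  # 4. -nodes leaves the key unencrypted, so only the owner may read it.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $key is accessible by group or others" >&2; return 1; }
  echo "OK: $csr"
}

# Demo: build a throwaway key and CSR with the SAN command from the article.
demo() {
  dir=$(mktemp -d) || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/domain.key" -out "$dir/domain.csr" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
  chmod 600 "$dir/domain.key"
  check_csr "$dir/domain.csr" "$dir/domain.key" example.com www.example.com
  rc=$?; rm -rf "$dir"; return $rc
}
demo
```

For your own request, call check_csr domain.csr domain.key followed by every hostname the certificate must cover.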

Once your CA returns the signed certificate, you may need to convert it to another format and make sure you serve the complete certificate chain. For local development where you don't need a CA at all, generate a self-signed certificate instead.
