Generate SSL key and CSR with OpenSSL

It is really easy to generate SSL key and CSR using OpenSSL, and the next several steps will guide you trough the process.

If you are on Linux server, OpenSSL can be downloaded from here: OpenSSL source – or you can use your package management software like YUM install or apt-get. For Windows users, you can use: Win32OpenSSL.

Once you have OpenSSL installed, we can generate SSL certificate key

openssl genrsa -rand /var/log/messages:/var/log/messages.1:/var/log/messages.10.gz -out www.freetutorialssubmit.com 2048

The following will appear:

2199 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++
………………………………………………………………………………………………………………..+++
e is 65537 (0x10001)

The above command will generate SSL key using ‘-rand’ option with few big files for sources and 2048 encryption. The reason of using some big files with ‘-rand’ option is because there are no absolute random generation with computers – but that is different story. Recently the minimum allowed encryption by the SSL issuers is 2048 bits so make sure you will generate your key with this number or with 4096 bit SSL key.

There is another command which can be used :

openssl genrsa -des3 -out www.freetutorialssubmit.com.key 2048

After executing it, the output will be:

Generating RSA private key, 2048 bit long modulus
…………………………………………..+++
………………………………………………..+++
e is 65537 (0x10001)
Enter pass phrase for www.freetutorialssubmit.com.key:
Verifying – Enter pass phrase for www.freetutorialssubmit.com.key:

When you generate SSL key with this command will require password, which is good when the key is transported, but once set on a Web Server it will ask for a password every time it is restarted. If you have chosen this method, the next command will remove the SSL key password.

openssl rsa –in ww.freetutorialssubmit.com.key -out ww.freetutorialssubmit.com.no_key

If you open the SSL key file it should be similar to this one:

—–BEGIN RSA PRIVATE KEY—–
MIIEowIBAAKCAQEAxw/rAvWL8H2T+y9ysEZ+dimX0tcnmOLpsKiw+y8UxJL7xmij
tK/mQuXmlKsAKX28V3NdgWf0EDGkax3TgbAArt8KouynTZs1cP/0hC1wmyC7Y285
NXwSbi/RNZG1thwUg5m0JFrwExPtC6yFz5dPUb/RpwqZ5gRlPSfdK8vC3DVgBwcR
B2cr7TEy9G98UQEg1ZphHb+8BN8huhy5h4CeHvGtqAdRe9u7o8kP1ZJ2sTsfQjW8
WDQp+DvZXMC20rv+TmE2OsR3qsc9ytrpcZEJsMaXeInhSj64jvI5aS9B4jNnEHK2
Km/wGqqZ9sbg3a6YQaLY+oa+04t40uZB+/AEAwIDAQABAoIBAGeJ+AtJ/MfSCa6V
N2pIwG5lo/qevpHfNP4WQDfmfT7h1OOWec/5ziLtwcmCSEtMgzJZZ0Fv+JqTt5mf
oevKyBAtIzMrNLpBCMMF3wEBQZjupYlKyM7xAgUeCgt7BrD6WhE5WWGviz/hFWMF
EXSwlylGRJ5F/VaO4rm0im3FRk2S6pu1aV2MXDGBMV6bTM2FblJ47wenBY2zy8YC
tLkG5EoFiLH8fSvyLsiqEaGANXs+sBLFNcokDQVhuwmZcl8h4eUrPW/fB5wzyM3z
5SH8K8Gx2AcfU5ovwu+YV2vIDy5hy98iJwTsG13YWTruB8nDhQ0DcAqRAdkCJdPb
f1Utn0ECgYEA64BDx8ynjE3fVMPCpHyMGtmX9r8hCW3W2Pc78VFvaX8UfxaqFHrH
vMfaJrjCaI9Kebf80eT/MgF7r0wMPjuJN/TlOdTzpvcrWBDD3ipcnv6rvGNoYoYk
7ihPleTvqLyD3albpT1luXtPbMZmPTogpY4ycuWcuaC2bis8XpMdKl0CgYEA2GOt
FBjCrKz6QABlYfJ68UHyqc85XS5c/FOAZMBInonND2PYSbzkc7Fj7cWfhLRDWgI4
2f43vRMtgaL3MJxVUB6grNQmEoZX6NaIVNTsVoZihJ7WrOVcFItRx1pv0e8vnCP+
7Yu/SqyqfSFsVZjGffY+fpv3NGf5CcTK2SF4wd8CgYAJUkBcjisrkIGAd2ci35Mk
FOzA5XvHRcO1PsPun0yLnm4PQbRlrx5syHRICBQZ02IdQz0MicXYEtr0a0wowm6B
+n2ANn+WYj4i9DbsejzERkxB3qVpEOoxSwMraa5avWtywJtSBQYbu1e/dHLjhYN5
ShGRHql/Z28RGUEAdU44OQKBgQDCqDALkxaVFWptZq3NBb95BnVQMp0M6Oc3CbrH
Z34sOBRi0tO/yY/NT3dwbsXIMA0ijDsuRxVHHlhidQJfFVNdpp+tuY6iPX4Zc9vi
TERqtassWGMP16gUxxuC9SUAOmWe1Xa/pGYpu9gGhqmY+r0clQa1CILB/wI1unUs
DINACwKBgAPLLSKkbwB8xS86F8ukmmLTHSaQJrVl5CMUdJDaz+6tnjwuuiNBjgiV
3/d0Kd8BKUsnJyHU2zHVtW1RhrvWLJAL2kBFASTnQTb3Ggw26fnIhz1nevu+e0AM
shzXKHZVqH6gnUNdOTIZIMypdp5cDqlLR80U0quD+/K3CHB032p3
—–END RSA PRIVATE KEY—–

Now to generate CSR from a key use OpenSSL with this options:

openssl req -new -key www.freetutorialssubmit.com.key -out www.freetutorialssubmit.com.csr

You will be asked few questions for the certificate:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Diego
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freetuts Ltd.
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:www.freetutorialssubmit.com
Email Address []:admin@freetutorialssubmit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

When you are ready with the CSR information, and you open the CSR file, it should look similar to this:

—–BEGIN CERTIFICATE REQUEST—–
MIIC+zCCAeMCAQAwgbUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRIwEAYDVQQHEwlTYW4gRGllZ28xFjAUBgNVBAoTDUZyZWVUdXRzIEx0ZC4xETAP
BgNVBAsTCFNlY3VyaXR5MSQwIgYDVQQDExt3d3cuZnJlZXR1dG9yaWFsc3N1Ym1p
dC5jb20xLDAqBgkqhkiG9w0BCQEWHWFkbWluQGZyZWV0dXRvcmlhbHNzdWJtaXQu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxw/rAvWL8H2T+y9y
sEZ+dimX0tcnmOLpsKiw+y8UxJL7xmijtK/mQuXmlKsAKX28V3NdgWf0EDGkax3T
gbAArt8KouynTZs1cP/0hC1wmyC7Y285NXwSbi/RNZG1thwUg5m0JFrwExPtC6yF
z5dPUb/RpwqZ5gRlPSfdK8vC3DVgBwcRB2cr7TEy9G98UQEg1ZphHb+8BN8huhy5
h4CeHvGtqAdRe9u7o8kP1ZJ2sTsfQjW8WDQp+DvZXMC20rv+TmE2OsR3qsc9ytrp
cZEJsMaXeInhSj64jvI5aS9B4jNnEHK2Km/wGqqZ9sbg3a6YQaLY+oa+04t40uZB
+/AEAwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAA+j9DGYVSPthNn/zwy43kFv
bcXborvJXbU0AxJwFlHkMnHd5kCzX7lxWnca7KRTbyYsWgE8gPyTgdajPp7iCdpa
L5lIciGtlnhOo6AXvKG8SV92En37YBY5geNDRYFbyQuLkC2lXKdTuHUoxck4QKPV
57nHQzckCc2bma8sbC0evo2upxt2XK3yGWB+PQHF1GlkXg1emx/Xmen/7DMoudbR
tcBY1EwCqRfoYT3dieYII9+4NwmZ3OCPHDNx68k8jBatY5EWIMxMUCZv7hRwUPoX
WFC7+kIAheXb/eul6kbIW0olTblXH+jPGUPwh2MSIEXKZTubpQLeZP/fWTuiWao=
—–END CERTIFICATE REQUEST—–

Now provide the CSR to a certificate issuer and wait for the SSL approval message.

Most SSL issuers have service that relies upon the Subscriber or the Subscriber’s authorized administrator to approve all certificate requests for all hosts in the domain. It is important that you will select a correct authorized administrator email. By selecting an authorized administrator, you warrant to the certificate issuer that the individual is authorized to approve the request. The request for SSL server certificate will not be processed beyond this point if you select an incorrect email address.
This part is important and it is a part of the SSL certificate issue process. Its purpose is to avoid someone else to have a certificate issued for your domain.

Be peppered with the following allowed e-mails:
Registered Domain Contacts – This is when the SSL issuer has successfully obtained domain contacts for this domain from the domain registrar. This will be the

Registered Domain Admin contact
Registered Domain Tech contact

Alternate Approval Email Addresses can be used, but you must make sure that such e-mail account has been set up and is available before you provide the CSR, or the approval email will not be delivered.

Level 2 Domain Addresses as bellow are allowed: