
How to generate a CSR with OpenSSL
==================================

### [\#Security](https://rocketeersapp.com/knowledge/security)

A CSR (Certificate Signing Request) is the file you send to a certificate authority to request an SSL certificate. Here is how to generate one, and its private key, with openssl.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read

1. [What a CSR contains](#content-what-a-csr-contains)
2. [Generate a private key and CSR](#content-generate-a-private-key-and-csr)
3. [Generate a CSR with Subject Alternative Names (SAN)](#content-generate-a-csr-with-subject-alternative-names-san)
4. [Generate a CSR from an existing key](#content-generate-a-csr-from-an-existing-key)
5. [Verify the CSR before sending it](#content-verify-the-csr-before-sending-it)

What a CSR contains
-------------------

A Certificate Signing Request bundles the details of the certificate you want (your domain name and organisation info) with your **public** key, and the whole request is signed by your **private** key. The CA uses it to issue a certificate. The private key that is generated alongside the CSR stays with you and is never sent to the CA.

Generate a private key and CSR
------------------------------

This single command creates a new 2048-bit RSA private key and a matching CSR:

```
openssl req -new -newkey rsa:2048 -nodes \
  -keyout domain.key -out domain.csr
```

You'll be prompted for the certificate details. The important one is **Common Name** — it must be the exact domain you're securing, for example `www.example.com`.

`-nodes` leaves the private key unencrypted, which is what web servers expect. Two files result:

- `domain.key` — your private key. Keep it safe; you'll need it to install the certificate.
- `domain.csr` — the request to send to your CA.

Generate a CSR with Subject Alternative Names (SAN)
---------------------------------------------------

Modern certificates should list every hostname under SAN, not just the Common Name. Pass them inline:

```
openssl req -new -newkey rsa:2048 -nodes \
  -keyout domain.key -out domain.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
```

Generate a CSR from an existing key
-----------------------------------

If you already have a private key and just need a new request (for a renewal, say):

```
openssl req -new -key domain.key -out domain.csr
```

Verify the CSR before sending it
--------------------------------

Always check the request decodes correctly and lists the right names:

```
openssl req -in domain.csr -noout -text
```
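
The same check can be scripted so that a request built from the wrong key, or one missing a hostname, is caught before it goes to the CA. This is an added example, not code from the original article; the function names, file paths and hostnames are assumptions made for illustration, and it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not from the article: checks to run on a CSR before sending it.
# Assumes OpenSSL 1.1.1+ (for -addext); file names and hostnames are constructed.

# Succeeds if the CSR's self-signature verifies. Matches the output text
# rather than relying on the exit status alone.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds if the public key in the CSR ($1) belongs to the private key ($2).
csr_matches_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Prints the DNS names from the CSR's subjectAltName, sorted, one per line.
csr_san_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | sort
}

# Succeeds only if every hostname given after the CSR path is in the SAN list.
csr_has_names() {
  csr=$1; shift
  sans=$(csr_san_names "$csr")
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$name" || return 1
  done
}

# Runs all three checks, prints one line per failure, returns non-zero on any.
check_csr() {
  c_csr=$1; c_key=$2; shift 2
  rc=0
  csr_signature_ok "$c_csr" || { echo "FAIL: self-signature does not verify"; rc=1; }
  csr_matches_key "$c_csr" "$c_key" || { echo "FAIL: CSR was not made from this key"; rc=1; }
  csr_has_names "$c_csr" "$@" || { echo "FAIL: expected hostname missing from SAN"; rc=1; }
  return $rc
}

# Constructed sample run: build a SAN request in a scratch directory and check it.
demo_dir=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
  -keyout "$demo_dir/domain.key" -out "$demo_dir/domain.csr" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
check_csr "$demo_dir/domain.csr" "$demo_dir/domain.key" example.com www.example.com \
  && echo "CSR OK"
rm -rf "$demo_dir"
```

The key comparison matters most when generating a CSR from an existing key for a renewal, where it is easy to point at the wrong `.key` file.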

Once your CA returns the signed certificate, you may need to [convert it to another format](/convert-ssl-certificate-formats) and make sure you serve the [complete certificate chain](/what-is-an-ssl-certificate-chain). For local development where you don't need a CA at all, generate a [self-signed certificate](/generate-self-signed-certificate-openssl) instead.

