How to create a CSR using OpenSSL

Creating a certificate signing request with OpenSSL prepares the public request that a certificate authority or internal PKI team needs before issuing a certificate. The private key stays on the server or workstation, while the CSR carries the subject, public key, and requested names that should appear in the final certificate.

The openssl req command creates and inspects PKCS#10 certificate requests. For a normal TLS server request, openssl req -new creates the request, -key names the existing private key that signs it, -subj supplies the subject distinguished name, and -addext adds requested X.509 extensions such as subjectAltName.

Modern TLS clients check Subject Alternative Name values rather than relying on the common name alone. Put every DNS name or IP address that clients must trust into the SAN extension, keep the private key out of tickets and CA portals, and inspect the completed CSR before submission because the issuer may still adjust, ignore, or reject requested extensions.

Steps to create a CSR using OpenSSL:

  1. Decide the exact subject and Subject Alternative Name entries required for the certificate.

    Use DNS: entries for hostnames such as www.example.com and IP: entries for literal IP addresses. A common name by itself is not enough for ordinary modern TLS server certificates.

  2. Check that OpenSSL can read the private key that will sign the request.
    $ openssl pkey -in www.example.com.key -noout -check
    Key is valid
  3. Create the CSR with the existing private key, subject, and SAN list.
    $ openssl req -new -key www.example.com.key -out www.example.com.csr \
      -subj "/C=US/ST=New York/L=New York/O=Example Corp/CN=www.example.com" \
      -addext "subjectAltName = DNS:www.example.com,DNS:example.com"

    Submit the www.example.com.csr file to the issuer. Do not send www.example.com.key or paste the private key into a certificate request form.

  4. Verify the CSR self-signature and subject before sending it.
    $ openssl req -in www.example.com.csr -noout -subject -verify
    Certificate request self-signature verify OK
    subject=C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com

    Self-signature verification confirms the CSR was signed with the private key that matches the embedded public key. It does not prove domain control, requester authorization, or CA approval.

  5. Inspect the requested extensions and signature details.
    $ openssl req -in www.example.com.csr -noout -text
    Certificate Request:
        Data:
            Version: 1 (0x0)
            Subject: C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
            Attributes:
                Requested Extensions:
                    X509v3 Subject Alternative Name:
                        DNS:www.example.com, DNS:example.com
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
    ##### snipped #####
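
The checks from steps 4 and 5, plus a comparison of the CSR's public key against the private key, combined into one pre-submission script. This is an added example, not part of the original page: `check_csr` and `make_demo_csr` are hypothetical helper names, the key and CSR are throwaway data generated in a temporary directory, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page. check_csr and make_demo_csr are
# hypothetical helper names; the key and CSR are throwaway, constructed data.

# check_csr CSR KEY NAME...  returns 0 only if every pre-submission check passes.
# NAME is written as `openssl req -text` prints it, e.g. DNS:www.example.com
check_csr() {
    csr=$1; key=$2; shift 2

    # 1. Self-signature. Match the message text rather than the exit status, so
    #    the result does not depend on how a given release reports failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }

    # 2. The public key embedded in the CSR must be the public half of KEY.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] ||
        { echo "FAIL: CSR public key does not match $key" >&2; return 1; }

    # 3. Each expected name must be a whole SAN entry, so DNS:example.com is
    #    not satisfied by DNS:www.example.com alone.
    san=$(openssl req -in "$csr" -noout -text 2>/dev/null | awk '
        /X509v3 Subject Alternative Name/ {
            getline; sub(/^ +/, ""); sub(/ +$/, ""); gsub(/, /, ","); print; exit
        }')
    for name in "$@"; do
        case ",$san," in
            *",$name,"*) ;;
            *) echo "FAIL: $name missing from SAN ($san)" >&2; return 1 ;;
        esac
    done
    echo "OK: $csr"
}

# Constructed sample: a throwaway RSA key and the CSR from step 3, written to DIR.
make_demo_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/www.example.com.key" 2>/dev/null &&
    openssl req -new -key "$1/www.example.com.key" -out "$1/www.example.com.csr" \
        -subj "/C=US/ST=New York/L=New York/O=Example Corp/CN=www.example.com" \
        -addext "subjectAltName = DNS:www.example.com,DNS:example.com"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_csr "$demo"
check_csr "$demo/www.example.com.csr" "$demo/www.example.com.key" \
    DNS:www.example.com DNS:example.com
```

A non-zero return means the CSR should not be submitted; the failing check is printed on stderr.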