Run the following command (where key_name.key is the name of the
unique key that you are creating and csr_name.csr is
the name of your
$ openssl req -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr
After entering the command, you are prompted to enter several pieces of
information, which are the certificate's X.509 attributes.
The Common Name
field must be filled in with the
fully qualified domain name of the server to be protected by SSL. If you are
generating a certificate for an organization outside of the US
for a list
of 2-letter, ISO country codes.
Generating a 1024 bit RSA private key
writing new private key to 'my_key_name.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) :Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) :Your_Department
Common Name (i.e., your server's hostname) :secure.yourwebsite.com
Email Address :firstname.lastname@example.org
are prompted to enter "extra" attributes, including an optional challenge
password. Manually entering a challenge password when starting the server
can be problematic in some situations (for example, when starting the server
from the system boot scripts). You can skip entering values for any extra
attribute by hitting the "enter"
Enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
finalizing the attributes, the private key and CSR will be saved to your
Important: If you make a mistake when
running the OpenSSL command, you may discard the generated files and run the
command again. After successfully generating your key and Certificate
Signing Request, be sure to guard your private key, as it cannot be