
Generating a CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku

To activate an SSL certificate, you need to submit a CSR (Certificate Signing Request) on our site. A CSR is a block of encoded text containing information about your company and domain name. By default, the OpenSSL configuration for a CSR asks for the following details:

  • Common Name (the domain name certificate should be issued for)
  • Country (two-letter code)
  • State (or province)
  • Locality (or city)
  • Organization
  • Organizational Unit (Department)
  • E-mail address

On Apache and Nginx web servers, the CSR is usually generated with openssl, which is normally included with the web server by default. If you already have a web server installed, you will rarely need to install openssl separately.

To generate a CSR, run the command below in a terminal:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

We recommend you replace 'server' with the domain name the certificate will be issued for to avoid further confusion.

The command starts the process of CSR and Private Key generation. The Private Key will be required for certificate installation.

You will be prompted to fill in the information about your Company and domain name.

It is strongly recommended to fill in all the required fields. If a field is left blank, the CSR can be rejected during activation. For certificates with domain validation it is not mandatory to specify 'Organization' and 'Organizational Unit'; you may fill these fields with 'NA' instead. In the Common Name field, enter the domain name the certificate should be issued for.

Please use only English alphanumeric characters. Otherwise the CSR can be rejected by a Certificate Authority.

If the certificate should be issued for a specific subdomain, you need to specify the subdomain in 'Common Name'. For example 'sub1.ssl-certificate-host.com'.

For Wildcard certificates, the domain name should start with an asterisk, as in '*.ssl-certificate-host.com'.

Once all the requested information is filled in, you should have *.csr and *.key files in the folder where the command has been run.

NOTE: To generate the CSR code with the "Street address" value included, add the 'Subject' ('-subj') option with the corresponding data to the command as follows:


openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=HK/ST=Hong Kong/L=Hong Kong/O=My Company Ltd./OU=IT/CN=zbtest.tube/Street=Example Road 1"

The *.csr file contains the CSR code that you need to submit during certificate activation. It can be opened with a text editor. It usually looks like a block of code with the header '-----BEGIN CERTIFICATE REQUEST-----'. It is recommended to submit the CSR with its header and footer.

The *.key file is the Private Key, which will be used for decryption during SSL/TLS session establishment between a server and a client. It has the following header: '-----BEGIN RSA PRIVATE KEY-----'. Please make sure that the private key is saved, as it will be impossible to install the certificate on the server afterwards without it.
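
The steps above can be scripted and the result checked before submission. The following is an added example, not part of the original article: it generates the key and CSR without prompts, then confirms that the CSR has its header, is validly self-signed, matches the private key and carries the expected Common Name. The function names make_csr and check_csr, the domain example.com and the subject values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). example.com and the
# subject values are placeholders; use your own domain and details.

# make_csr DOMAIN DIR: write DIR/DOMAIN.key and DIR/DOMAIN.csr without prompts.
make_csr() {
    # -nodes leaves the key unencrypted on disk, so create it under a
    # restrictive umask: only the owning user can read it.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/C=HK/ST=Hong Kong/L=Hong Kong/O=NA/OU=NA/CN=$1" 2>/dev/null
    )
}

# check_csr CSR KEY EXPECTED_CN: return 0 only if every check passes.
check_csr() {
    # 1. PEM header present (submit the CSR with header and footer).
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE REQUEST-----" ] || {
        echo "missing CSR header" >&2; return 1; }
    # 2. Self-signature is valid. Match on the message because some
    #    OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "CSR signature invalid" >&2; return 2; }
    # 3. The CSR carries the public half of this private key.
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || {
        echo "CSR does not match private key" >&2; return 3; }
    # 4. Common Name is the domain the certificate is wanted for.
    #    RFC2253 output is comma-separated; the appended comma lets a
    #    CN in last position match as well.
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253),
    case "$subject" in
        *"CN=$3,"*) return 0 ;;
        *) echo "unexpected Common Name" >&2; return 4 ;;
    esac
}

# Usage: sh csr.sh example.com /path/to/dir
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$2/$1.csr" "$2/$1.key" "$1" && echo "CSR OK"
fi
```

A non-zero return from check_csr identifies which check failed (1 header, 2 signature, 3 key mismatch, 4 Common Name).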