Skip to main content

How to Create a Certificate Signing Request (CSR)

This page describes how to create a certificate signing request (CSR) suitable for submission to Stanford's certificate vendor. If you want to create a self-signed certificate, see the How to Create a Self-Signed certificate page. The process described below will result in two files: a private key file and certificate signing request (CSR) file. (Note: the commands described below have been tested only on a Linux server.)

  1. The requester must be listed as a user, administrator, or administrative group member in the host name's NetDB record. See Requirements.
  2. Run the  following command to generate the private key (which you must keep secret) and the certificate signing request (CSR): 
    openssl req -new -nodes -newkey rsa:2048 -keyout private.key -out public.csr
  3. When you run the above command you will  need to supply some parameters for the certificate's subject. The most important of these is the "Common Name" which is the name of your service, e.g., "www.stanford.edu", "axess.stanford.edu". Here are the suggested answers:
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: California
    Locality Name (eg, city) []: Stanford
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Stanford University
    Organizational Unit Name (eg, section) []: <your organization's name>
    Common Name (e.g. server FQDN or YOUR name) []: myservice.stanford.edu (or whatever your service is called)
    Email Address []: <leave blank>
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: <leave blank>
    An optional company name []: <leave blank>
    
  4. If you are requesting a free certificate from Stanford's certificate vendor, take the csr file public.csr and submit it at certificate.stanford.edu.
  5. Do not lose the private key (private.key); once you have the certificate you will need both the certificate and the private key file to properly secure your application.
  6. You should keep the CSR file: it is useful in case you want to renew the certificate without changing your private key.
Last modified