How to Generate a CSR on CentOS 8

Published: September 24, 2020 (Updated: Sep 24, 2020)


Secure Your Server: The Ultimate Guide to Generating a Certificate Signing Request (CSR) on CentOS 8 (and Linux)

Welcome back to Darren’s Tech Tutorials! If you’re setting up a secure website, an encrypted mail server, or any service requiring an SSL/TLS certificate, you need to start with a Certificate Signing Request—or CSR.

The CSR is the document your server creates that contains essential information about your domain. You send this request to a Certificate Authority (CA), and they use it to generate your actual certificate file.

In this guide, we’re focusing on generating a robust, industry-standard CSR on CentOS 8 using the powerful OpenSSL utility. The great news? This process is essentially the same across nearly all modern Linux distributions! Let’s dive in and secure your server properly.


What is a CSR and Why Do I Need One?

A Certificate Signing Request (CSR) is a block of encoded text that contains your public key and the identifying information (such as your organization name and domain name) associated with your certificate.

When you generate a CSR, your server simultaneously creates two files:

  1. The CSR file (.csr): This contains the public key and is sent to the Certificate Authority.
  2. The Private Key file (.key): This file must remain secret and is stored securely on your server. It is used later to decrypt the encrypted traffic that the certificate handles.

We recommend using a 2048-bit RSA key for excellent security, which is exactly what we’ll configure below.

Step 1: Ensure OpenSSL is Installed

OpenSSL is the fundamental command-line tool for handling cryptography and SSL/TLS certificates on Linux. While it is often installed by default, it’s always best practice to ensure you have the latest stable version.

Use the following command to install OpenSSL on your CentOS 8 system:

sudo yum install openssl

If OpenSSL is already installed, the system will notify you, and you can proceed immediately to the next step.

Step 2: Generating Your Private Key and CSR

This is the most critical step. We will use a single, powerful OpenSSL command to generate both the private key and the CSR simultaneously.

We recommend running this command as a non-root user with sudo permissions, but the files will need to be accessible by your web server software (like Apache or Nginx) later.

Here is the full command template:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomainname.key -out yourdomainname.csr

Breaking Down the Command Arguments:

Argument | Purpose
openssl req | Starts the utility specifically for handling Certificate Requests.
-new | Signals that a new Certificate Request should be generated.
-newkey rsa:2048 | Specifies that a new 2048-bit RSA Private Key should be created. This is the industry standard.
-nodes | Stands for “No DES.” This prevents the private key from being encrypted with a passphrase. While using a passphrase is more secure, it means you must enter the password every time the server restarts, which is impractical for most web servers.
-keyout yourdomainname.key | Defines the filename for your Private Key. Keep this file secure!
-out yourdomainname.csr | Defines the filename for the Certificate Signing Request. This is the file you send to the CA.

Execution Example

You must replace the placeholder names with your actual domain information. We recommend naming the files clearly for easy identification, for example, darrenstechtutorials.key and darrenstechtutorials.csr.

openssl req -new -newkey rsa:2048 -nodes -keyout darrenstechtutorials.key -out darrenstechtutorials.csr

Step 3: Providing Your Certificate Information

After executing the command above, OpenSSL will prompt you to enter specific information necessary for the Certificate Authority.

Crucial Tip: You must use accurate, standard abbreviations for Country and State/Province fields.

Here are the prompts you will receive and how to fill them out:

Prompt | Example Input | Notes
Country Name (2 letter code) | US | Must be a two-letter ISO country code (e.g., US, GB, CA).
State or Province Name (full name) | California | Do not abbreviate.
Locality Name (e.g., city) | San Francisco | The full name of the city.
Organization Name (e.g., company) | Darren’s Tech Tutorials LLC | The legally registered name of your organization.
Organizational Unit Name (e.g., section) | IT Department | Usually a section or department (e.g., Web Services).
Common Name (e.g., server FQDN) | www.darrenstechtutorials.com | This is the most important field! It must be the exact Fully Qualified Domain Name (FQDN) you want to secure. If you want to secure mysite.com, use that. If you want www.mysite.com, use that.
Email Address | admin@example.com (placeholder) | A contact email for the certificate administrator.
A challenge password | Leave Blank | DO NOT ENTER A PASSWORD. This is an optional, legacy field. Hitting Enter will skip it.
An optional company name | Leave Blank | DO NOT ENTER A COMPANY NAME. Hitting Enter will skip it.

Once you complete all the prompts, the files will be created in your current working directory.

Step 4: Submitting Your CSR

You now have two files:

  1. yourdomainname.key (Private Key)
  2. yourdomainname.csr (Certificate Signing Request)

You will never share the .key file with anyone—keep it secured on your CentOS 8 server.

The .csr file is the one you need to send to your Certificate Authority (CA) (e.g., DigiCert, Sectigo, or Let’s Encrypt). You usually paste the entire text content of this file into a field on their website.

To view the contents of the CSR file, use the cat command:

cat yourdomainname.csr

Copy the entire block of text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and submit it to your provider. They will then process it and issue your final SSL certificate!
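Before submitting, it is worth confirming that the CSR is intact, carries the Common Name you intended, and belongs to the private key you are keeping. The script below is an added example, not part of the original tutorial: it repeats Step 2 non-interactively with -subj and then runs those checks. The file name example, the subject values, and www.example.com are constructed placeholders, and the permission check assumes GNU stat, as shipped with CentOS.

```shell
#!/bin/sh
# Added example: non-interactive version of Steps 2-4 plus pre-submission checks.
# www.example.com and the subject values below are constructed placeholders.

# make_csr NAME SUBJECT: write NAME.key and NAME.csr; the key is never world-readable.
make_csr() {
    ( umask 077   # applies only inside this subshell
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null )
}

# A CSR is signed with its own private key; a truncated or altered paste fails here.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# The public key inside the CSR must be the one derived from the .key file.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the Common Name the CA will see.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print the key size in bits (this guide uses 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr NAME EXPECTED_CN: run every check, return non-zero on the first failure.
check_csr() {
    csr_signature_ok "$1.csr"                || { echo "bad CSR signature"; return 1; }
    csr_matches_key "$1.csr" "$1.key"        || { echo "CSR/key mismatch"; return 1; }
    [ "$(csr_common_name "$1.csr")" = "$2" ] || { echo "unexpected CN"; return 1; }
    [ "$(csr_key_bits "$1.csr")" -ge 2048 ]  || { echo "key too small"; return 1; }
    [ "$(stat -c %a "$1.key")" = 600 ]       || { echo "key file not mode 600"; return 1; }
    echo "CSR OK: $(csr_common_name "$1.csr")"
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1
make_csr example "/C=US/ST=California/L=San Francisco/O=Example LLC/CN=www.example.com"
check_csr example www.example.com
```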

Summary and Next Steps

Generating a CSR is the crucial first step toward securing your online services. By using OpenSSL on CentOS 8, you have created a robust, industry-standard request that is ready for submission.

Remember these key takeaways:

  • The CSR (.csr) is public and goes to the Certificate Authority.
  • The Private Key (.key) is secret and stays securely on your server.
  • The Common Name must exactly match the domain you are securing.

We hope this tutorial made the process clear and straightforward! If you found this guide helpful, please be sure to check out the accompanying video on our YouTube channel. Don’t forget to like this post and subscribe to Darren’s Tech Tutorials for more clear, accessible tech guides! Happy securing!