SSL certificate and certificate signing requests have been causing me some trouble over the last few days; and as I have it all sorted, but will need to do it all again in a year's time: here's the process I used.

I'm just looking to generate a certificate for a single subdomain at a time, from the linux command line for use on a server (actually a Digital Ocean droplet), where I have root access. This means I can generate private keys locally, and not have them leave the server where they're generated and used.

For SSL you're looking to make three files:

  • A private key that your server will use to make the https connections This should not be disclosed.

  • A certificate signing request csr that you generate from the key and send to the ssl certificate provider. This includes the public form of the private key.

  • A certificate crt back from the ssl certificate provider that will respond with. This is used by the server to 'prove' that the private key comes from the entity that it claims to.

First up, generate the certificate:

openssl genrsa -out 2048

This will generate a 2048 bit key (you could choose 4096) named Using the domain name of the server you're generating keys for will make this easier when you come back at a later date, or when you have several CSRs that you're sending out!

I've created a private key without a password, so the server can read the key on restart without any outside interaction.

Next create the certificate signing request (CSR):

openssl req -new -key -out

This gives you a new file, that you can send to your SSL certificate provider for them to sign. Your private key that was generated before doesn't go anywhere, but the .csr can be safely sent out.

As part of generating the CSR, you'll need to fill in your personal/company details that the certificate will be verified against. While you don't have to fill in all of these, I filled in the first 7.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

One of the problems I had was a continued refusal of the CSR I was generating by the SSL provider. It turns out that it was all to do with the Country Name I'd supplied. I was using UK instead of the ISO 2-letter country code of the UK, which is GB. Setting this to GB sorted everything out for me.

If it all goes well, you'll have a CSR that you can send to your chosed SSL provider, and they will send a crt certificate in response. They may require you to also include an intermediate certificate with the one you receive. This can be concatenated onto the end of the certificate so your server will only need a single file.


It's also possible to self sign a certificate for use immediately. It won't be suitable for use publicly because every visitor will get a warning that the certificate has been signed by an entity that their browser doesn't trust, but it might be useful if you want to test straight away, or you don't need to provide public access.

To generate a self-signed certificate:

openssl x509 -req -days 365 -in -signkey -out