CSR (Certificate Signing Request) is a file with your public key and organisation data that you send to a CA to obtain an SSL certificate. Generated with openssl, requires: private key, Common Name (CN = domain), SAN for multi-domain. Let's Encrypt does not need a CSR — it uses ACME.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
openssl versionopenssl genrsa -out privkey.pem 2048openssl req -new -key privkey.pem -out request.csrrequest.csr to the CA (DigiCert, Sectigo, GeoTrust)| Scenario | Config / Record |
|---|---|
| Minimal CSR (one line) | openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out request.csr -subj "/C=US/ST=CA/O=Acme/CN=example.com" |
| CSR with Subject Alternative Names (SAN) | openssl req -new -key privkey.pem -out request.csr -config san.cnf |
| san.cnf for multi-domain | [req]
distinguished_name = req_dn
req_extensions = v3_req
[req_dn]
CN = example.com
[v3_req]
subjectAltName = DNS:example.com,DNS:www.example.com,DNS:api.example.com |
| Inspect CSR | openssl req -text -noout -in request.csr |
| Wildcard cert | CN = *.example.com + SAN = *.example.com, example.com |
-aes256) — nginx prompts at restart. Use -nodes.To generate a Certificate Signing Request (CSR) in 2026, use the openssl command-line tool. Execute openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr to create a CSR and its associated private key. Ensure you provide accurate information such as your domain name and organizational details during the process, which is crucial for SSL certificate issuance.
A Certificate Signing Request (CSR) is a block of encoded text that contains information about your website and your organization. It is submitted to a Certificate Authority (CA) to obtain an SSL certificate. Generating a CSR is a critical step in securing your website and establishing trust with your visitors.
Before you begin generating a CSR, ensure you have the following:
To generate a CSR, follow these steps using the OpenSSL command-line tool:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr This command performs the following actions:
-new: Indicates that you want to create a new CSR.-newkey rsa:2048: Generates a new RSA private key of 2048 bits.-nodes: Specifies that the private key should not be encrypted.-keyout: Defines the filename for the private key.-out: Specifies the filename for the CSR.After running the command, you will be prompted to provide several pieces of information:
For instance, if you are generating a CSR for example.com, you would run:
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr Upon execution, you would fill in the prompts with:
Once you have generated your CSR, it’s essential to verify its content to ensure accuracy. You can do this using the following command:
openssl req -in example.com.csr -noout -text This command will display the details of the CSR, allowing you to check that all information is correct before submission to the CA.
To ensure your CSR is generated correctly and securely, follow these best practices:
By following these guidelines, you can successfully generate a CSR that meets the requirements of most Certificate Authorities and helps secure your website.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeNo. Let's Encrypt uses the ACME protocol — certbot generates the key and CSR automatically. Just run <code>certbot --nginx -d example.com</code>.
Subject Alternative Names — an X.509 extension that lets one cert cover multiple domains. Modern browsers ignore CN in favor of SAN. Always include the domain in SAN.
DV (Domain Validation) — only ownership check (Let's Encrypt). OV (Organization Validation) — + legal entity verification. EV (Extended Validation) — + in-depth review, green address bar (deprecated in browsers 2019+).
Yes, you can reuse the same CSR (same key) on renewal. Rotating the key is the safer practice.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.