3.3. Creating a CSR

From the key pair, we create a "Certificate Signing Request" (CSR) to send off to our chosen CA. The CSR contains the server's public key, and the other details that are to be included in your certificate, the whole thing signed by the server's private key.

The various strange field names, "Organization Unit Name", "Common Name", etc., are an inheritance from X.500. It does not normally matter greatly what you supply for each component, though your chosen CA may decline to sign your certificate if what you supply is wrong or not what they expect. However the component called "Common name" must match exactly the host name of your server, otherwise browsers will complain. For a host with several names (www.department.cam.ac.uk/nymph.department.cam.ac.uk) this should be whatever is going to appear in the URLs actually used to access the secure server.

$ openssl req -new -key WWW.key -out WWW.csr
Enter pass phrase for WWW.key: password
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
Organizational Unit Name (eg, section) []:Computing Service
Common Name (eg, your name or your server's hostname) []:clt1.csi.cam.ac.uk
Email Address []:jw35@cam.ac.uk

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 

Arguments used


used when creating a new CSR, rather than processing an existing one


the name of the file containing the key pair


name of the file to receive the CSR