How to Generate Your CSR (SSL Certificate Signing Request)¶
This page explains the purpose of CSRs (Certificate Signing Requests), and the process for generating one. If an SSL certificate is generated automatically for use on Gandi Web Hosting, we will generate the CSR for you automatically. For all others you will generate your own CSR.
What is a CSR?¶
A CSR, or Certificate Signing Request, is an encrypted text block that uniquely specifies who you are, and the domain name (and subdomains) that you want to use for the certificate. You will enter your identifying data into specific software, and the software will use your data to generate an encrypted CSR.
If you are requesting a certificate that you will use on Gandi hosting, we can automatically generate this CSR for you. Otherwise, you will need to do this yourself before you can complete your SSL certificate order. After you have generated your CSR, you will copy and paste the CSR you create into a form on our website as part of the SSL ordering process.
After you generate the CSR and provide it to us, we will pass it on to Sectigo, the certificate authority that authorizes our certificates. They will then perform the necessary checks and return a signed certificate which you can then install on your server. Visitors who visit your website will then be able to rely on Sectigo’s authority that you are indeed the entity you claim to be.
How to Generate the CSR¶
What You Need¶
To generate the CSR you will need access to a unix terminal on a machine with OpenSSL, or an equivalent, installed. You do not need to use the machine where you will install the certificate to generate the CSR.
Some options may be:
Your regular computer, if you use Linux or OSx
A Gandi cloud server
A Gandi web hosting (even if you intend to use the certificate outside of Gandi)
An accessible production server running on Linux or Unix
A Windows computer with OpenSSL for Windows installed
Determine the Common Name¶
As part of the CSR generation process you will be asked for the common name. The common name is the domain name you wish to secure with your certificate. You can read more on our page explaining the common name.
Running the Command¶
To generate the CSR you can copy and paste this command into a terminal on any of the computers described above:
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr -utf8
Some elements of this command are explained in the following list. You can learn more about this OpenSSL command in their documentation,
-newkey rsa:2048 - Generates a CSR request and a private key using RSA with 2048 bits. If you use the certificate with our Web Hosting offer, your key can only be 2048 bits.
sha256 - Use the SHA-2, SHA256 hash algorithm. Due to the deprecation of the SHA1 certificates, our partner, Sectigo, will automatically deliver a SHA2 certificate.
-keyout myserver.key: Save the private key in the file “myserver.key” in the folder where the command was executed.
-out server.csr: Save the CSR in the file “server.csr” in the folder where the command was executed.
-utf8: This option causes field values to be interpreted as UTF8 strings. Used also for IDN domains.
After you run the command you will be prompted to enter your identification data. This is the data that will be verified by the Certificate Authority when they authorize your SSL certificate. This information includes:
Country name: Provide the two letter code of your country.
State or Province Name: Write out the name of your state or province; do not use an abbreviation.
Locality Name: Provide the name of your city or town.
Organization Name: Provide the name of your organization, such as the name of your business. This field is optional for Standard certificates<standard_certificates, but for Pro and Business certificates, the organization name is mandatory.
Organization Unit Name: Provide the name of your organization unit within your company, such as the IT department.
Common Name: Provide the domain name you are wanting to secure. For more details see the previous section on this page.
Email Address: Provide your email address. The email address is not mandatory, but is recommended.
A challenge password: This is a rarely used and optional feature. We recommend you leave this blank.
An optional company name: We also recommend leaving this option blank.
Once you are finished executing this command, you will have two files: a public .csr file, and a private .key file that absolutely must be kept secret. The private key is generated at the same time as your csr, and will be stored on your computer or server. Only you, therefore, have access to that file, which ends in ”.key”
Opening and Copying the CSR¶
After you have generated the CSR you will be able to copy and paste it when prompted during your SSL order at Gandi. You can open the file by right clicking on the .csr file and choosing to open it with a text editor. Then, copy and paste the entire contents of the CSR including the parts
"-----BEGIN CERTIFICATE REQUEST-----" and
"-----END CERTIFICATE REQUEST-----".
The .csr file contains the CSR while the .key file contains the private key. The two are not interchangeable and it is important to use the correct file when submitting your request.