François' Blog

Generate your own CSR

Published on 2022-09-21

It is 2022, and not everyone is using Let's Encrypt. So occasionally one needs to generate a CSR for use on a web server.

Unfortunately, in 2022, it is still not obvious how to do this with an elliptic-curve (EC) key; most examples are for RSA. So, once and for all, I am documenting this here. Hopefully it is safe and sufficient. We assume that the CA will fill in the subjectAltName.

Save the following as generate_csr.sh:

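#!/bin/sh

# stop at the first failing command, and refuse to run without a host name
set -e
: "${WEB_FQDN:?set WEB_FQDN to the FQDN of the web server}"

# generate private key on the P-384 curve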
openssl ecparam \
	-genkey \
	-name secp384r1 \
	-out "${WEB_FQDN}.key"

# generate CSR
openssl req \
	-new \
	-subj "/CN=${WEB_FQDN}" \
	-sha384 \
	-key "${WEB_FQDN}.key" \
	-out "${WEB_FQDN}.csr"

# print CSR
openssl req \
	-in "${WEB_FQDN}.csr" \
	-text

You can use it like this:

$ WEB_FQDN=www.example.org sh ./generate_csr.sh

It writes the private key to www.example.org.key and the CSR to www.example.org.csr, and at the same time prints the CSR both in PEM and in "human" readable form.
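
Before the CSR goes to the CA, it is worth confirming that it verifies, belongs to the private key, and carries the curve, hash and CN the script asked for. The following is an added example, not part of the original script; the function name check_csr and the file name check_csr.sh are assumptions.

```sh
#!/bin/sh
# Added example: check a key/CSR pair before the CSR goes to the CA.
# check_csr is an illustrative helper name, not part of the original script.

check_csr() {
	key=$1 csr=$2 fqdn=$3

	# 1. The self-signature must verify. Match on the message rather than
	#    relying on the exit status alone.
	openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
		echo "FAIL: CSR self-signature does not verify" >&2; return 1; }

	# 2. The public key in the CSR must be the one derived from the key file.
	csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
	key_pub=$(openssl pkey -in "$key" -pubout) || return 1
	[ "$csr_pub" = "$key_pub" ] || {
		echo "FAIL: CSR was not created from $key" >&2; return 1; }

	# 3. Curve and signature hash must be the ones the script requested.
	text=$(openssl req -in "$csr" -noout -text) || return 1
	for want in 'ASN1 OID: secp384r1' 'ecdsa-with-SHA384'; do
		printf '%s\n' "$text" | grep -qF "$want" || {
			echo "FAIL: '$want' not found in CSR" >&2; return 1; }
	done

	# 4. The subject must be exactly CN=<fqdn>, as set with -subj.
	subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
	[ "$subj" = "subject=CN=$fqdn" ] || {
		echo "FAIL: unexpected subject: $subj" >&2; return 1; }

	echo "OK: $csr matches $key (P-384, SHA-384, CN=$fqdn)"
}

# Called with a host name, check the files generate_csr.sh wrote for it.
if [ "$#" -eq 1 ]; then
	check_csr "$1.key" "$1.csr" "$1"
fi
```

Saved as check_csr.sh next to the generated files, it runs as: sh ./check_csr.sh www.example.org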
