Generate your own CSR
Published on 2022-09-21
It is 2022, and not everyone is using Let's Encrypt. So occasionally one needs to generate a CSR for use on a web server.
Unfortunately, in 2022, it is still not obvious how to do this using EC. The
examples are mostly for RSA. So, once and for all I am documenting this here.
Hopefully it is safe, and sufficient. We assume that the CA will fill the
subjectAltName.
Save the following as generate_csr.sh:
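#!/bin/sh
# abort on the first failing command, and refuse to run without WEB_FQDN
set -e
: "${WEB_FQDN:?set WEB_FQDN to the host name, e.g. www.example.org}"
# create the output files readable by their owner only
umask 077
# generate private key
openssl ecparam \
    -genkey \
    -name secp384r1 \
    -out "${WEB_FQDN}.key"
# generate CSR
openssl req \
    -new \
    -subj "/CN=${WEB_FQDN}" \
    -sha384 \
    -key "${WEB_FQDN}.key" \
    -out "${WEB_FQDN}.csr"
# print CSR
openssl req \
    -in "${WEB_FQDN}.csr" \
    -text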
You can use it like this:
$ WEB_FQDN=www.example.org sh ./generate_csr.sh
It writes the private key and the CSR to files, and at the same time prints the CSR both in PEM and in human-readable form.
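
Before the CSR goes to the CA, it is worth confirming that it really belongs to the key that was just written. The following is an added example, not part of the original script: check_csr is a hypothetical helper name, and it assumes a key and CSR as produced by generate_csr.sh.

```sh
#!/bin/sh
# check_csr KEY CSR  (hypothetical helper, added example)
# Returns 0 if the CSR is self-consistent, belongs to KEY and uses secp384r1.
check_csr() {
    key="$1"
    csr="$2"

    # 1. The CSR's self-signature must verify. The exit status of -verify
    #    differs between OpenSSL releases, so match the message instead.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: self-signature of $csr does not verify" >&2
        return 1
    fi

    # 2. The public key inside the CSR must be the one derived from the
    #    private key; a mismatch means the wrong .key/.csr files were paired.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$csr_pub" != "$key_pub" ]; then
        echo "FAIL: $csr was not made from $key" >&2
        return 2
    fi

    # 3. The key must be on the curve the script asked for.
    if ! openssl req -in "$csr" -noout -text | grep -q "ASN1 OID: secp384r1"; then
        echo "FAIL: $csr does not carry a secp384r1 key" >&2
        return 3
    fi

    echo "OK: $csr matches $key (secp384r1, signature verifies)"
}

# Usage: sh check_csr.sh www.example.org.key www.example.org.csr
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```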