François' Blog

Generate your own CSR

Published on 2022-09-21

It is 2022, and not everyone is using Let’s Encrypt. So occasionally one needs to generate a CSR for use on a web server.

Unfortunately, in 2022, it is still not obvious how to do this using EC. The examples are mostly for RSA. So, once and for all I am documenting this here. Hopefully it is safe, and sufficient. We assume that the CA will fill the subjectAltName.

Save the following as generate_csr.sh:

#!/bin/sh

# generate private key
openssl ecparam \
	-genkey \
	-name secp384r1 \
	-out "${WEB_FQDN}.key"

# generate CSR
openssl req \
	-new \
	-subj "/CN=${WEB_FQDN}" \
	-sha384 \
	-key "${WEB_FQDN}.key" \
	-out "${WEB_FQDN}.csr"

# print CSR
openssl req \
	-in "${WEB_FQDN}.csr" \
	-text

You can use it like this:

$ WEB_FQDN=www.example.org sh ./generate_csr.sh

It writes the private key and the CSR to file, and at the same time outputs the CSR both in PEM and in “human” readable form.

History