Generate CSR for Apache modSSL

Solution ID:    SO2614    Updated:    09/03/2014


Generate CSR for Apache modSSL
How do I generate a csr on Apache


Watch Thawte’s Tutorial Videos for a more visual experience!

Note:  If you are unable to view the video, please click here to go directly to the video source.

To generate the CSR and private key in Apache modSSL, follow the instructions below:

The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to adjust these instructions appropriately.

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. When you want to access your website through then the FQDN of your website is; therefore, your common name will be

Generate the Key with the following command:

NOTE: A key length of 1024 bit is the default, but Thawte recommends the use of a 2048 bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048 bit key length will need to be selected.

$ openssl genrsa -des3 -out 2048

This command will generate 2048 bit RSA Private Key and stores it in the file

It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option above. Also leave out -des3 option if you are running Apache on Windows as it does not work on Windows.

Backup your file and make a note of the pass phrase. A good choice is to backup this information onto a diskette or other removeable media.

Note:  If you are attempting to request an Extended Validation certificate, ensure that 2048 is selected as your key-bit length.

Generate the CSR with the following command:
$ openssl req -new -key -out

This command will prompt you for the X.509 attributes of your certificate. Remember to give the name when prompted for 'Common Name (eg,'.

Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers). Leave the Email Address blank and hit the return key.

You will now have a RSA Private Key in and a Certificate Signing Request in

The file is your secret key, and must be installed as per the instructions that will come when your certificate is issued. The file is your CSR, and the important bit looks something like this:




The CSR in is what you now paste into the appropriate online order form.

Please take a note of the format above.

Please Note: Generating the private key with the passphrase will mean that the same passphrase will need to be entered after restarting the server.

In order to allow your mod_ssl-secured Apache server work with our certificates we recommend you to use the latest versions of Apache, mod_ssl and OpenSSL.

The distribution tarballs can be found at the following locations:

 Detailed installation instructions can be found in the INSTALL files in all three packages.

The utility (openssl) that you use to generate the RSA Private Key (Key) and the Certificate Signing Request (CSR) comes with Openssl and is usually installed under the directory SSL_BASE/bin where SSL_BASE is the path you specified for building Apache+mod_ssl either with the

--with-openssl option or the SSL_BASE variable.  

Legacy ID


Knowledge Center

Search Tips