Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-07-05 15:46:21.0

How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL

Article Number: 46326


How is a Certificate Signing Request (CSR) generated for Apache HTTP Server using OpenSSL?




The process below will guide you through the steps of creating a Private Key and CSR


IMPORTANT: The private key is not to be shared by anyone, sharing of the private key is against best practice. If you require to share the private key it is best to transfer in a secure manner and not through open communication such as unencrypted email. DO NOT provide Entrust with the private key.


Launch the OS Terminal or Command Prompt:

For SHA-1 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

For SHA-2 signing algorithm:

Type the following command: openssl req -new -newkey rsa:2048 –sha256 -nodes -keyout server.key -out server.csr


PLEASE NOTE: Replace "server.key" and "server.csr" with your own values 


    Once prompted for a "Common Name" enter the Fully Qualified Domain Name (FQDN) that you wish to secure in the certificate


      For Wildcard: If you are going to be requesting a Wildcard Certificate you will need to place an asterisk * in front of the domain (e.g. *.entrust.com)


        You will also be prompted for the following information:







          Business Location - Country




          Business Location - State/Province




          Business Location - City


          Organization Unit


          Organization Unit if required to be listed*




          Organization’s legal business name

          Entrust Inc.

          Common Name


          Domain to be secured by certificate


          PLEASE NOTE: Do not use a Challenge Password
          * If you require an Organization Unit, the value you place will be required to pass verification. If the OU is considered misleading or a registered trademark to a different legal entity it will be removed from certificate that is issued and show up with no value.

          Command Output Sample:

          [User@localhost ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

          Generating a 2048 bit RSA private key



          writing new private key to 'server.key'


          You are about to be asked to enter information that will be incorporated

          into your certificate request.

          What you are about to enter is what is called a Distinguished Name or a DN.

          There are quite a few fields but you can leave some blank

          For some fields there will be a default value,

          If you enter '.', the field will be left blank.


          Country Name (2 letter code) [XX]:CA

          State or Province Name (full name) []:Ontario

          Locality Name (eg, city) [Default City]:Ottawa

          Organization Name (eg, company) [Default Company Ltd]:Entrust Inc.

          Organizational Unit Name (eg, section) []:

          Common Name (eg, your name or your server's hostname) []:www.entrust.com

          Email Address []:


          Please enter the following 'extra' attributes

          to be sent with your certificate request

          A challenge password []:

          An optional company name []:



          You will now have a Private Key and CSR, the CSR contents are used to submit the request to Entrust to issue the certificate. You can view the contents of the CSR by opening the file within a basic text editor, to confirm the information is correct use the Entrust CSR viewer to parse the information within the CSR: http://www.entrust.net/ssl-technical/csr-viewer.cfm



            Affected Products:

            • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable