
Generate a CSR with OpenSSL

On this page, you will learn how to generate a new certificate signing request (CSR) using OpenSSL.


Generate a CSR with a new RSA key pair

Linux/Unix

Step 1
Generate a new RSA key pair (e.g. 4096-bit) with openssl. In this case, the key is generated without a password (not recommended!).

openssl genrsa -out private.pem 4096

Better alternative: generate the key encrypted with a password:

openssl genrsa -aes128 -passout pass:<passwordgoeshere> -out private.pem 4096

Note that a password given with pass: is written to the shell history and is visible to other users in the process list while the command runs. Omit -passout to be prompted for the password interactively, or read it from an environment variable with -passout env:<VARIABLE>.

The BSI Technical Guidelines (Technische Richtlinien des BSI) and the Cryptographic Key Length Recommendation provide more information on recommended key lengths.

Step 2
Generate a new CSR with openssl (interactively; you are prompted for the subject attributes listed in the table below):

openssl req -new -key private.pem -out request.pem

Please note the following attributes for the respective PKI. Use the exact spelling!

PKI                          Attribute                Abbreviation   Examples
all PKIs                     Country Name             C              DE
not for DFN Grid-PKI         State or Province Name   ST             Nordrhein-Westfalen
not for DFN Grid-PKI,        Locality Name            L              Aachen
not for Harica
Sectigo/Harica               Organization Name        O              RWTH Aachen University
DFN-Verein Community PKI     Organization Name        O              RWTH Aachen
DFN Grid-PKI                 Organization Name        O              GridGermany
only for DFN Grid-PKI        Organizational Unit      OU             RWTH Aachen
all PKIs                     Common Name              CN             www.rz.rwth-aachen.de
                                                                     pop3.test.rwth-aachen.de

RFC conformity allows only one CN in the subject. All further FQDNs must be listed as Subject Alternative Names (subjectAltName); repeat the CN there as well, as the examples do, because CAs and browsers take the host names from the SAN extension. You can achieve this with a single OpenSSL command under Unix/Linux (the -addext option requires OpenSSL 1.1.1 or newer):

for Harica PKI

openssl req -new -utf8 -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

for Sectigo PKI

openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen University/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

for DFN-Verein Community PKI

openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

for DFN Grid-PKI

openssl req -new -key private.pem -out request.pem -batch -subj "/C=DE/O=GridGermany/OU=RWTH Aachen/CN=fqdn1.domain.rwth-aachen.de" -addext "subjectAltName=DNS:fqdn1.domain.rwth-aachen.de,DNS:fqdn2.domain.rwth-aachen.de"

private.pem is the key file from step 1. If it was generated with a password, openssl prompts for it; alternatively supply it with -passin env:<VARIABLE>.

Windows

Step 1
Create a file csr.conf with the following content (an example for Sectigo PKI; the settings at the top belong to the [req] section that openssl req reads):

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
C=DE
ST=Nordrhein-Westfalen
L=Aachen
O=RWTH Aachen University
CN=name1.domain.rwth-aachen.de

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = name1.domain.rwth-aachen.de
DNS.2 = name2.domain.rwth-aachen.de

Step 2
Enter the OpenSSL command (private.pem is the key file generated in the Linux/Unix step 1 above):

openssl req -new -key private.pem -config csr.conf -out request.pem
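The following script is an added example and not part of this page: it builds the csr.conf from above, creates the key and the request without any interactive prompt (the config-file procedure works the same on Linux/Unix), and then runs the checks a CA performs before you upload the request: the self-signature verifies, the public key in the request belongs to your private key, the CN is repeated in the subjectAltName list, and the RSA key is at least 3072 bits. The file names, the working directory and the password value CSR_KEY_PASS are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the RWTH page: create the CSR from a csr.conf
# non-interactively (the Windows procedure above, on any OS with openssl),
# then run the checks a CA runs before you upload it. File names
# (private.pem, csr.conf, request.pem) and the password are assumptions.
set -eu
WORK=$(mktemp -d)

# Write csr.conf in the Sectigo layout. $1 = file, $2 = CN, $3.. = SAN list.
# The SAN list must contain the CN itself; check_csr below catches it if not.
write_csr_conf() {
  conf=$1; cn=$2; shift 2
  {
    printf '[req]\nprompt = no\n'
    printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n\n'
    printf '[req_distinguished_name]\nC = DE\nST = Nordrhein-Westfalen\nL = Aachen\n'
    printf 'O = RWTH Aachen University\nCN = %s\n\n' "$cn"
    printf '[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    n=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$n" "$name"
      n=$((n + 1))
    done
  } > "$conf"
}

# Encrypted 4096-bit key. The password is read from the environment
# (CSR_KEY_PASS) so it does not show up in `ps` output or shell history.
gen_key() {  # $1 = key file
  openssl genrsa -aes256 -passout env:CSR_KEY_PASS -out "$1" 4096 2>/dev/null
}

gen_csr() {  # $1 = key file, $2 = csr.conf, $3 = request file
  openssl req -new -batch -key "$1" -passin env:CSR_KEY_PASS -config "$2" -out "$3"
}

# --- checks on the finished request ---

# The request's self-signature verifies (proof of possession of the key).
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# The public key inside the request is the one belonging to our private key.
csr_matches_key() {  # $1 = request, $2 = key file
  [ "$(openssl req -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -passin env:CSR_KEY_PASS -pubout)" ]
}

# Subject CN (RFC2253 order puts CN first).
csr_cn() { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# DNS names from the requested subjectAltName extension, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# RSA modulus length in bits.
csr_key_bits() { openssl req -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]*' | tr -dc '0-9'; }

# All checks together; returns 0 only if the request is ready to upload.
check_csr() {  # $1 = request, $2 = key file
  csr_signature_ok "$1"        || { echo "self-signature does not verify"; return 1; }
  csr_matches_key "$1" "$2"    || { echo "public key does not belong to $2"; return 1; }
  cn=$(csr_cn "$1")
  csr_sans "$1" | grep -qxF "$cn" || { echo "CN $cn is missing from subjectAltName"; return 1; }
  [ "$(csr_key_bits "$1")" -ge 3072 ] || { echo "RSA key shorter than 3072 bit"; return 1; }
}

# Demo run; the password is a constructed test value. The CN is passed a
# second time so that it also appears as DNS.1 in the SAN list.
CSR_KEY_PASS=${CSR_KEY_PASS:-correct-horse-battery-staple}; export CSR_KEY_PASS
write_csr_conf "$WORK/csr.conf" fqdn1.domain.rwth-aachen.de \
  fqdn1.domain.rwth-aachen.de fqdn2.domain.rwth-aachen.de
gen_key "$WORK/private.pem"
gen_csr "$WORK/private.pem" "$WORK/csr.conf" "$WORK/request.pem"
check_csr "$WORK/request.pem" "$WORK/private.pem" && echo "$WORK/request.pem is ready to upload"
```

Run it with sh after exporting CSR_KEY_PASS; it prints the first failing check, or the path of the finished request. The 3072-bit threshold is the lower bound from the key-length recommendations cited above and is easy to change for a stricter internal policy.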

Generate a CSR with an existing RSA key pair

Reusing an RSA key pair is not recommended; good practice is to generate a fresh key pair for every certificate.

If for technical reasons you need to do so (e.g. key pinning), you can generate a new certificate signing request (new_request.pem) from the existing certificate (cert.crt) and its private key file (private.pem) as follows:

openssl x509 -x509toreq -in cert.crt -signkey private.pem -out new_request.pem

Note that -x509toreq takes over only the subject and the public key; the subjectAltName extension of the old certificate is not carried into the request. With OpenSSL 3.0 or newer, add -copy_extensions copy to the command above; with older versions, build the request with openssl req -new -key private.pem ... and -addext as described above instead. Either way, output the generated CSR in plain text and check that all host names appear under Requested Extensions:

openssl req -noout -text -in new_request.pem

last changed on 02/26/2026

Creative Commons License Agreement
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License