You are located in service: Certificates

Generate a new Certificate Signing Request (CSR)

Generate a new Certificate Signing Request (CSR)

This guide shows you how to generate a new certificate signing request using OpenSSL on Windows or Linux/Unix operating systems.

Linux/ Unix

Generate a new RSA key pair (e.g. 4096-bit) with openssl:

openssl genrsa -out private.pem 4096

Read more about recommended keys lengths in the Technischen Richtlinien des BSI, alternatively on "Cryptographic Key Length Recommedation"

Generate a new Certificate Signing Request (CSR) with openssl (interactively):

openssl req -new -key private.pem -out request.pem

Please note the following attributes (detailed information in the Certification Guidelines of the DFN-PKI):

all PKIsCountry NameCDEuse capital letters!
not for the DFN Grid-PKIState or Province NameSTNordrhein-WestfalenNote the exact spelling!
not for the DFN Grid-PKILocality NameLAachenNote the exact spelling!
GÈANT/TCSOrganization NameORWTH Aachen UniversityNote the exact spelling!
DFN-Verein Community PKIOrganization NameORWTH AachenNote the exact spelling!
DFN Grid-PKIOrganization NameOGridGermanyNote the exact spelling!
only for the DFN Grid-PKIOrganisational UnitOURWTH AachenNote the exact spelling!
all PKIsCommon

Name of the server as found in DNS. Other FQDNs may be specified as subjectAlternativeName (SaN).

RFC conformity requires the presence of only one CN.

All further FQDNs must be listed als Subject Alternative Names (subjectAltNames).

You can achieve this with a single OpenSSL command under Unix/Linux:

for the GÈANT/TCS PKIopenssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen University/" -addext ","
for the DFN-Verein Community PKIopenssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/ST=Nordrhein-Westfalen/L=Aachen/O=RWTH Aachen/" -addext ","
for the DFN Grid-PKIopenssl req -new -key private_key.pem -out request.pem -batch -subj "/C=DE/O=GridGermany/OU=RWTH Aachen/" -addext ","
 Windows Nutzer (exemplarisch für die GÈANT/TCS PKI)
csr.conf Datei generieren, folgendes eintragen:
  • prompt = no
  • distinguished_name = req_distinguished_name
  • req_extensions = req_ext
  • [req_distinguished_name]
    • C=DE
    • ST=Nordrhein-Westfalen
    • L=Aachen
    • O=RWTH Aachen University
  • [req_ext]
    • subjectAltName = @alt_names
  • [alt_names]
    • DNS.1 =
    • DNS.2 =

Jetzt den OpenSSL Befehl geben:

openssl req -new -key private.pem -config csr.conf -out request.pem

Further Steps:


last changed on 01/04/2023

How did this content help you?

Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License