How do I create a CSR file?

This topic explains how to generate a Certificate Signing Request (CSR) file using OpenSSL or Keytool before applying for an SSL certificate.

Before you begin

To apply for an SSL certificate, you need a private key file and a CSR file. The CSR file contains your public key and organizational information, which the certificate authority (CA) uses for validation.

SSL Certificates Service supports two tools for generating a CSR file:

| Tool | Best for |
| --- | --- |
| OpenSSL | Linux/macOS servers and standard RSA key generation |
| Keytool | Java-based servers (Tomcat) and environments that require Chinese character input |

Requirements for the CSR file:

  • The key must be RSA type, 2,048 bits in length.

  • For a multi-domain or wildcard certificate, specify a single domain name in the Common Name field (or at the "What is your first and last name?" prompt in Keytool).

  • If you enter Chinese characters, encode them in UTF-8. Keytool handles this natively; OpenSSL requires UTF-8 support to be configured.

Use the system-generated CSR in SSL Certificates Service when possible to avoid validation failures caused by incorrectly formatted input. For more information about how to address a validation failure, see the topic 'The "Primary domain name cannot be empty" error is returned when I upload my CSR file. What do I do?'. If you generate a CSR manually, keep the private key confidential and back it up immediately.

Note: To enter Chinese information, use Keytool rather than OpenSSL.

Generate a CSR file

Use OpenSSL to generate a CSR file

  1. Log in to your server and navigate to the directory where you want to store the key and CSR files.

  2. Install OpenSSL if it is not already installed. For installation instructions, see the OpenSSL website.

  3. Run the following command to generate a private key and CSR file simultaneously:

    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]

    Note: The command parameters are described as follows:

    | Parameter | Description |
    | --- | --- |
    | -new | Generates a new CSR file |
    | -nodes | Creates an unencrypted private key file |
    | -sha256 | Uses SHA-256 as the digest algorithm |
    | -newkey rsa:2048 | Generates a new 2,048-bit RSA private key |
    | [$Key_File] | The filename for the private key |
    | [$OpenSSL_CSR] | The path where the CSR file is saved |

    The following output is returned.

  4. Enter the required information when prompted:

    | Field | Description |
    | --- | --- |
    | Organization Name | Your company name (Chinese or English) |
    | Organizational Unit Name | Your department name (Chinese or English) |
    | Country Code | The two-letter ISO country code of your organization. For example, CN for China. |
    | State or Province | The state or province name (Chinese or English) |
    | Locality | The city name (Chinese or English) |
    | Common Name | The domain name for which you are applying for the certificate |
    | Email Address | Optional |
    | A challenge password | Optional |

  5. Retrieve the generated private key file and CSR file from the current directory.
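
The following added example (not part of the original documentation) runs the OpenSSL command above non-interactively and then checks the result against this page's requirements: an RSA 2,048-bit key, a SHA-256 signature, a single Common Name, and a private key that matches the CSR and is not readable by other users. The file names, the subject values and example.com are constructed placeholders.

```bash
#!/bin/sh
# Added example, not from the original page. File names, subject values and
# example.com are constructed placeholders.

# gen_csr KEY CSR DOMAIN: the page's OpenSSL command, made non-interactive.
gen_csr() {
    (   umask 077   # -nodes leaves the key unencrypted, so create it owner-only
        openssl req -new -nodes -sha256 -newkey rsa:2048 \
            -keyout "$1" -out "$2" \
            -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Example Co/OU=IT/CN=$3" \
            2>/dev/null )
}

# check_csr KEY CSR: print each failed requirement; return 0 only if all pass.
check_csr() {
    key=$1; csr=$2; rc=0
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
        { echo "FAIL: $csr is not a parseable CSR"; return 1; }

    # The self-signature catches truncated or hand-edited files.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; rc=1; }

    # Page requirement: RSA key, 2,048 bits.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
    printf '%s\n' "$text" | grep -qF 'Public-Key: (2048 bit)' ||
        { echo "FAIL: key is not RSA 2048"; rc=1; }

    # The -sha256 digest from the command above.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "FAIL: signature is not SHA-256 with RSA"; rc=1; }

    # Exactly one Common Name, as the requirements list asks.
    n=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
        grep -c 'commonName') || n=0
    [ "$n" -eq 1 ] || { echo "FAIL: expected 1 Common Name, found $n"; rc=1; }

    # The key file must be the one the CSR was built from ...
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ] ||
        { echo "FAIL: private key does not match CSR"; rc=1; }

    # ... and must not be readable by group or other.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is readable by group/other"; rc=1; }
    return $rc
}
```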

Use Keytool to generate a CSR file

  1. Log in to your server and navigate to the directory where you want to store the keystore and CSR files.

  2. Verify that Keytool is available. Keytool is included in the Java Development Kit (JDK).

    Note: In most cases, Keytool is installed with the JDK. Run keytool -help to confirm.

  3. Run the following command to generate a keystore file:

    keytool -genkey -alias [$Alias] -keyalg RSA -keysize 2048 -keystore [$Keytool_Path]

    Note: The command parameters are described as follows:

    | Parameter | Description |
    | --- | --- |
    | -keyalg | The key type. Must be RSA. |
    | -keysize | The key length. Must be 2048. |
    | [$Alias] | A custom alias for the certificate. Use the same alias in all subsequent Keytool commands for this certificate. |
    | [$Keytool_Path] | The path where the keystore file is saved |

  4. Enter a password to protect the keystore when prompted. Store this password securely — you need it to access the private key and to generate the CSR in a later step.

  5. Enter the required information when prompted:

    | Field | Description |
    | --- | --- |
    | First and last name | The domain name for which you are applying for the certificate |
    | Name of your organizational unit | Your department name |
    | Name of your organization | Your company name |
    | Name of your city or locality | Your city name |
    | Name of your state or province | Your state or province name |
    | Two-letter country code for this unit | The two-letter ISO country code of your organization |

  6. Confirm the input by entering Y.

  7. Enter the key password when prompted. Press Enter to use the same password as the keystore.

  8. Run the following command to export a CSR file from the keystore:

    keytool -certreq -sigalg SHA256withRSA -alias [$Alias] -keystore [$Keytool_Path] -file [$Keytool_CSR]

    Note: The command parameters are described as follows:

    | Parameter | Description |
    | --- | --- |
    | -sigalg SHA256withRSA | The digest algorithm for the CSR signature |
    | [$Alias] | Must match the alias used when the keystore was created |
    | [$Keytool_Path] | The path to the keystore file |
    | [$Keytool_CSR] | The path where the CSR file is saved |

  9. Enter the keystore password when prompted to confirm and finalize CSR generation.

Application scope

  • SSL Certificates Service