I’ve run into a handful of occasions where I’ve had to defer to OpenSSL to generate certificate signing requests (CSRs) for signing by a certificate authority (CA), like an internal CA server or a 3rd-party issuer like Digicert. Sometimes, applications, network gear, containers, or something else you’re working with just don’t have the facilities or UI to pull this off, but you need an SSL certificate. In these situations, my go-to move is to hop on to a nearby Linux system and generate the private key and subsequent CSR from there. Then I take my CSR to the CA to get my signed SSL certificate.
In this post, we’ll get right to it with the steps below. I have added brief comments to walk through it step by step, and some additional details on each step follow further down. If you just want to script this, scroll down to the bash script at the end.
# Step 1 - Make a new folder for the certificate files, change directory to it
cd /home/username/
mkdir 2026-ssl-cert-renewal-appname
cd 2026-ssl-cert-renewal-appname
# Step 2 - Create a 2048 bit private key
openssl genrsa -out appname.example.com.key 2048
# Step 3 - Restrict key permissions
chmod 600 appname.example.com.key
# Step 4 - Generate the CSR
openssl req -new -key appname.example.com.key -out appname.example.com.csr -sha256 -subj "/C=US/ST=Washington/L=Redmond/O=Org Name/CN=appname.example.com" -addext "subjectAltName=DNS:appname.example.com"
# Step 5 - Before sending to your CA, validate:
# CN = appname.example.com
# Subject Alternative Name includes DNS:appname.example.com
openssl req -in appname.example.com.csr -noout -text
# Step 6 - Send CSR to your CA for processing
Below are some additional details for each of the steps above.
Step 1
You’re changing directory (cd) to your home folder, creating a new folder (mkdir) to hold the private key and CSR, and then changing directory (cd) into the folder you just made.
Step 2
You’re generating the private key with openssl, in this case a 2048-bit RSA key.
genrsa: Tells OpenSSL to use its RSA key generation tool. RSA is the most widely supported key type for TLS certificates.
-out appname.example.com.key: The file the private key is written to, here appname.example.com.key in the current directory. This file is the secret; the CSR and the certificate are public.
2048: The key length in bits. 2048-bit is the minimum public CAs accept today; 3072 or 4096 also work if your policy calls for more.
Step 3
You’re restricting the private key’s permissions immediately after creation. Do it; it’s a solid security practice. OpenSSL creates the key file with whatever permissions your umask allows, which on many systems means other users on the box can read it. Running chmod 600 ensures that only the owner can read the private key. If you want to avoid even the brief window between creation and chmod, set umask 077 in the shell before running genrsa so the file is never created world-readable in the first place.
Step 4
You’re creating the CSR in the current working directory using openssl.
req -new: Tells OpenSSL that you want to create a new certificate request.
-key appname.example.com.key: Points OpenSSL to the private key you generated in the previous step. The request is signed with this key, which is how the CA knows the requester holds it.
-out appname.example.com.csr: Specifies the filename for the CSR. This is the PEM text file you will bring to your CA for signing.
-sha256: Signs the request with SHA-256. This is already the default on OpenSSL 1.1.0 and newer, but stating it explicitly protects you on older builds that still default to SHA-1.
-subj "...": Bypasses the interactive prompts by passing your organization’s identity details on a single line.
-addext "subjectAltName=DNS:appname.example.com": Adds the Subject Alternative Name (SAN) extension. This is critical: modern browsers ignore the Common Name (CN) when matching the hostname and only consult the SAN list. Even if you only have one domain, it must be listed here as a SAN, or browsers will reject the certificate as not matching the site. Two caveats: -addext requires OpenSSL 1.1.1 or newer (older releases need a config file with a subjectAltName entry instead), and some CAs build the SAN list from the order form rather than from the CSR, so check the issued certificate rather than assuming the CSR’s SANs were honoured.
Step 5
You’re validating that your CSR is in good shape before it leaves the box.
req: Tells OpenSSL you are working with a certificate request.
-in appname.example.com.csr: Points OpenSSL to the CSR file you want to examine.
-noout: Suppresses the raw encoded request (the -----BEGIN CERTIFICATE REQUEST----- block, which is just base64-encoded DER). You only want the decoded fields.
-text: Prints the decoded contents of the CSR in human-readable form. Check the Subject line for the CN and the Requested Extensions section for the SAN list. Adding -verify to the same command also checks the CSR’s self-signature, which catches a request that was corrupted or tampered with on its way to you.
Want a script that you can bend to your own will? Here’s a good starting point in bash:
#!/usr/bin/env bash
# Stop on the first failing command or unset variable
set -eu
# Define your domain variable once
DOMAIN="appname.example.com"
# Create the directory for this renewal and move into it
DIR="$HOME/certs/2026-${DOMAIN}-renewal"
mkdir -p "$DIR"
cd "$DIR"
# Generate key and restrict permissions
openssl genrsa -out "${DOMAIN}.key" 2048
chmod 600 "${DOMAIN}.key"
# Generate the CSR using the variable (-addext needs OpenSSL 1.1.1 or newer)
openssl req -new -key "${DOMAIN}.key" -out "${DOMAIN}.csr" -sha256 \
    -subj "/C=US/ST=Washington/L=Redmond/O=Org Name/CN=${DOMAIN}" \
    -addext "subjectAltName=DNS:${DOMAIN}"
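Extending the script above with the checks worth running before a CSR goes to the CA, as an added example that is not part of the original post: the key is generated under umask 077 so it never exists with loose permissions, extra hostnames can be appended to the SAN list, and the CSR is then verified for a valid self-signature, a public key that matches the private key file, the presence of the CN in the SAN list, and a key file mode of 0600. The function names, the temporary output directory and the hostnames are placeholders chosen for this example, and it assumes OpenSSL 1.1.1 or newer for -addext.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate a key and a multi-SAN
# CSR, then verify the CSR before handing it to the CA.
# Assumes OpenSSL 1.1.1 or newer. Hostnames and paths are placeholders.
set -eu

# gen_key_csr OUTDIR CN [EXTRA_HOSTNAME...]
# Writes OUTDIR/CN.key and OUTDIR/CN.csr. The CN is always the first SAN;
# any extra hostnames are appended to the SAN list.
gen_key_csr() {
  local outdir=$1 cn=$2
  shift 2
  local san="DNS:${cn}" host
  for host in "$@"; do
    san="${san},DNS:${host}"
  done
  mkdir -p "$outdir"
  # umask 077 in a subshell: the key file is created 0600 from the start,
  # so there is no window where another user could read it.
  ( umask 077
    openssl genrsa -out "${outdir}/${cn}.key" 2048 2>/dev/null
    openssl req -new -sha256 \
      -key "${outdir}/${cn}.key" \
      -out "${outdir}/${cn}.csr" \
      -subj "/C=US/ST=Washington/L=Redmond/O=Org Name/CN=${cn}" \
      -addext "subjectAltName=${san}" )
  chmod 600 "${outdir}/${cn}.key"
}

# verify_csr KEYFILE CSRFILE HOSTNAME
# Returns 0 only if every check passes; the non-zero code says which failed:
#   1 = CSR self-signature invalid (corrupted or tampered request)
#   2 = CSR public key does not match KEYFILE
#   3 = HOSTNAME is not in the CSR's SAN list
#   4 = KEYFILE is not mode 0600
verify_csr() {
  local key=$1 csr=$2 hostname=$3
  # 1. Self-signature check.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  # 2. Key/CSR match: compare the two public keys instead of trusting filenames.
  local k c
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ] || return 2
  # 3. SAN check: pull the DNS: entries out of the decoded request, one per
  #    line, and look for an exact match (browsers ignore the CN for this).
  local sans
  sans=$(openssl req -in "$csr" -noout -text 2>/dev/null \
         | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | tr -d ' ')
  printf '%s\n' "$sans" | grep -qxF "DNS:${hostname}" || return 3
  # 4. Key file must not be group- or world-readable (GNU stat, BSD fallback).
  local mode
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "600" ] || return 4
  return 0
}

# Stand-alone demo: generate into a temporary directory and verify.
demo_dir=$(mktemp -d)
gen_key_csr "$demo_dir" appname.example.com www.appname.example.com
if verify_csr "$demo_dir/appname.example.com.key" \
              "$demo_dir/appname.example.com.csr" appname.example.com; then
  echo "CSR checks passed: $demo_dir/appname.example.com.csr is ready for the CA"
else
  echo "CSR checks FAILED with code $?" >&2
fi
```

The key/CSR comparison in check 2 is the same test you will want again once the signed certificate comes back: swap `openssl req -in ... -pubkey -noout` for `openssl x509 -in cert.pem -pubkey -noout` and the hashes must still match, otherwise the CA signed a request made with a different key.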