What is a CSR and how do I generate one for an SSL/TLS certificate?

A CSR, or Certificate Signing Request, is a message you generate with information about the SSL/TLS certificate you want your SSL/TLS certificate provider to issue.

Using OpenSSL, the req command can generate a new private key and CSR:

1
openssl req -newkey rsa:2048 -nodes -keyout [YOUR_DOMAIN].key -out [YOUR_DOMAIN].csr

Store the private key and CSR in a secure location. If your certificate provider asks what certificate format you prefer, request an “NGiNX/other” format.

If you are unsure which certificates, private keys, and CSRs match each other, you can compare the hashes of the modulus of each:

1
2
3
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in [YOUR_DOMAIN].key | openssl md5
openssl req -noout -modulus -in [YOUR_DOMAIN].csr | openssl md5

Although you can reuse a private key and CSR when renewing an SSL/TLS certificate, we recommend generating a new key.