How to generate certificate signing requests

📘 If you’re unsure about creating certificates or don’t want to manage them, use Aptible’s Managed TLS option!

A Certificate Signing Request (CSR) file contains information about an SSL / TLS certificate you’d like a Certification Authority (CA) to issue. If you’d like to use a Custom Certificate with your Endpoints, you will need to generate a CSR:

Step 1: You can generate a new CSR using OpenSSL’s openssl req command:

openssl req -newkey rsa:2048 -nodes \
        -keyout "$DOMAIN.key" -out "$DOMAIN.csr"

Step 2: Store the private key (the $DOMAIN.key file) and CSR (the $DOMAIN.csr file) in a secure location, then request a certificate from the CA of your choice.

Step 3: Once your CSR is approved, request an “NGiNX / other” format if the CA asks what certificate format you prefer.

​

Matching Certificates, Private Keys and CSRs

If you are unsure which certificates, private keys, and CSRs match each other, you can compare the hashes of the modulus of each:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in "$DOMAIN.key" | openssl md5
openssl req -noout -modulus -in "$DOMAIN.csr" | openssl md5

The certificate, private key and CSR are compatible if all three hashes match. You can use diff3 to compare the moduli from all three files at once:

openssl x509 -noout -modulus -in certificate.crt > certificate-mod.txt
openssl rsa -noout -modulus -in "$DOMAIN.key" > private-key-mod.txt
openssl req -noout -modulus -in "$DOMAIN.csr" > csr-mod.txt
diff3 cert-mod.txt privkey-mod.txt csr-mod.txt

If all three files are identical, diff3 will produce no output.

📘 You can reuse a private key and CSR when renewing an SSL / TLS certificate, but from a security perspective, it’s often a better idea to generate a new key and CSR when renewing.