During SSL setup, if you’re on a Windows-based system, there may be times when you need to generate your Certificate Signing Request (CSR) and Private key outside the Windows keystore. This may be useful, for example, if you want to back up your SSL Certificate or import it to multiple servers. Here are the steps you’ll take to generate a CSR using OpenSSL:
1.1. Click Here and navigate to the Third Party OpenSSL Related Binary Distributions table.
1.2. Select one of the OpenSSL for Windows options by choosing the Description that applies to you.
1.3. Scroll down to the Download Win32/Win64 OpenSSL section. Download the latest Light OpenSSL depending on your Windows version, i.e. ‘Win32’ or ‘Win64’. If you don't know which Windows version you have, download 32-bit OpenSSL.
1.4. Double-click the installer to start the installation, and follow the steps. Once done, you’ll have the OpenSSL application installed on the server.
Note: by default, the OpenSSL base folder will be installed on the C Drive of your PC. It will be named after the OpenSSL version you selected.
2.1. Open Cmd (Windows command line). To do this, press Win+R on your keyboard. Then type cmd and click OK.
2.2. Go to the OpenSSL base folder by running the following command in cmd:
cd *OpenSSL base folder*
Note: the path to the location of the installed OpenSSL base folder in your PC will look something like C:\OpenSSL-Win32 or C:\OpenSSL-Win64.
2.3. Now run the following command in the cmd:
set OPENSSL_CONF=*OpenSSL base folder*\bin\openssl.cfg
2.4. Restart your computer to apply the changes.
3.1. Go to the subfolder \bin of your OpenSSL folder by running this command:
3.2. Generate the CSR code and Private key for your certificate by running this command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server_csr.txt
Note: server.key and server_csr.txt are the Private key and the CSR code files. Feel free to use any file names, as long as you keep the .key and .txt extensions.
Tip: if you want to generate the Private key and CSR code in another location from the start, skip step 3.1. and replace the openssl part of the command with *OpenSSL base folder*\bin\openssl.exe:
*OpenSSL base folder*\bin\openssl.exe req -new -newkey rsa:2048 -nodes -keyout *Some path*\server.key -out *Some path*\server_csr.txt
3.3. Fill in the required fields:
Note: for ‘Email Address’, ‘challenge password’ and ‘optional company name’, simply press Enter to leave them empty, as these are legacy fields.
Alternatively, you can run the following command with all parameters already listed. Replace the default information with the actual values in the command before you copy-paste it to the cmd and press Enter:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server_csr.txt -subj "/C=*Country*/ST=*State or Province*/L=*Locality or City*/O=*Company*/OU=*Organizational unit*/CN=*Common Name*"
3.4. This will create the Private key (.key) and CSR code (.txt) files in *OpenSSL base folder*\bin. Open the CSR file directly with any text editor, or with Notepad using this command:
3.5. Copy the created code, including -----BEGIN CERTIFICATE SIGNING REQUEST----- and -----END CERTIFICATE SIGNING REQUEST----- to activate your SSL Certificate.
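Note: if the CSR was generated this way but the certificate needs to be installed on a Windows server (e.g. IIS), you’ll need to generate the PFX file from the certificate and Private key. The pkcs12 command reads PEM certificates, not a PKCS#7 (.p7b) bundle, so extract the certificates from the .p7b file first and then build the PFX:
openssl pkcs7 -print_certs -in *your certificate*.p7b -out *your certificate*.pem
openssl pkcs12 -export -out *your certificate*.pfx -inkey server.key -in *your certificate*.pem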
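An added example, not part of the original guide: a batch script that checks the files from step 3.2 before the CSR is submitted in step 3.5. It assumes openssl.exe can be run from the current prompt and that the names server.key and server_csr.txt were kept; the temporary file names are illustrative.

```bat
@echo off
rem Added example (not from the original guide): pre-submission checks for the
rem key and CSR created in step 3.2. Assumes openssl.exe is reachable from this
rem prompt and the file names server.key / server_csr.txt are unchanged.
setlocal
set "KEY=server.key"
set "CSR=server_csr.txt"

rem 1. The CSR must carry a valid self-signature. Match the status text
rem    instead of relying on the exit code.
openssl req -in "%CSR%" -noout -verify 2>&1 | findstr /c:"verify OK" >nul
if errorlevel 1 (
    echo [FAIL] %CSR% is damaged or is not a CSR.
    exit /b 1
)

rem 2. The RSA private key must be internally consistent.
openssl rsa -in "%KEY%" -noout -check 2>&1 | findstr /c:"RSA key ok" >nul
if errorlevel 1 (
    echo [FAIL] %KEY% did not pass the RSA consistency check.
    exit /b 1
)

rem 3. The public key inside the CSR must be the one derived from the key
rem    file; otherwise the issued certificate will not pair with this key.
openssl req -in "%CSR%" -noout -pubkey > "%TEMP%\csr_pub.pem"
openssl pkey -in "%KEY%" -pubout > "%TEMP%\key_pub.pem"
fc "%TEMP%\csr_pub.pem" "%TEMP%\key_pub.pem" >nul
set "MATCH=%errorlevel%"
del "%TEMP%\csr_pub.pem" "%TEMP%\key_pub.pem"
if not "%MATCH%"=="0" (
    echo [FAIL] %CSR% was not generated from %KEY%.
    exit /b 1
)

rem 4. Print the subject so typos in C/ST/L/O/OU/CN are caught before the
rem    CSR is sent to the certificate authority.
openssl req -in "%CSR%" -noout -subject
echo [OK] CSR signature, key consistency and key/CSR match verified.
endlocal
```

Because -nodes writes server.key unencrypted, run the check in the folder where the key will stay and avoid copying the key elsewhere just to test it.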