PKI Toolkit
CSR Generator

Build an OpenSSL command to generate your CSR — on your own server

Fill in your certificate details and get a single OpenSSL command back. Run it on the server (or workstation) that will hold the certificate, and it creates a new private key and CSR together, right there — nothing is generated on this page.

This page only builds command text — no key or CSR is ever generated in your browser

Do not use a web-based CSR generator

Creating a CSR always means creating a private key first, and that key must never leave the machine that generated it. A website that offers to "generate your CSR" for you has to generate that private key somewhere — on its own servers, or in a browser tab you can't fully audit — which means a key that should be yours alone may be retained, logged, or cached by a site you don't control.

This tool only produces the command below as text. Copy it and run it yourself with OpenSSL, so the private key is generated, and stays, on your own infrastructure.

Certificate details

Only the Common Name is required — everything else is optional but recommended by most CAs.

Subject Alternative Names (SANs): comma-separated hostnames and/or IP addresses. Most CAs now require the CN to also appear here.
ECDSA options require OpenSSL 1.1.1 or newer — run openssl version to check.

What this command does

Every flag in the generated command, in plain English:

  • MSYS_NO_PATHCONV=1 — only matters on Windows Git Bash. It stops Git Bash from "helpfully" rewriting -subj "/C=.../CN=..." into a Windows file path, which otherwise breaks the command. It's a harmless no-op on Linux, macOS, and PowerShell.
  • openssl req -new — start building a new certificate request.
  • -newkey rsa:2048 (or an ECDSA equivalent) — generate a brand-new private key at the same time.
  • -nodes — store the key without a passphrase, so a server process can read it without asking. Omit this (checkbox above) if you'll enter a passphrase by hand.
  • -keyout server.key — the file your new private key is written to. Keep this file private and restrict who can read it.
  • -out server.csr — the file your CSR is written to. This is the file you send to your Certificate Authority.
  • -subj "/C=.../CN=..." — fills in your identity fields without an interactive prompt.
  • -addext "subjectAltName=..." — lists every additional hostname or IP this certificate should cover. Requires OpenSSL 1.1.1 or newer.

Installing OpenSSL

Most Linux and macOS systems already have OpenSSL installed. Check first with openssl version.

Linux (Debian / Ubuntu)

sudo apt update
sudo apt install -y openssl

Fedora / RHEL / CentOS: sudo dnf install -y openssl

macOS

brew install openssl@3

macOS ships with LibreSSL by default; Homebrew's OpenSSL 3 is closer to what most servers run and supports every flag on this page.

Windows

winget install ShiningLight.OpenSSL

Alternatively, install Git for Windows, which bundles OpenSSL and makes it available in Git Bash.

Why generate it yourself

The private key is the whole point

A certificate is only as trustworthy as the private key behind it. Generating the key and CSR together, locally, with OpenSSL, means the key is created exactly once, in exactly one place — the server that will use it — with no copy ever transiting a third-party website.

Next step

Check your work before submitting

Once OpenSSL creates your .csr file, paste its contents into the CSR Decoder to confirm the subject and SANs are exactly right before you send it to your CA.

After the CA responds

Confirm the certificate matches

When your CA returns a signed certificate, run it through the Certificate & CSR Validator alongside this CSR to confirm they share the same key pair.
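
The two checks above (subject and SANs before submission, then certificate and CSR sharing one key pair) can also be run locally with OpenSSL, next to the key. This is an added example, not output of this tool; the subject values, hostnames, 192.0.2.10 and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example; subject, hostnames and 192.0.2.10 are constructed placeholders.

# Create key + CSR in one step with the flags explained in the list above.
# $1 = output directory, $2 = Common Name, $3 = subjectAltName value
make_csr() (
  umask 077   # files created here, including server.key, are owner-only
  MSYS_NO_PATHCONV=1 openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=US/O=Example Org/CN=$2" -addext "subjectAltName=$3"
)

# SHA-256 of a PEM public key on stdin, hashed as DER so formatting cannot differ.
spki_hash() {
  openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Public-key fingerprint of a CSR, a private key, or a certificate ($1 = file).
# Each prints nothing and fails if the file cannot be parsed.
csr_pubkey_hash()  ( p=$(openssl req  -in "$1" -noout -pubkey) || exit 1; printf '%s\n' "$p" | spki_hash )
key_pubkey_hash()  ( p=$(openssl pkey -in "$1" -pubout)        || exit 1; printf '%s\n' "$p" | spki_hash )
cert_pubkey_hash() ( p=$(openssl x509 -in "$1" -noout -pubkey) || exit 1; printf '%s\n' "$p" | spki_hash )

# True only when both fingerprints are non-empty and equal.
same_key() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# True when the CSR's self-signature verifies against the key it contains.
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# The SAN line as the CA will read it ($1 = CSR file).
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Demo in a throwaway directory, removed afterwards.
dir=$(mktemp -d) && make_csr "$dir" example.com \
  "DNS:example.com,DNS:www.example.com,IP:192.0.2.10" || exit 1
csr_signature_ok "$dir/server.csr" && echo "CSR self-signature: OK"
echo "SANs: $(csr_sans "$dir/server.csr")"
same_key "$(csr_pubkey_hash "$dir/server.csr")" "$(key_pubkey_hash "$dir/server.key")" \
  && echo "CSR and private key are one key pair"
rm -rf "$dir"
```

When the CA returns the certificate, `same_key "$(cert_pubkey_hash server.crt)" "$(csr_pubkey_hash server.csr)"` performs the same comparison for the issued certificate.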