Build an OpenSSL command to generate your CSR — on your own server
Fill in your certificate details and get a single OpenSSL command back. Run it on the server
(or workstation) that will hold the certificate, and it creates a new private key and CSR
together, right there — nothing is generated on this page.
This page only builds command text — no key or CSR is ever generated in your browser
Do not use a web-based CSR generator
Creating a CSR always means creating a private key first, and that key must never leave the
machine that generated it. A website that offers to "generate your CSR" for you has to generate
that private key somewhere — on its own servers, or in a browser tab you can't fully audit —
which means a key that should be yours alone may be retained, logged, or cached by a site you
don't control.
This tool only produces the command below as text. Copy it and run it yourself with OpenSSL, so
the private key is generated, and stays, on your own infrastructure.
Certificate details
Only the Common Name is required — everything else is optional but recommended by most CAs.
Subject Alternative Names (SANs): comma-separated hostnames and/or IP addresses. Most CAs now require the CN to also appear here.
ECDSA options require OpenSSL 1.1.1 or newer — run openssl version to check.
Run this on your server
On Windows Git Bash, the -subj value can get silently rewritten into a file
path. The MSYS_NO_PATHCONV=1 prefix on the generated command prevents that. It's safe to
leave in on Linux, macOS, and PowerShell.
What this command does
Every flag in the generated command, in plain English:
MSYS_NO_PATHCONV=1 — only matters on Windows Git Bash. It stops Git Bash from "helpfully" rewriting -subj "/C=.../CN=..." into a Windows file path, which otherwise breaks the command. It's a harmless no-op on Linux, macOS, and PowerShell.
openssl req -new — start building a new certificate request.
-newkey rsa:2048 (or an ECDSA equivalent) — generate a brand-new private key at the same time.
-nodes — store the key without a passphrase, so a server process can read it without asking. Omit this (checkbox above) if you'll enter a passphrase by hand.
-keyout server.key — the file your new private key is written to. Keep this file private and restrict who can read it.
-out server.csr — the file your CSR is written to. This is the file you send to your Certificate Authority.
-subj "/C=.../CN=..." — fills in your identity fields without an interactive prompt.
-addext "subjectAltName=..." — lists every additional hostname or IP this certificate should cover. Requires OpenSSL 1.1.1 or newer.
Installing OpenSSL
Most Linux and macOS systems already have OpenSSL installed. Check first with openssl version.
macOS ships with LibreSSL by default; Homebrew's OpenSSL 3 is closer to what most servers run and supports every flag on this page.
Windows
winget install ShiningLight.OpenSSL
Alternatively, install Git for Windows, which bundles OpenSSL and adds it to "Git Bash".
Why generate it yourself
The private key is the whole point
A certificate is only as trustworthy as the private key behind it. Generating the key and CSR
together, locally, with OpenSSL, means the key is created exactly once, in exactly one place —
the server that will use it — with no copy ever transiting a third-party website.
Next step
Check your work before submitting
Once OpenSSL creates your .csr file, paste its contents into the
CSR Decoder to confirm the subject and SANs are exactly right
before you send it to your CA.
After the CA responds
Confirm the certificate matches
When your CA returns a signed certificate, run it through the
Certificate & CSR Validator alongside this CSR to
confirm they share the same key pair.
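The flags explained above, put together as an added example (not output of this tool or code from this site), followed by local OpenSSL checks of the subject, the SANs, and that the key and CSR carry the same public key. The function names and the values www.example.test, example.test and 192.0.2.10 are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Hostnames and addresses are constructed placeholders;
# san_list, make_csr and check_csr are hypothetical helper names.

# Turn "a.test, 192.0.2.10" into "DNS:a.test,IP:192.0.2.10" and make sure the
# Common Name is listed too. Runs in a subshell so IFS/noglob do not leak.
san_list() (
    cn=$1
    names=$(printf '%s' "${2:-}" | tr -d ' ')
    case ",$names," in
        *",$cn,"*) ;;
        *) names="$cn${names:+,$names}" ;;
    esac
    set -f          # keep "*.example.test" from being glob-expanded
    IFS=,
    out=
    for n in $names; do
        [ -n "$n" ] || continue
        case $n in
            *:*)        t=IP ;;    # IPv6 literal
            *[!0-9.]*)  t=DNS ;;   # anything with letters, "-" or "*"
            *)          t=IP ;;    # digits and dots only: IPv4
        esac
        out="${out:+$out,}$t:$n"
    done
    printf '%s\n' "$out"
)

# Create server.key and server.csr in the current directory.
make_csr() (
    umask 077       # the key file is created readable by its owner only
    MSYS_NO_PATHCONV=1 openssl req -new -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr \
        -subj "/CN=$1" -addext "subjectAltName=$(san_list "$1" "${2:-}")"
)

# Local checks: CSR self-signature, subject and SANs, and key/CSR match.
check_csr() {
    openssl req -in server.csr -noout -verify -subject || return 1
    openssl req -in server.csr -noout -text | grep -A1 'Subject Alternative Name'
    key_pub=$(openssl pkey -in server.key -pubout | openssl sha256)
    csr_pub=$(openssl req -in server.csr -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$csr_pub" ]
}
```

Source the file on the machine that will hold the certificate, then run make_csr www.example.test "example.test,192.0.2.10" && check_csr; only server.csr is sent to the CA.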