SSL Certificate Signing Request Tool

Requesting a certificate made simple

Certificate Signing Request Details


This will show the command line dynamically whenever you type the text on the above entry box.

This will show the command line dynamically whenever you type the text on the above entry box.

This will show the command line dynamically whenever you type the text on the above entry box.

This will show the command line dynamically whenever you type the text on the above entry box.

This will show the command line dynamically whenever you type the text on the above entry box.

This will show the command line dynamically whenever you type the text on the above entry box.


What is a Certificate Request? +

For a Certificate Authority to issue you a certificate you must provide them with the information that you believe belongs in that certificate request. The most important piece of information being the public key that your server will use to identify itself. The Certificate Request (sometimes called a CSR or PKCS10) is how you provide that public key and prove you have the corresponding private key. To help identify which server a certificate request is for it can also include additional information such as the fully qualified host name of the server or the name of the legal entity who possesses the associated private key.

How do I generate a Certificate Request? +

Each application stores its certificates and private keys in different ways, meaning that you often need to use a different tool to generate the certificate request for each application. Although it is not normally required, the easiest way to do this is to generate the certificate request on the server you will use the certificate on. This page helps you to generate the appropriate command line for each of your applications. Simply fill out the required fields above and it will provide you with example command lines for common applications. If your application is not listed, check the help documentation from your Certificate Authority or the application documentation for guidance on how to generate the certificate signing request.

How do I know the key length I should use? +

The larger the private key the stronger it is, unfortunately the larger it is the slower the cryptographic operations with that key will be. Though techniques for cryptanalysis are often improving at this time, the general consensus is that RSA keys with a key length of 2048 are sufficiently strong.

How do I keep my private key secure? +

There are a few things you need to keep in mind when thinking about the security of your private key:

  1. Are you using the latest version of the certificate request tool? There have been vulnerabilities in the way private keys are generated. Making sure you are using the most recent version helps ensure you are not using a known vulnerable key generation process.
  2. Does the environment you are generating the certificate request in have a good source of random numbers? The security of the key generation process is very dependent on the quality of the random numbers available to the application generating the key. For example, if the certificate request is being generated in a embedded system it may produce predictable random numbers. If you are not confident about the quality of the random numbers your device uses, generate your certificate request on a different machine.
  3. Who has access to the private key? Anyone who gets a copy of your private key will be able to impersonate your server. You want to ensure you password protect and/or use ACLs to reduce who can have access to the private key.