
Create a certificate signing request (CSR)

What is a CSR needed for?

In order to have an SSL certificate issued, the first step is to create a so-called CSR. CSR stands for “Certificate Signing Request” and represents a digital request for the issuance of an SSL certificate.

Order SSL certificate via Nine

If you order an SSL certificate directly through Nine for one of our managed products, the creation of a CSR is not required.

Creating a CSR is only required if you wish to obtain an SSL certificate for root products or through a third party.

Where should the CSR be created?

The CSR (and private key) can be generated on your web server. This also ensures that the private key does not leave the secure environment of the server.

Preparation

To create the CSR, we use OpenSSL in this description. If the program is not available on your root environment, it must be installed first. On managed environments, the program is part of the basic configuration.

Note: The following description uses the default directories of our managed environments. Please adapt them for root environments according to your needs.

After logging in to the server (via SSH) we change the working directory using cd /home/www-data/.ssl/.

This path cannot be reached directly via a web server and prevents the “private key” from accidentally becoming public.

If the directory does not exist yet, it must be created beforehand using mkdir /home/www-data/.ssl/.

Creation of the CSR

OpenSSL can be used interactively and asks for all necessary parameters. The following command is used to create both the CSR and the associated “private key” for the domain example.ch.

openssl req -sha256 -newkey rsa:4096 -nodes -keyout SSL_example.ch.key -out SSL_example.ch.csr

The following output will now appear on your screen:

Generating a RSA private key
.............................................................+++++
.................................................+++++
writing new private key to 'SSL_example.ch.key'.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

You will now be asked questions about the details of the content of your CSR.

The use of umlauts, special characters (e.g. accents in French) and abbreviations should be avoided at all costs.

Country Name

Enter the two-letter country code according to ISO 3166 (CH = Switzerland).

Country Name (2 letter code) [AU]:CH

State or Province Name

The canton/province where the person or company for which the CSR is created is registered must be entered here.

State or Province Name (full name) [Some-State]:Zuerich

Locality Name

Enter the city / town here.

Locality Name (eg, city) []:Zuerich

Organization Name

Enter your company or association name here. If the certificate is to be issued to a natural person, enter the full name of the person.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Schweizer AG

Organizational Unit Name

Enter your department (if relevant) here. The field can be left blank and the request confirmed with Enter.

Organizational Unit Name (eg, section) []:

Common Name

Specify the domain name to be protected by the certificate (or *.example.ch for wildcard certificates).

Standard certificates usually automatically include the subdomain “www”. However, this does not apply to multi-domain certificates. If you want to obtain your certificate via a third-party provider, please clarify the exact conditions with the provider in advance.

Wildcard certificates cover one subdomain level.
For example, *.example.ch includes www.example.ch and staging.example.ch, but not www.staging.example.ch.
www.staging.example.ch would be covered by a wildcard certificate for *.staging.example.ch.

The SSL certificate can later only be used for the domain entered here.

Common Name (e.g. server FQDN or YOUR name) []: example.ch

Email Address

Enter the email address of a responsible person here.

Email Address []:hostmaster@example.ch

Password / An optional company name

This information is optional and should be left blank, otherwise your web server may not start automatically.

For use on our managed products it is mandatory that the “Private Key” is not password protected.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The creation of the CSR and the corresponding private key is now complete. The two files SSL_example.ch.csr and SSL_example.ch.key have been created.

You can now send the CSR to us. We will then initiate the issuance of your desired certificate.

The “Private Key” should be kept in a safe place. This is needed for the later setup of the certificate, e.g. in a web server.
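
The steps above can also be run without prompts, and the result checked before the CSR is sent. The following script is an added example, not part of the original instructions: the function names make_csr and check_csr are hypothetical, the subject values are the sample answers from the walkthrough, and the openssl program is assumed to be installed.

```sh
#!/bin/sh
# Added example, not Nine's own tooling. Assumes the openssl CLI is installed.
# make_csr and check_csr are hypothetical helper names.

# make_csr DIR DOMAIN [BITS]: write SSL_DOMAIN.key and SSL_DOMAIN.csr into DIR.
make_csr() (
    dir=$1 domain=$2 bits=${3:-4096}
    umask 077    # a newly created directory gets mode 0700, the key file 0600
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Same options as the interactive command. -subj answers the DN questions
    # with the sample values from the walkthrough (no e-mail address, no
    # challenge password), so nothing is prompted.
    openssl req -sha256 -newkey "rsa:$bits" -nodes \
        -subj "/C=CH/ST=Zuerich/L=Zuerich/O=Schweizer AG/CN=$domain" \
        -keyout "SSL_$domain.key" -out "SSL_$domain.csr"
)

# check_csr DIR DOMAIN: return 0 if all checks pass, else the failed check number.
check_csr() {
    key="$1/SSL_$2.key" csr="$1/SSL_$2.csr"
    # 1. The CSR's self-signature is valid. The message is matched because
    #    some older OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The public key in the CSR belongs to the private key on disk.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 2
    # 3. The Common Name is the domain the certificate is meant for.
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
        grep -qF "CN=$2," || return 3
    # 4. The private key is not password protected (the effect of -nodes).
    if grep -q ENCRYPTED "$key"; then return 4; fi
    # 5. Only the owner can read or write the private key.
    [ -n "$(find "$key" -perm 600)" ] || return 5
}
```

Call make_csr /home/www-data/.ssl example.ch followed by check_csr /home/www-data/.ssl example.ch; a non-zero return value is the number of the check that failed.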
