What is a CSR needed for?
In order to have an SSL certificate issued, the first step is to create a so-called CSR. CSR stands for “Certificate Signing Request” and represents a digital request for the issuance of an SSL certificate.
Order SSL certificate via Nine
If you order an SSL certificate directly through Nine for one of our managed products, the creation of a CSR is not required.
Creating a CSR is only required if you wish to obtain an SSL certificate for root products or through a third party.
Where should the CSR be created?
The CSR (and private key) can be generated on your web server. This also ensures that the private key does not leave the secure environment of the server.
To create the CSR, we use OpenSSL in this description. If the program is not available on your root environment, it must be installed first. On managed environments, the program is part of the basic configuration.
The following description uses default directories of our managed environments. Please adapt them for root environments according to your needs.
After logging in to the server (via SSH) we change the working directory using
This path cannot be reached directly via a web server and prevents the “private key” from accidentally becoming public.
If the directory does not exist yet, it must be created beforehand using
Creation of the CSR
OpenSSL can be used interactively and asks for all necessary parameters. The following command is used to create both the CSR and the associated “private key” for the domain
openssl req -sha256 -newkey rsa:4096 -nodes -keyout SSL_example.ch.key -out SSL_example.ch.csr
The following output will now appear on your screen:
Generating a RSA private key
.............................................................+++++
.................................................+++++
writing new private key to 'SSL_example.ch.key'.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
You will now be asked questions about the details of the content of your CSR.
The use of umlauts, special characters (e.g. accents in French) and abbreviations should be avoided at all costs.
Enter the 2-digit country code according to ISO 3166 (CH = Switzerland).
Country Name (2 letter code) [AU]:CH
State or Province Name
The canton/province where the person or company for which the CSR is created is registered must be entered here.
State or Province Name (full name) [Some-State]:Zuerich
Enter the city / town here.
Locality Name (eg, city) :Zuerich
Enter your company or association name here. If the certificate is to be issued to a natural person, enter the full name of the person.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Schweizer AG
Organizational Unit Name
Enter your department (if relevant) here. The field can be left blank and the request confirmed with Enter.
Organizational Unit Name (eg, section) :
Specify the domain name to be protected by the certificate (or *.example.ch for wildcard certificates).
Standard certificates usually automatically include the subdomain “www”. However, this does not apply to multi-domain certificates. If you want to obtain your certificate via a third-party provider, please clarify the exact conditions with the provider in advance.
Wildcard certificates cover a single subdomain level: staging.example.ch, but not www.staging.example.ch, would be covered with a wildcard certificate for *.example.ch.
The SSL certificate can later only be used for the domain deposited here.
Common Name (e.g. server FQDN or YOUR name) : example.ch
Enter the email address of a responsible person here.
Email Address :email@example.com
Password / An optional company name
This information is optional and should be left blank, otherwise your web server may not start automatically.
For use on our managed products it is mandatory that the “Private Key” is not password protected.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
The creation of the CSR and the corresponding private key is now complete. The two files SSL_example.ch.csr and SSL_example.ch.key have been created.
You can now send the CSR to us; we will then initiate the issuance of your desired certificate.
The “Private Key” should be kept in a safe place. This is needed for the later setup of the certificate, e.g. in a web server.
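Before the CSR is sent, the two files can be checked on the server. The following script is an added example, not part of the original instructions; its function names are hypothetical and the file names follow the example above. It confirms that the private key is not password protected and not readable by other users, that the CSR was created from that key, and that the Common Name is the intended domain.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR/key pair.
# Function names are hypothetical; file names follow the page's example.

# SHA-256 of the DER-encoded public key inside a CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -passin pass: -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Common Name recorded in the CSR subject.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_csr KEY CSR DOMAIN: returns 0 only if every check passes.
check_csr() {
    key=$1 csr=$2 domain=$3
    # Key must not be passphrase protected (PEM header carries ENCRYPTED).
    if grep -q ENCRYPTED "$key"; then echo "key is encrypted"; return 1; fi
    # Key must not be accessible to group or others.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key permissions too open"; return 1
    fi
    # CSR self-signature; match on text because older OpenSSL exits 0 on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "CSR signature invalid"; return 1
    fi
    # CSR must have been created from this private key.
    if [ "$(csr_pubkey_hash "$csr")" != "$(key_pubkey_hash "$key")" ]; then
        echo "CSR does not match key"; return 1
    fi
    if [ "$(csr_common_name "$csr")" != "$domain" ]; then
        echo "unexpected Common Name"; return 1
    fi
    echo "OK: $csr"
}

# Run as: sh check_csr.sh SSL_example.ch.key SSL_example.ch.csr example.ch
if [ "$#" -eq 3 ]; then check_csr "$@"; fi
```

If the permission check fails, `chmod 600` on the key file restricts it to its owner.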