How-to guide

Generate a CSR with OpenSSL on Windows

A Certificate Signing Request (CSR) contains your public key and identity information. You submit it to a Certificate Authority (CA) to obtain a signed TLS certificate. This guide covers the full workflow on Windows.

Make sure OpenSSL is installed and on PATH. If openssl is not recognized, see Add to PATH. For the two-step method you will also need an existing RSA or ECDSA private key (see Generate RSA key); the one-step method creates the key for you.

One-step: generate key + CSR together

This creates a new 2048-bit RSA key and a CSR in a single command — the fastest approach for most use cases:

cmd.exe
C:\certs> openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr
Generating a RSA private key
..........+++
You are about to be asked to enter information...
Country Name (2 letter code) [AU]: US
State or Province Name [Some-State]: California
Locality Name []: San Francisco
Organization Name []: Example Corp
Organizational Unit Name []: IT
Common Name []: example.com
Email Address []: admin@example.com

This produces two files: private.key (keep this secret) and request.csr (submit to your CA). The -nodes flag writes private.key without passphrase encryption, so restrict access to the file.

Two-step: existing key + new CSR

If you already have a private key, generate only the CSR from it:

cmd.exe
REM You already have private.key from a previous step:
C:\certs> openssl req -new -key private.key -out request.csr
You are about to be asked to enter information...
Common Name []: example.com

Generate CSR without prompts (scripts / CI)

Use the -subj flag to pass all subject fields on the command line. Useful for automation:

cmd.exe
C:\certs> openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr ^
-subj "/C=US/ST=California/L=San Francisco/O=Example Corp/CN=example.com"

In PowerShell, replace ^ with a backtick ` for line continuation.

CSR with SAN extensions

Modern browsers require Subject Alternative Names (SAN). Generate a CSR with SANs using a config file:

First create san.cnf in your working directory:

san.cnf
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
C=US
ST=California
O=Example Corp
CN=example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com

Then generate the CSR:

cmd.exe
C:\certs> openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr -config san.cnf

Inspect the CSR before submitting

Always verify the CSR contents before sending it to a CA:

cmd.exe
C:\certs> openssl req -in request.csr -noout -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C=US, ST=California, O=Example Corp, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

Confirm that the CN (Common Name), Organization and SAN values are exactly correct before submitting. A wrong CSR means a wrong certificate.
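
For scripted or CI use, the inspection step above can be automated. The PowerShell script below is an added example, not part of the original guide; it assumes openssl is on PATH, an unencrypted key (-nodes), and the file names and SAN list from the san.cnf example. Beyond the inspection shown above, it also confirms that the CSR carries the public half of private.key.

```powershell
# Added example, not from the original guide: pre-submission check for a CSR.
# Assumptions: openssl on PATH, unencrypted RSA key, names as in san.cnf above.
param(
    [string]   $Csr          = 'request.csr',
    [string]   $Key          = 'private.key',
    [string[]] $ExpectedSans = @('example.com', 'www.example.com', 'api.example.com'),
    [int]      $MinRsaBits   = 2048
)

$problems = @()
$text = (& openssl req -in $Csr -noout -text) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $Csr" }

# 1. The CSR must carry the public half of the key you intend to deploy.
#    -cne is a case-sensitive compare; base64 differs by case.
$csrPub = (& openssl req  -in $Csr -noout -pubkey) -join "`n"
$keyPub = (& openssl pkey -in $Key -pubout)        -join "`n"
if ($csrPub -cne $keyPub) { $problems += "Public key in $Csr does not match $Key" }

# 2. Key size, read from the "Public-Key: (N bit)" line of the -text output.
if ($text -match 'Public-Key: \((\d+) bit\)') {
    $bits = [int]$Matches[1]
    if (($text -match 'rsaEncryption') -and ($bits -lt $MinRsaBits)) {
        $problems += "RSA key is $bits bits, expected at least $MinRsaBits"
    }
} else {
    $problems += 'Could not read the key size from the CSR'
}

# 3. SAN list: every expected name present, nothing unexpected.
$sans = @([regex]::Matches($text, 'DNS:([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
if ($sans.Count -eq 0) { $problems += 'No SAN DNS entries found (was -config san.cnf used?)' }
foreach ($n in $ExpectedSans) { if ($sans -notcontains $n) { $problems += "Missing SAN: $n" } }
foreach ($n in $sans) { if ($ExpectedSans -notcontains $n) { $problems += "Unexpected SAN: $n" } }

# 4. The CN should also be listed as a SAN.
if ($text -match 'Subject:.*?CN\s*=\s*([^,\r\n]+)') {
    $cn = $Matches[1].Trim()
    if ($sans -notcontains $cn) { $problems += "CN '$cn' is not listed as a SAN" }
} else {
    $problems += 'No CN found in the CSR subject'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$Csr OK: $bits-bit key, SANs = $($sans -join ', ')"
```

A CSR produced by the -subj command earlier in this guide fails check 3, because that command adds no SAN extension.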

CSR questions

What is the Common Name field?
The Common Name (CN) should be the primary domain name the certificate will protect, e.g. example.com. For wildcard certificates, use *.example.com. Modern certificates rely on SAN extensions for domain validation, but the CN is still required.

Do I need to keep the private key secret?
Yes. The private key (private.key) must never be shared. Only the CSR (request.csr) is sent to the CA. Anyone with your private key can impersonate your server.

What file do I send to the CA?
Send only the request.csr file to your CA. The CSR contains your public key and subject information — no private key material. The CA will return a signed certificate.

Can I reuse an existing private key for a new CSR?
Yes. Use the two-step method: openssl req -new -key existing.key -out new.csr. Many organizations reuse keys when renewing certificates, though generating a new key with each renewal is better security practice.
