1. Home
  2. Knowledge Base
  3. SSL Certificate Guides
  4. Generate CSR
  5. Apache & NGINX
  6. How to Generate a CSR for an Apache or NGINX Web Server with OpenSSL (ECC)

How to Generate a CSR for an Apache or NGINX Web Server with OpenSSL (ECC)


To generate a Certificate Signing Request (CSR) for an Apache or Nginx Webserver, perform the following steps. When you have completed this process, you will have a CSR ready to submit to Trustzone in order to be generated into a SSL Security Certificate

Generating the key pair

The utility “OpenSSL” is used to generate both Private Key (key) and Certificate Signing Request (CSR). OpenSSL is usually installed under (/usr/local/ssl). If you have a custom install, you will need to adjust these instructions appropriately.

Note: Change mydomain.com to the website you wish to create the CSR for

Browse to a folder where you like to generate your keypair. It is recommended to generate the key pair in a directory with locked down permissions. (We recommend setting the permission to 600 on the private key).

Note: If you are using OpenSSL on Windows, please navigate to your OpenSSL “bin” directory and open a command prompt.

Type the following command at the prompt in OpenSSL (type openssl in unix systems):
ecparam –out www.mydomain.com.key -name prime256v1 -genkey

Note: If you wish to use a passphrase with your private key you can include “-des3” in the command. You will then be prompted for a passphrase. Please keep the passphrase in a safe location as it cannot be recovered. If the passphrase is lost, you must generate a new key pair.

A NIST P-256 ECC private key will be generated and stored in the file “www.mydomain.com.key”

Generating the CSR

Type the following command at the prompt in OpenSSL:
req –new –key www.mydomain.com.key –out www.mydomain.com.csr

NoteYou will be prompted for the PEM Pass Phrase if you included the “-des3” command. Type it in now.

Note: There is a known issue with Apache/OpenSSL Windows-based installations. If you receive an error with the above command, please enter the following:
req -new -key www.mydomain.com.key -out www.mydomain.com.csr -config openssl.cnf

Input the information for the Certificate Signing Request. This information will be displayed in the certificate:

Common Name: Must match the URL you plan to secure exactly – is usually your fully-qualified domain name (e.g. trustzone.dk or mail.trustzone.dk). Remember the www. Is important – include it if you want to secure https://www.mydomain.com & exclude it if you want to secure https://mydomain.com

Organization: The legal (officially registered) name of your organization/company include Inc., LLP., Pvt, Plc. Ltd. SARL., etc

Organizational unit: The name of your department within the organization (this is often “IT,” “Web,” or is just left blank)

City/locality: The city or town in which your organization is located

State/Province: The state in which your organization is located

Country: Click here for the official list of ISO country codes for this field

Note: Do NOT enter the following: “Email Address”; “A challenge password” or ”An optional company name”:

How to Generate a CSR for an Apache or NGINX Web Server with OpenSSL (ECC)

Please verify the CSR, to ensure all information is correct. Use the following command:
req -noout -text -in www.mydomain.com.csr

The CSR will now be created and can be submitted via the website-

You are now ready to submit your CSR for the certificate you wish to install.


Was this article helpful?