How to Generate a CSR for SSL Certificates on Linux

Method 1 - Automated

These instructions will generate a certificate automatically on a TXST-hosted server without having to use the request form.

NOTE: All domain names specified must be valid DNS records that resolve to the server you’re running certbot on. 

EXAMPLE: Webfiles.txstate.edu can request a certificate for webfiles.txst.edu, but not www.txst.edu.

  1. Run one of the following commands to generate your certificate.
    Type Command Example
    Single Domain certbot certonly --domains <your_fqdn> certbot certonly --domains example1.tr.txstate.edu
    Multiple Domain certbot certonly --domains <your_fqdn>, <your_fqdn2> certbot certonly --domains example1.tr.txstate.edu, example.txstate.edu

  2. Certificates are generated in the /etc/certificates/live directory with a specific directory per certificate. 

    ssl example

    Example Apache Confirguration:
    SSLCertificateFile /etc/certificates/live/example1.tr.txstate.edu/cert.pem
    SSLCertificateKeyFile /etc/certificates/live/example1.tr.txstate.edu/privkey.pem
    SSLCertificateChainFile /etc/certificates/live/example1.tr.txstate.edu/chain.pem

Method 2 - Manual

If you are unable to use an automated certificate, these instructions will generate a certificate signing request that you may submit via the request form to get approved.

  1. Open the command line as an administrator. Enter this into the box:
    openssl req -new -newkey rsa:4096 -nodes -subj '/C=US/ST=Texas/L=San Marcos/O=Texas State University/emailAddress=systemsteam@txstate.edu/CN=<your_server_fqdn>' -keyout /etc/pki/tls/private/server.key -out /etc/pki/tls/private/server.csr && chmod 0600 /etc/pki/tls/private/server.key 

    NOTE: For <your_server_fqdn> please use the fully qualified server hostname. If you need to add multiple SANs (Subject Alternative Names), you may list them later during the ITAC SSL request process.
     
  2. Press Enter. A file named server.csr will be created.

    NOTE: The server.csr file contains your certificate request. To copy and paste the information, type cat /etc/pki/tls/private/server.csr and press Enter.