If you want to install an SSL/TLS certificate, you might need to create a Certificate Signing Request (CSR). This ensures you obtain your SSL/TLS certificate safely.
In this article, you learn how to create a private key locally on your computer, so your certificate reseller doesn't have to send you the private key over the internet.
💡 With a CSR, you can obtain an SSL/TLS certificate to secure your custom domain manually. Read all about it in our article Manually configure SSL/TLS for a custom domain.
In this article
What is a CSR?
A Certificate Signing Request (CSR) is a file that contains information about your company and your (sub)domain, which is required by most certificate resellers (Certificate Authority or CA) to create a certificate for you.
A CSR is actually a request to get a certificate that is created and digitally signed by a CA, without having to send the private key over the internet.
What is a private key?
The private key decrypts the data that the CSR file has encrypted. You will use the private key when uploading your certificate and intermediates to your project in Foleon. As the name suggests, the private key is meant to keep private on your computer.
⚠️ Sending the private key over the internet can be dangerous for the security of your certificate.
How to create a CSR and Private Key
⚠️ The information provided in the terminal when creating the CSR needs to match the information you provide to the certificate reseller. It also needs to match with the domain you provide in your project in Foleon.
In the image below, you can see what this process looks like in the terminal.
Follow the steps below to create a CSR and private key file. After each step, press enter to go to the next line in the terminal.
Step 1 — Open the terminal on your computer and place the following code in there:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Step 2 — Provide the needed information about your company and subdomain.
For example, we have included the CSR information for our Foleon HQ. Replace this with your own company information:
Country Name (2 letter code) - NL
State or Province Name (full name) - Noord-Holland
Locality Name (eg, city) - Amsterdam
Organization Name (eg, company) - Foleon
Organizational Unit Name (eg, section / department) - Support
Common Name (eg, fully qualified hostname) - my.ebook.com
It's important to type the hostname in lower case characters (in the example my.ebook.com). It can otherwise not be read correctly by the services that work with this information.
⚠️ We currently can't accept wildcard domains in the Subject Alternative Name (SAN). So *.domain.com can be used as a certificate's common name, but can't be only included as a SAN without being included as the common name.
Step 3 — The server can not read the "Email" and "Password" information. You can leave these empty by For email and password; The server cannot read this information, so you can leave these empty, and hit enter twice.
Step 4 — If you see the name of your user account in the terminal, the task is done. Two new files (*.key and *.csr) will be located in your personal folder on your computer.
Step 5 — Rename these files to your subdomain with '_' as a dot, for example: 'my_ebook_com.key'.
What to do with the CSR file
You can send the CSR file, for example: 'my_ebook_com.csr', to your certificate reseller. You can keep the private key safely on your computer.
⚠️ Do not send the private key with your CSR file to your certificate reseller. This can be dangerous for the security of your certificate.
After that, you'll get the SSL/TLS certificate and intermediates from your reseller. You can upload these together with the private key to the project that has been set up with this subdomain. Read all about it in our article Manually configure SSL/TLS for a custom domain.