There was a problem loading the comments.

How to Generate a CSR and Private Key

Support Portal  »  Knowledgebase  »  Viewing Article

  Print

Quick answer: To buy an SSL certificate, generate a CSR and private key - in cPanel (SSL/TLS, Generate a CSR), Plesk, or with openssl req -new -newkey rsa:2048 -nodes. Use your exact domain as the Common Name, keep the private key safe, and never regenerate a new CSR after ordering.

To buy a commercial SSL certificate, a certificate authority needs a Certificate Signing Request (CSR) - a block of text that contains your domain details and a public key. Generating the CSR also creates a private key that stays on your server. Here is how to produce both correctly.

What gets created

CSR         - sent to the certificate authority when ordering
Private key - stays on your server, never shared

The private key must be kept secret and paired with the certificate you receive. Losing it means the certificate cannot be installed.

Generate a CSR in a control panel

In cPanel, open SSL/TLS > Generate a CSR. In Plesk, use Websites & Domains > SSL/TLS Certificates > Add. Fill in the fields exactly:

Common Name (CN):  the exact domain, e.g. www.yourdomain.com
Organization:      your legal business name
City / State:      your location
Country:           two-letter country code

The panel stores the private key and gives you the CSR text to copy.

Generate a CSR with OpenSSL

On a server without a panel, use OpenSSL:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout yourdomain.key -out yourdomain.csr

Answer the prompts, using your exact domain as the Common Name. This writes the private key (yourdomain.key) and the CSR (yourdomain.csr). Back up the key file safely.

Submit and receive the certificate

Paste the CSR into your certificate order. The authority validates your control of the domain and returns the certificate, usually with an intermediate (chain) certificate. Install both together with the matching private key on the same server that generated the CSR.

Common mistakes

Use the exact domain in the Common Name - a certificate for yourdomain.com does not cover www.yourdomain.com unless both are included. And never generate a new CSR after ordering, as its new private key will not match the issued certificate.

Frequently asked questions

Why keep the private key?
The issued certificate only works with the matching private key from the same CSR; losing it means reissuing.

Does one certificate cover www automatically?
No - include both yourdomain.com and www.yourdomain.com when generating the CSR.

On a SoftSys managed VPS our team generates the CSR, installs the issued certificate and full chain, and handles renewals, so commercial SSL is set up correctly the first time.


Share via
Did you find this article useful?  

Related Articles

Tags

© Softsys Hosting