
Create a Certificate Signing Request (CSR)

A CSR (Certificate Signing Request) is a digital request for issuing a TLS certificate. TLS certificates ordered through Nine are not limited to managed services. They can also be used with root servers and third-party infrastructure.

Not required for single-domain and wildcard certificates

If you order a single-domain or wildcard certificate through Nine, you don't need to create a CSR. Nine handles this automatically.

Creating a CSR is required for:

  • EV and multi-domain certificates
  • Certificates from third-party providers

Where to Create the CSR

Generate the CSR and private key on your Managed Server. This ensures the private key never leaves the secure server environment.

Preparation

This guide uses OpenSSL. On managed environments, OpenSSL is pre-installed. For root environments, install it first if needed.

The following steps use default directories for Nine managed environments. Adjust paths for root environments as needed.

  1. Create a directory that is not publicly accessible via a web server. Private keys must remain secret:

    mkdir -p ~/.ssl/
    cd ~/.ssl/

  2. Create the OpenSSL config file ~/.ssl/openssl.conf with the following content:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [req_distinguished_name]

    [ v3_req ]
    subjectAltName = ${ENV::SAN}
    # keyUsage = keyEncipherment, dataEncipherment
    # extendedKeyUsage = serverAuth

Create the CSR

Run the following command to create both the CSR and private key for your domain. This uses an ECDSA key with the P-256 curve, the current industry standard for fast and secure TLS handshakes:

    SAN=DNS:example.com,DNS:www.example.com openssl req -new \
      -subj "/C=CH/ST=Zuerich/L=Zuerich/O=Example AG/CN=example.com/" \
      -sha256 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout SSL_example.com.key -out SSL_example.com.csr \
      -config openssl.conf

Avoid umlauts, special characters (such as French accents), and any abbreviations in the certificate fields.

Country Name

Two-letter country code per ISO 3166 (CH = Switzerland).

State or Province Name

The canton or province where the person or company is registered.

Organization Name

Your company or association name. For certificates issued to individuals, enter the full name.

Common Name

The domain name to protect with the certificate, or *.example.com for wildcard certificates.

Wildcard certificates cover one subdomain level. For example, *.example.com covers www.example.com and staging.example.com, but not www.staging.example.com. To cover www.staging.example.com, use *.staging.example.com.

The TLS certificate is only valid for the domain specified here.
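
Before submitting the CSR, it is worth checking the generated files. The script below is an added example, not part of Nine's documentation: it confirms that the CSR's self-signature verifies, that the CSR belongs to the private key, that every expected host name is an exact subjectAltName entry, and that the key file is not accessible to group or others. The helper names check_csr, make_sample and pub_pem and the scratch directory are assumptions; the sample CSR is constructed with the config and command shown above.

```shell
#!/bin/sh
# Added example: sanity-check a CSR and its private key before submitting it.
# check_csr, make_sample and pub_pem are hypothetical helper names.

# Re-encode a PEM public key from stdin so two copies compare byte for byte.
pub_pem() { openssl pkey -pubin -outform PEM 2>/dev/null; }

check_csr() {  # usage: check_csr KEYFILE CSRFILE HOSTNAME...
    key=$1 csr=$2; shift 2
    # 1. The CSR self-signature must verify (proves possession of the key).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; return 1; }
    # 2. The CSR must carry the public half of this private key.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | pub_pem)
    c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | pub_pem)
    [ -n "$k" ] && [ "$k" = "$c" ] ||
        { echo "FAIL: CSR was not created from $key"; return 1; }
    # 3. Each expected host name must be an exact DNS entry in subjectAltName.
    sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" ||
            { echo "FAIL: $name missing from subjectAltName"; return 1; }
    done
    # 4. The key file must not be accessible to group or others.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group/others"; return 1; }
    echo "OK: $csr"
}

# Constructed sample: the page's config and command, run in a scratch directory.
make_sample() (  # usage: make_sample DIR  (subshell keeps cd/umask local)
    umask 077; cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = req_distinguished_name' \
        'req_extensions = v3_req' '[req_distinguished_name]' '[v3_req]' \
        'subjectAltName = ${ENV::SAN}' > openssl.conf
    SAN=DNS:example.com,DNS:www.example.com openssl req -new \
        -subj "/C=CH/ST=Zuerich/L=Zuerich/O=Example AG/CN=example.com" \
        -sha256 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout SSL_example.com.key -out SSL_example.com.csr \
        -config openssl.conf 2>/dev/null
)

demo=$(mktemp -d) && make_sample "$demo" &&
    check_csr "$demo/SSL_example.com.key" "$demo/SSL_example.com.csr" \
        example.com www.example.com
rm -rf "$demo"
```

For your own files, call check_csr with the key, the CSR and the host names you ordered, for example from inside ~/.ssl/.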