Skip to content
Latchkey

openssl req: Generate a CSR for Signing

openssl req -new builds a CSR you can hand to a CA to be signed into a certificate.

A CSR bundles a public key with subject details and is signed by your private key. In CI you want it fully non-interactive via -subj.

What it does

openssl req -new generates a PKCS#10 certificate signing request from an existing private key (or a new one with -newkey). It encodes the subject DN, the public key, and any requested extensions.

Common usage

Terminal
openssl req -new -key key.pem -out req.csr \
  -subj "/C=US/ST=CA/O=Acme/CN=example.com"
# add a SAN extension non-interactively
openssl req -new -key key.pem -out req.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

Options

FlagWhat it does
-newGenerate a new CSR
-key <file>Use an existing private key
-newkey rsa:2048Generate a fresh key alongside the CSR
-subj <dn>Set the subject DN non-interactively (skips prompts)
-addext <ext>Add an X.509v3 extension such as subjectAltName
-nodesDo not encrypt the generated private key

In CI

Always pass -subj in pipelines; without it req drops into interactive prompts and hangs the job. -addext (OpenSSL 1.1.1+) avoids needing a custom openssl.cnf just to add a SAN.

Common errors in CI

"problems making Certificate Request" with "string is too long" means a DN field exceeds its length limit. "unable to load Private Key" means -key points at the wrong file or an encrypted key without a passphrase. If -addext is unknown, the OpenSSL build predates 1.1.1; fall back to a config file with req_extensions.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →