openssl req: Generate a CSR for Signing
openssl req -new builds a CSR you can hand to a CA to be signed into a certificate.
A CSR bundles a public key with subject details and is signed by your private key. In CI you want it fully non-interactive via -subj.
What it does
openssl req -new generates a PKCS#10 certificate signing request from an existing private key (or a new one with -newkey). It encodes the subject DN, the public key, and any requested extensions.
Common usage
openssl req -new -key key.pem -out req.csr \
-subj "/C=US/ST=CA/O=Acme/CN=example.com"
# add a SAN extension non-interactively
openssl req -new -key key.pem -out req.csr \
-subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.com"Options
| Flag | What it does |
|---|---|
| -new | Generate a new CSR |
| -key <file> | Use an existing private key |
| -newkey rsa:2048 | Generate a fresh key alongside the CSR |
| -subj <dn> | Set the subject DN non-interactively (skips prompts) |
| -addext <ext> | Add an X.509v3 extension such as subjectAltName |
| -nodes | Do not encrypt the generated private key |
In CI
Always pass -subj in pipelines; without it req drops into interactive prompts and hangs the job. -addext (OpenSSL 1.1.1+) avoids needing a custom openssl.cnf just to add a SAN.
Common errors in CI
"problems making Certificate Request" with "string is too long" means a DN field exceeds its length limit. "unable to load Private Key" means -key points at the wrong file or an encrypted key without a passphrase. If -addext is unknown, the OpenSSL build predates 1.1.1; fall back to a config file with req_extensions.