The current CSR generation guide will help you to generate a Certificate Signing Request (CSR) without a mandatory common name (CN) using Nginx (OpenSSL). The CSR without CN is a must rule to generate GoGetSSL™ Public IP SAN. That is a very custom product allowing to protect public IP addresses with the domain validation process. Most devices force the install SSL with Primary domain as Public IP address, without any FQDN (Fully Qualified Domain name).
Step 1: Login to your server
Log into your server using an SSH connection to open a terminal window. No SSH connection needed if you work locally, just press CTRL+ALT+T or CTRL+ALT+F1 to open a terminal window on most Linux systems.
Step 2: CSR and Private key creation
Please run the command below to start the generation. Replace "new" with your actual public IP without any DOTS or simply use any custom name you want.
openssl req -new -newkey rsa:2048 -nodes -keyout new.key -out new.csr
We suggest generating new Private Key for every new CSR code. The description of commands:
- openssl – activates the OpenSSL softwarereq – indicator, that we need CSR code;
- –new –newkey – generate a new key;
- rsa:2048 – generate a 2048-bit RSA mathematical key;
- –nodes – no DES, meaning do not encrypt the private key in a PKCS#12 file;
- –keyout – indicates the domain you’re generating a key for;
- –out – specifies the name of the file your CSR will be saved as;
Note: we suggest to use classical 2048-bit key pairs. More secure 4096-bit key requers more server resources. Alternatively, use the ECC algorithm.
Step 3: Submit CSR details
Follow the process and submit all details.
- Common Name: "KEEP EMPTY"
- Organization: None, or any other name;
- Organization Unit (OU): IT, Security or any other;
- City or Locality: Submit your city;
- State or Province: Submit your State, Region, Province;
- Country: ISO-2 country code, like US, LV, RU, CN, make sure it is allowed country;
Note: Do not submit any key phrase, it will prevent the SSL generation process.
Step 4: Locate CSR file
You will be able to find the CSR file in working directory once the software finished the process of generation. An alternative command to list out all CSRs on your system.
ls *.csr
Step 5: Opening CSR in the console (optional)
You can open the generated .csr file in the editor using the command below.
sudo nano new.csr
Example code
You can open the generated .csr file in the editor using the command below.
openssl req -out new.csr -new -newkey rsa:2048 -nodes -keyout new.key Generating a 2048 bit RSA private key writing new private key to 'new.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:LV State or Province Name (full name) []:Rigas Locality Name (eg, city) []:Rigas Organization (eg, company) []:None Organizational Unit Name (eg, section) []:IT Common Name (eg, fully qualified host name) []: Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: