How to Generate a CSR on macOS Servers?

CSR Creation on MacOS X

One of the basic tasks in managing SSL certificates that all system administrators need to know is generating a CSR (Certificate Signing Request) on a macOS server. It is not a hard task; however, precision is required.

Even one error, such as an incorrect domain name, a misplaced key file, or incorrect information, may slow down the issuance of the certificate or lead to problems with its installation in the future.

I have created CSRs for production servers, staging environments, and internal tools, and one fact has always remained the same: when you have a structured approach, the process is smooth and repeatable.

The most reliable way on macOS servers is to use OpenSSL from the Terminal, as it gives you full control and is compatible with nearly all server configurations.

CSR Creation Steps on macOS Server

The following is a step-by-step process that you can follow.

Step 1: Open Terminal on macOS

  • Begin by launching the Terminal program. You can access it through:
  • Applications > Utilities > Terminal
  • Or just press Command + Space, type Terminal, and press Enter.

After opening the terminal, you are all set to start. I would always suggest creating a working directory first, before any keys or CSRs are generated. Keeping certificate files well organized avoids a situation where they get mixed up or lost in the future.

Create and change into a new folder:

  • mkdir ssl-certs
  • cd ssl-certs

This keeps your CSR and private key together in a single secure location.

Step 2: Generate the Private Key

The private key is the most crucial file in the whole process. Consider it the other half of your SSL identity. Anyone who has access to this key may be able to impersonate your server. Do not lose it, and never share it.

To create a private key, use the following command:

openssl genrsa -out yourdomain.key 2048

What this command does:

  • Produces a 2048-bit RSA private key.
  • Saves it as yourdomain.key
  • Provides the basis for generating the CSR.

2048-bit keys are the common standard with most Certificate Authorities. For a stronger key, you can generate a 4096-bit key instead.

OpenSSL writes the key to yourdomain.key when you run this command:

openssl genrsa -out yourdomain.key 4096

This provides greater security but can add some slight processing time to encryption operations.

After running the command, your private key file will be available in the directory. Store this file somewhere safe and on the cloud. Do NOT email it or post it on other systems.

Step 3: Create the CSR (Certificate Signing Request)

Once the private key is ready, the CSR can be generated. The CSR contains the public key that corresponds to your private key, along with your company information. It is sent to the Certificate Authority to obtain your SSL certificate.

Run the command:

openssl req -new -key yourdomain.key -out yourdomain.csr

req -new creates a new certificate request, -key yourdomain.key tells OpenSSL which private key to use, and -out yourdomain.csr names the file the request is written to.

Once you run it, the terminal will ask you to enter several pieces of information. These are included in your certificate request, so fill them in carefully.

You will be asked for:

  • Country Name: Type in the two-letter country code (such as IN for India or US for the United States).
  • State or Province: Type in the full name of the state or region.
  • Locality or City: Enter the name of the city where your organization is located.
  • Organization Name: Provide the legal name of your company. If the certificate is for personal use, you can fill in your own name or a project name.
  • Organizational Unit: Optional field. You can enter IT, Security, or DevOps, or leave it blank.
  • Common Name (Most Important Field): This has to be an exact match to the domain name.

Examples:

  • For a single domain: example.com
  • For a subdomain: www.example.com
  • For a wildcard certificate: *.example.com

If the Common Name is wrong, the certificate will not work with your domain.

Email Address and Challenge Password:

These are optional and are usually left blank. Press Enter to skip them.

The CSR file is generated immediately after all the information has been entered.

Step 4: Verify the CSR File

Once the CSR has been created, it is always worth reviewing its contents before it is sent to the Certificate Authority.

To view the CSR:

cat yourdomain.csr

You will see a block of encoded text which opens with:

-----BEGIN CERTIFICATE REQUEST-----

and ends with:

-----END CERTIFICATE REQUEST-----

This entire block is your CSR. Copy it exactly as it is and submit it to your certificate issuer.

The details of the CSR can also be checked using:

openssl req -text -noout -verify -in yourdomain.csr

This command shows you all the information you typed so you can verify that it is correct before making any submission.
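The checks from Steps 2 to 4 can be scripted so they run the same way every time. The following is an added example, not part of the original article: it creates the key and CSR non-interactively, then confirms the key's file permissions, the CSR signature, that the CSR was built from this key, and the Common Name. The domain www.example.com, the subject values and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; the domain and subject values are constructed placeholders.

# make_key_and_csr DIR CN: create DIR/CN.key (owner-only) and DIR/CN.csr.
make_key_and_csr() {
    dir=$1; cn=$2
    (
        umask 077    # files created below are readable by the owner only
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl genrsa -out "$cn.key" 2048 2>/dev/null || exit 1
        # -subj supplies the answers to the Step 3 prompts in one string
        openssl req -new -key "$cn.key" -out "$cn.csr" \
            -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=$cn"
    )
}

# csr_cn CSR: print the Common Name stored in the CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_csr KEY CSR EXPECTED_CN: return 0 only if every check passes.
check_csr() {
    key=$1; csr=$2; want=$3
    # 1. The key file must grant nothing to group or others.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "key permissions too open"; return 1; }
    # 2. The CSR's self-signature must verify (message text varies by version).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature invalid"; return 2; }
    # 3. The public key in the CSR must be the one derived from the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 3
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] ||
        { echo "CSR was not made from this key"; return 3; }
    # 4. The Common Name must be exactly the domain being ordered.
    [ "$(csr_cn "$csr")" = "$want" ] ||
        { echo "Common Name mismatch"; return 4; }
    echo "CSR OK"
}

# Demo in a throwaway directory.
work=$(mktemp -d) && make_key_and_csr "$work" www.example.com &&
    check_csr "$work/www.example.com.key" "$work/www.example.com.csr" \
        www.example.com
```

A non-zero return code identifies which check failed: 1 for permissions, 2 for the signature, 3 for a key mismatch, 4 for the Common Name.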

Step 5: Submit CSR to Certificate Authority.

After verifying it, submit the CSR to your preferred Certificate Authority (CA), such as DigiCert, Sectigo, GlobalSign, or a reseller like us (CheapSSLWeB).

During submission:

  • Copy the CSR text and paste it into the CA's order form.
  • Select the type of certificate (DV, OV, EV, wildcard, etc.).
  • Complete the domain validation procedure.
  • Upon validation, the CA will provide your SSL certificate, which you can install using the same private key you created previously.

Critical Security Best Practices

Whenever you generate CSRs on macOS servers, it is advisable to follow these precautions:

  • Do not share your private key file.
  • Store the private key in a safe place.
  • Keep a duplicate in a safe vault.
  • Use strict file permissions on the production server.
  • If the private key is compromised, regenerate the CSR.
  • If you lose your private key, you cannot use the issued certificate. You will need to create a new key and CSR and have the certificate reissued.

Next Step: How to Install an SSL Certificate on macOS?

End Words

Generating a CSR on macOS is a straightforward process when done with precision and structure. From creating a secure private key to verifying your CSR details before submission, each step plays a critical role in ensuring your SSL certificate works flawlessly.

A small mistake in the Common Name or key handling can lead to delays or security risks, so always follow best practices and keep your private key protected.

If you’re ready to secure your website or server, contact us to purchase your SSL certificate. Our experts will guide you through CSR generation, validation, and installation to ensure a smooth and secure deployment.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast with 7+ years of experience and knowledge of Encryption, Digital Certificates and Online Security. She helps online users stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.