When generating a CSR, you're usually generating a keypair. You can create the private key and the CSR all at once like this:
openssl req -newkey rsa:4096 -keyout server.key -out server.csr
req is openssl's CSR module.
-newkey rsa:2048 tells openssl we want to create a new keypair for this CSR, and we want that to be a 2048-bit RSA key. Along with telling req we want a new key, we tell it to put the key in a file named server.key with -keyout server.key. Finally, tell it we want our CSR in a file named server.csr with -out server.csr.
Alternatively, if this is for a webserver, and you don't want it to have a passphrase, you can add the -nodes option to tell it to not encrypt the private key. If you do this, be extra careful to protect the key with proper file permissions.
However, you may already have a private key and just want to generate a CSR. You can do this with:
openssl req -new -key server.key -out server.csr
where server.key is where your existing private key resides.
This will then ask you several questions. Here are some guidelines on answering those questions:
California. In some countries there are no states or provinces, and if so, leave this blank.
You may also be prompted for extra attributes such as challenge password or company name, and these can generally be ignored/left blank.
At this point, you should have generated a CSR (and possibly a private key). You can now send this CSR to the CA of your choice to be signed.
If you would like to have some of these filled in with your information by default, find the [ req_distinguished_name ] section of your openssl.cnf (you can modify the system-wide one, or if you prefer, make your own copy and reference it with -config openssl.cnf) and change the _default lines. You can also add _default lines for attributes that don't have one. For example, in my openssl.cnf, I have a localityName line but not a localityName_default, but if I add one, it'll work. You must also ensure that under [ req ] you have distinguished_name = req_distinguished_name set (it is the default in most distros). For more information on openssl's configuration, see my openssl configuration page.
You can also add requested extensions to your CSR by scrolling down to the [ v3_req ] section of your openssl.cnf and adding extensions and their values as you see fit. You must also make sure that under the [ req ] section of your openssl.cnf you have req_extensions = v3_req set, or your changes to the [ v3_req ] section won't have any effect. See my extensions page and openssl configuration page for more details on those subjects.
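The two configuration steps above, put together as an added example (not the author's own openssl.cnf): a private config copy with _default lines and a [ v3_req ] section, used to build a CSR and then decode it before it goes to the CA. The example.com names, the subjectAltName extension chosen for illustration, the -batch flag (take the defaults without prompting) and the function names make_csr and show_csr are assumptions.

```shell
#!/bin/sh
# Added example. Constructed values: example.com names, California defaults.
# make_csr DIR [REQ_EXT_LINE]: write a private openssl.cnf in DIR and build a
# CSR from it. Pass "" as REQ_EXT_LINE to leave out the req_extensions line.
make_csr() (
    dir=$1
    req_ext=${2-"req_extensions = v3_req"}
    umask 077   # -nodes leaves the key unencrypted: keep the files owner-only
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
$req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = California
localityName = Locality Name
localityName_default = Example City
commonName = Common Name
commonName_default = www.example.com

[ v3_req ]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
    # -batch uses the *_default values instead of asking the questions
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
)

# show_csr DIR: decode the CSR so subject and extensions can be checked
show_csr() {
    openssl req -in "$1/server.csr" -noout -text
}

workdir=$(mktemp -d)
make_csr "$workdir" && show_csr "$workdir"
```

Calling make_csr with an empty second argument writes the same file without the req_extensions line; the decoded CSR then carries no subjectAltName even though [ v3_req ] is still present.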