× SSL247 joins forces with Sectigo CA - Find Out More...
Our accreditations and awards:
0 items Total £0.00

Knowledge Base



NOTE: To generate a CSR, a key pair must be created for the server. These two items are a digital certificate key pair and cannot be separated. If the public/private key file or password is lost or changed before the SSL certificate is installed, the SSL certificate will need to be re-issued. The private key, CSR, and certificate must all match in order for the installation to be successful.

NOTE: The following ECC name curve is supported: Key type: named curve NIST P-256, aka prime256v1.

To generate the correct ECC parameter, name curve prime256v1, & SHA-256 signature algorithm OpenSSL ver. 1.0.1g. must be used.

1.Generate Private Key for ECC
  • The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If the utility was installed elsewhere, these instructions will need to be adjusted accordingly.
  • Type the following command at the prompt: openssl ecparam -out privatekey.key -name prime256v1 -genkey

NOTE: Because the native KEY is generated by OpenSSL, it has an EC parameters block above the key. It will need to be converted to a PEM format, which can be done manually by removing the
“-----BEGIN EC PARAMETERS----- … -----END EC PARAMETERS----- “ block or running it through openssl to convert it to a PEM format.

This is a MUST otherwise the installation will not work. It will pass Apache’s test but will ultimately fail.

2. Generate Certificate Signing Request (CSR)
  • Type the following command at the prompt:openssl req -new -key privatekey.key -out request.csr -sha256

NOTE: If using openSSL on Windows, you may need to specify the path to openssl.cnf such as the following: openssl req -new -key privatekey.key -out request.csr -config "c:\OpenSS-Win64\bin\openssl.cnf

This command will prompt for the following X.509 attributes of the certificate:

  • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
  • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
  • Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
  • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
  • Organizational Unit (OU): This field is the name of the department or organization unit making the request.
  • Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com"

NOTE: Please do not enter an email address, challenge password or an optional company name when generating the CSR.

A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server machine and is used for decryption.

The public portion, in the form of a Certificate Signing Request (certrequest.csr), will be for certificate enrollment.

To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.

NOTE:: If you are generating an Apache CSR for a Wildcard SSL Certificate, your common name should start with an asterisk (i.e. *.example.com).

This creates your openssl.csr file. After you receive your ECC SSL Certificate from us, you can install it.