
Certificate Signing Request (CSR)

What is CSR and what do you need it for?

If you already know the basic steps related to the certificate request and need server-specific instructions, you can go directly to Entrust's help page with the button below or choose the correct environment type from the list at the bottom of this page.

F5 BIG IP
F5 BIG-IP Loadbalancer (version 11.3.0)
1. Start the F5 BIG-IP web user interface.
2. On the Main tab, click System, select File Management, and then select SSL Certificate List.
3. A list of existing certificates will appear.
4. Click Create in the upper right corner of the screen.
5. In "General Properties", enter a name for the certificate. This name will be used later to identify the certificate in the system.
6. Under "Certificate Properties", enter the following information:
  • Issuer: Certificate Authority (your own CA, e.g. Entrust)
  • Common name: Server's FQDN (fully-qualified domain name) (for example www.domain.com, mail.domain.com, or *.domain.com)
  • Division: for example ICT
  • Organization: The official, registered name of the company or organization.
  • Locality, State or Province, Country: Municipality/City and country where your organization is located. The country code is e.g. "FI"
  • E-mail Address: A generic mailbox works well here, such as admin@domain.com, postmaster@domain.com, hostmaster@domain.com or webmaster@domain.com (replace "domain.com" with the domain in question; the address must be a valid e-mail address).
  • Challenge Password, Confirm Password: Password for the CSR.
7. Under "Key Properties", select 2048. The size of the keys used today is at least 2048; smaller values are no longer accepted.
8. Click Finished.
9. The text of the certificate request is displayed. Copy the full text to a file or download the request file to save the CSR.
10. Click Finished.

As a result of this, you should have a CSR file, i.e. a certificate request, with which you can submit a certificate application to your certificate provider. This is a normal text file; you can copy its content into an e-mail or directly into the field reserved for it in your certificate provider's system. Once your certificate is delivered, you can install it.

Please note that when a certificate request is made, a Private Key corresponding to the certificate is created on the device where the request is generated. Without this key the certificate will not work. The certificate can therefore be installed only on the device where the certificate request was made. In some cases, it is possible to export both the certificate and its Private Key as a package and copy it to another device.

OpenSSL (Apache, NGINX)

Generating a CSR with the OpenSSL tool

Entrust utility for generating OpenSSL command

1. Log in to the server, a terminal (Unix/Linux) or a Command Prompt (Windows).
2. Type the following command: openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
3. OpenSSL asks for the information needed for the certificate. The mandatory fields are the COUNTRY (two-character abbreviation) where the certificate will be used, the name of the organization as it is entered in the trade register, and the COMMON NAME (CN), i.e. the name of the service that you want to certify, for example: www.mydomain.fi.

Country codes can be found here.
Microsoft IIS
Microsoft IIS 8
(Windows 2012 Server/IIS 8.x, English server version)

1. Start IIS Manager and, in the "Connections" panel, locate the server for which you want to create the certificate request.

2. On the server's "Home" page, under the IIS section, double-click "Server Certificates".

3. In the "Actions" menu, choose "Create Certificate Request".

4. The "Request Certificate" wizard starts and asks you to enter the following information:
  • Common name: Server's FQDN (fully-qualified domain name) (for example www.domain.com, mail.domain.com, or *.domain.com)
  • Organization: The official, registered name of the company or organization
  • Organizational unit: for example "ICT"
  • City/locality
  • State/province
  • Country/region: country code (two-character abbreviation)
5. On the "Cryptographic Service Provider Properties" page, enter the following information and then click "Next":
  • Cryptographic service provider: Choose from the list "Microsoft RSA SChannel Cryptographic Provider" (unless for some reason you want to use some other encryption method).
  • Bit length: Select 2048 from the list, unless for some reason you want to use another key length. This is the smallest RSA value acceptable today, although you may still see e.g. 1024 key lengths in some services. A certificate for a smaller RSA key length can no longer be issued.
When entering the file name, note that unless you select a path (the button with three dots ...), the CSR file is saved by default to the folder "C:\Windows\System32".

6. Click "Finish"

MMC (Microsoft Management Console)/ Windows 8

Entrust's instructional video

 
1. What do I need a CSR for?
A CSR (Certificate Signing Request) is needed so that your certificate provider can generate the certificate you need. The CSR contains the public key of the certificate and acts as a counterpart to the Private Key generated when creating the CSR.
2. Can the CSR be done elsewhere than on the target server?
Yes. In principle, a CSR can be created on any device, but in that case the Private Key generated during creation must be transferred separately to the installation target, and that transfer is where the risk lies. The recommended approach is to create the CSR on the same server on which the certificate will be installed.
3. I want to check the CSR I created. How do I do that?
Several websites offer tools for checking a CSR. Entrust also offers its own solution for this, which can be found behind this link.

With this example, you can test the functionality of the tool. Copy the following in its entirety:

4. Does my certificate provider also need the Private Key formed with the CSR?
No. The Private Key should be kept safe in a secure location and should not be shared with anyone. When the CSR is generated directly on the server, the Private Key is often automatically left on the server.
5. Where can I find instructions for creating a CSR?
Entrust has put together server-specific instructions on creating a CSR on its website. You can access their instructions here. Choose the right server type from the list and click "View" for this in the "CSR Guide" column.
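
The OpenSSL command from the instructions above and the CSR check from question 3, done locally so that nothing has to be pasted into a web tool. This is an added example, not part of the original page or of Entrust's instructions; the subject values ("FI", "Example Oy"), the function names and the file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page). Placeholders: the subject
# values "FI" and "Example Oy", and the file base name given by the caller.

# make_csr <basename> <common-name>: writes <basename>.key and <basename>.csr.
# -nodes leaves the key unencrypted on disk, so umask 077 keeps it owner-only.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" \
          -subj "/C=FI/O=Example Oy/CN=$2" )
}

# A CSR is signed with its own private key. Match on the "verify OK" message
# rather than relying only on the exit status of "req -verify".
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Prints the public key size in bits, e.g. 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True only if the key file holds the key whose public half is in the CSR.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_csr <keyfile> <csrfile>: run every check before sending the CSR to the CA.
# The size check assumes an RSA key, as in the instructions above.
check_csr() {
    bits=$(csr_key_bits "$2")
    csr_signature_ok "$2" || { echo "CSR self-signature invalid" >&2; return 1; }
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key too small: ${bits:-?} bits" >&2; return 1; }
    key_matches_csr "$1" "$2" || { echo "key does not match CSR" >&2; return 1; }
    echo "OK: ${bits}-bit key, $(openssl req -in "$2" -noout -subject)"
}

# Usage: make_csr yourdomain www.example.com && check_csr yourdomain.key yourdomain.csr
```

Only the .csr file is sent to the certificate provider; the .key file stays on the server.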

Requesting a certificate

The organizational identity included in the certificate requires a carefully audited verification process, for which you will receive more detailed instructions from your certificate supplier. With the verifications up to date, the certificate application process is simplified as follows: The certificate application (CSR) is made on the server, and in connection with this, a secret key and a public key are formed. The public key goes with the certificate request to the certifier (Entrust), who checks the legitimacy of the request. The certifier sends back an SSL/TLS certificate, which contains, among other things, the public key. The SSL/TLS certificate is installed on the web server and is bound to the secret key.

Note: The Private Key formed during the creation of the CSR must be kept in a secure environment and must not be shared with others, not even with the certificate provider.


Instructions for creating a CSR

Server-specific instructions for selected environments

Below you will find links to server-specific CSR creation instructions on Entrust's website.
The instructions behind the links are in English.

NGINX

