OpenSSL – Generate Certificate Signing Request (VPN Example)


  • Step 1 – Install Open SSL “sudo dnf -y install openssl”
  • Step 2 – Generate a private key “openssl genrsa -out 4096”
  • Step 3 – Generate the CSR using the key we have just generated
    “openssl req -new -key -out -subj “/C=GB/ST=County/L=City/O=Customer /OU=IT services/” -addext “,””
  • Step4 – Profit

What is this for?

This post will talk you through how to generate a Certificate Signing Request (CSR) using OpenSSL running on Fedora.

System Setup:

Operating System:
Fedora Remix

Virtual Box

Getting down to business…

Okay so we first need to have a Fedora Linux installation avaliable. These commands will probably work nicely with other distros but this example has been run on Fedora. If you dont have a Fedora install to hand why not configure WSL using this guide.

If we dont already have openssl install lets get it installed using the following command.

sudo dnf -y install openssl

Once installed we can move into our home directory (cd = change directory) of windows to make getting the files later easier. In my example below I also make a new folder (mkdir = make directory) to store the files in and then change into this new directory.

cd winhome/Documents/

We can now generate a private key file. To do this we use the following command.

openssl genrsa -out 4096

If you now check in your Documents\ folder you will see the newly generated private key file.

Now we have a private key we need to generate a Certificate Signing Request (CSR). There is a way to save all this information into a file however I am trying to keep this quick and simple, so I am not going to show this today. To generate the CSR start off by coping the below command into a text file and editing as required. You will need to update the “County” etc in the subject element to ensure they are correct for you use case. Also note that I create subject alternative names. I normally configure VPN appliances with the subject alternative names such as “” and “” etc. I then configure the client using “”. This then gives me the ability to do tricks in the middle with DNS to route the clients to “active” or geographically closest appliance. Even if you don’t have this capability yet, still sign your certificates like this as it gives you options in the future!

openssl req -new \
     -key \
     -out \
     -subj "/C=GB/ST=County/L=City/O=Customer /OU=IT services/" \
     -addext ","

Now we can check our Documents\ folder and we will find the CSR that we need to take to the certificate authority to get signed.


Leave a Reply

Your email address will not be published. Required fields are marked *