Generate Customer Signed Certificate on Linux

This is a quick post to list the steps about generating the Customer Signed Certificate by using openssl on Linux platform (Take CentOS as an example).


The basic knowledge of CA can be referenced at below Wiki page:


  • Step 1: Create a customer folder to store the customer private key, CSR and certificates.
cd /etc/pki/tls/
mkdir customercert
cd customercert


  • Step 2: Generate an openssl.cnf file.
vi openssl.cnf

Edit the openssl.cnf as per below example. In this example, the Subject Alternative Names (IP and host short-name) are also included.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                = AU
stateOrProvinceName        = QLD
localityName               = Brisbane
organizationName           = MyCompany Inc.
commonName                 =

[ req_ext ]
subjectAltName = @alt_names

DNS.1   = TestServer01
DNS.2   =

Save the openssl.cnf file.


  • Step 3: Generate the CSR (Certificate Signing Request) and private key
openssl req -out TestServer01.csr -newkey rsa:2048 -nodes -keyout TestServer01private.key -config openssl.cnf

The expected output is as below:

Generating a 2048 bit RSA private key
writing new private key to ‘TestServer01private.key’

Two files (TestServer01.csr and TestServer01private.key) will be generated if command can run successfully. Before sending the CSR to CA admin in your organization, verify the key with below command.

openssl req -noout -text -in TestServer01.csr


  • Step 4:  CA Admin issue the certificate

Now, you can send CSR file (TestServer01.csr in this example) to CA admin, CA admin will utilize the CSR to issue the certificate file back. Once you received the certificate file, you can install the certificate with private key as per the instruction of application (web service for example).

Leave a Reply