OpenSSL Command Generator — Free CSR & Private Key Builder

Visually build the exact openssl req command for generating a CSR and private key with full Subject and Subject Alternative Name support. RSA, ECDSA, Ed25519 — copy-pasteable, ready to run on your server.

openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=example.com" -addext subjectAltName=DNS:example.com

openssl req -new -nodes -newkey rsa:2048 \
  -keyout server.key \
  -out server.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=example.com" \
  -addext subjectAltName=DNS:example.com

# 1. Save the following as san.cnf
[ req ]
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no

[ req_dn ]
C  = US
ST = California
L  = San Francisco
O  = Acme Inc
OU = IT
CN = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com

# 2. Run the openssl command
openssl req -new -nodes -newkey rsa:2048 \
  -keyout server.key \
  -out server.csr \
  -config san.cnf

What is the OpenSSL Command Generator?

An OpenSSL command generator is a visual builder that turns a form (Common Name, Organisation, SANs, key type) into the exact openssl req shell command you should run on your server to produce a Certificate Signing Request and a fresh private key. The command is generated in your browser and never executed here — you copy it and run it yourself, keeping the key on the host where it belongs.

Hand-typing the openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=US/..." -addext "subjectAltName=DNS:..." incantation is an error-prone art. Forgotten SANs, mismatched -pkeyopt for ECDSA, the -nodes-vs-passphrase confusion, and the leading-slash format of the -subj string all bite even seasoned ops engineers. This generator gets the syntax right every time.

How to generate an OpenSSL CSR command — 4 steps

  1. Fill the subject. Common Name is the primary FQDN; Country is a 2-letter ISO code; Organization should match what the CA will display.
  2. Add SANs. Comma-separated list of every hostname or IP the cert must cover. Modern browsers validate against SAN, not CN, so include the CN here too.
  3. Pick a key type. RSA 2048 for legacy compatibility, RSA 4096 for long-lived roots, ECDSA P-256 for modern best-practice, Ed25519 for greenfield internal services.
  4. Copy & run. Paste the command into a terminal on the server. Two files appear: server.key (chmod 600 immediately) and server.csr (paste the contents into your CA dashboard).
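
The four steps above as a script, followed by the checks worth running before the CSR is sent to a CA. This is an added example, not output of the generator; the helper names make_csr and check_csr and the example.test hostnames are assumptions, and only the CN is placed in the subject to keep it short.

```shell
#!/usr/bin/env bash
# Added example. make_csr / check_csr are hypothetical helper names and the
# example.test hostnames are constructed.

# make_csr TYPE CN SANS OUTDIR   (TYPE: rsa2048 | p256 | ed25519)
make_csr() {
  local type="$1" cn="$2" sans="$3" dir="$4" keyopts
  case "$type" in
    rsa2048) keyopts="-newkey rsa:2048" ;;
    p256)    keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
    ed25519) keyopts="-newkey ed25519" ;;
    *) echo "unknown key type: $type" >&2; return 2 ;;
  esac
  (
    umask 077  # files are created owner-only, so no gap before a later chmod
    # $keyopts is left unquoted on purpose so it splits into separate flags
    openssl req -new -nodes $keyopts \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
  )
}

# check_csr OUTDIR CN   -> exit status 0 only if every check passes
check_csr() {
  local dir="$1" cn="$2" csr_pub key_pub
  # 1. The CSR's self-signature verifies (made with the matching private key)
  openssl req -in "$dir/server.csr" -noout -verify 2>&1 \
    | grep -q "verify OK" || return 1
  # 2. The public key inside the CSR is the one derived from server.key
  csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || return 1
  # 3. The CN also appears as an exact DNS entry in the SAN list
  openssl req -in "$dir/server.csr" -noout -text \
    | grep -A1 "Subject Alternative Name" | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
    | grep -Fxq "DNS:$cn" || return 1
  # 4. The key file is readable and writable by its owner only
  [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Demo in a scratch directory
demo_dir=$(mktemp -d)
make_csr p256 example.test "DNS:example.test,DNS:www.example.test" "$demo_dir" \
  && check_csr "$demo_dir" example.test \
  && echo "CSR and key in $demo_dir passed all checks"
```

The SAN check compares whole entries, so a CN of example.test is not satisfied by a SAN such as example.test.internal.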

Sample output

# One-line form (OpenSSL 1.1.1+, single SAN)
openssl req -new -nodes -newkey rsa:2048 \
  -keyout server.key -out server.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=Acme Inc/OU=IT/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# Verify the CSR
openssl req -in server.csr -noout -text | grep -A1 "Subject Alternative"

# Resulting files
-rw------- 1 root root 1704 Apr 30 12:34 server.key
-rw-r--r-- 1 root root 1090 Apr 30 12:34 server.csr

Exact CLI Output

Outputs the openssl req command line you paste straight into a terminal — both the modern -addext form and the legacy config-file form.

Every Key Type

RSA 2048/4096, ECDSA on P-256 and P-384, and Ed25519. The flags differ between key types — the generator picks the right one for you.

Key Stays on Server

No private key is created here. The command runs on your host so the key never crosses a network or browser tab.

Common use cases

  • Generating a CSR for Let’s Encrypt, DigiCert, Sectigo, GlobalSign, or any commercial CA
  • Renewing an expiring certificate with the same Subject and SAN list
  • Migrating a legacy RSA cert to ECDSA without changing hostnames
  • Creating a multi-SAN cert that covers root + www + api subdomains
  • Building a wildcard CSR (*.example.com) for DNS-01 issuance
  • Producing a CSR for an internal CA or HashiCorp Vault PKI mount
  • Standardising openssl invocations across an SRE team via a shared form
  • Teaching new engineers the -subj, -addext, and -newkey flag layout

Why generate the command instead of the key?

Generating a private key inside a browser tab puts it at the mercy of every script, extension, and devtools session that touches the page. Even with the Web Crypto API available, the right place to mint a TLS key is on the host that will use it — the kernel CSPRNG, hardware token, or HSM there is part of an audited boundary. By emitting the openssl req command and asking you to run it yourself, this tool guarantees the key never exists outside that boundary. The CSR (which contains only the public key plus identifying data) is the only artefact that needs to travel — paste it into your CA.

Privacy & security

This generator never receives or transmits a private key. The command it produces is the only output, generated entirely in JavaScript on your device. Decoders only parse public information. We never see private keys.

Need other SSL/TLS helpers?

Pair the command generator with the rest of OpenFormatter's browser-side SSL tooling — decode CSRs and certs, generate self-signed certs, and emit Mozilla-compliant TLS configs.

Frequently Asked Questions

Why generate the command instead of the key here?

Generating the private key in a browser tab is risky — extensions, cached pages, and screen-sharing tools can leak it. The right place to create a key is the host that will use it (your server, a hardware token, or a CA gateway). This tool builds the exact openssl req command you should run there, so you keep custody of the key from the moment it exists.

What is a CSR?

A Certificate Signing Request (CSR) is a PEM-encoded blob containing your public key and identifying information (Common Name, organisation, country, SANs) that you send to a Certificate Authority. The CA verifies you control the names listed and signs a certificate that binds them to your public key. The corresponding private key never leaves your server.

What are SANs?

Subject Alternative Names extend a certificate to cover multiple hostnames (example.com, www.example.com, api.example.com) or IP addresses. Modern browsers ignore the legacy CN field and validate strictly against SANs, so every CSR for a public site must include a subjectAltName extension — even if there is only one hostname.

RSA vs ECDSA — which to pick?

ECDSA (P-256) keys are smaller, faster on the wire, and offer equivalent security to RSA-3072 with about 1/10 the bytes. Most public CAs and modern browsers accept ECDSA happily. RSA-2048 remains the safest interop choice for old clients (Java 6, IoT firmware, legacy SMTP gateways). When in doubt, ship both — most servers can serve a dual cert chain.

Can I add wildcard SANs?

Yes — enter *.example.com in the SAN field. Public CAs allow one level of wildcard (*.example.com matches api.example.com but not foo.api.example.com). DV wildcard issuance requires DNS-01 validation; HTTP-01 cannot prove control of an arbitrary subdomain.

What does -nodes mean?

-nodes (no DES) tells openssl to write the private key in plain PEM rather than wrapping it with a passphrase. Web servers like nginx and Apache must read the key on startup, so an encrypted key forces an interactive prompt and prevents unattended reboots. If you need the key encrypted (e.g. backup), drop the -nodes flag and openssl will prompt for a passphrase.

How do I add the SAN extension?

OpenSSL 1.1.1+ supports -addext "subjectAltName=DNS:example.com,DNS:www.example.com" inline. Older versions need a config file with [req_ext] subjectAltName=@alt_names and a matching [alt_names] section. This generator emits both forms — pick whichever your openssl supports (run openssl version).

Where does the openssl command save files?

The -keyout and -out paths are relative to the current working directory of the shell that runs the command. Run the command from the directory you want the key and CSR to land in (often /etc/ssl/private and /etc/ssl/csr respectively). Set restrictive permissions (chmod 600 server.key) immediately after generation.
