Let's assume that you are creating a certificate for a domain "www.mydomain.cz". Typically, you create a private key and a Certificate Signing Request (CSR) on a Unix system by running the following command:
$ openssl req -new -sha256 -newkey rsa:2048 -nodes -out www.mydomain.cz.csr -keyout www.mydomain.cz.key
Generating a 2048 bit RSA private key
writing new private key to 'www.mydomain.cz.key'
Country Name (2 letter code) [XX]: CZ
State or Province Name (full name) : Hlavni mesto Praha
Locality Name (eg, city) [Default City]: Prague
Organization Name (eg, company) [Default Company Ltd]: Webhosting & Son ltd.
Organizational Unit Name (eg, section) : Tech Department
Common Name (eg, your name or your server's hostname) : www.mydomain.cz
Email Address : firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
The request is now in the file www.mydomain.cz.csr; this is what you send to the Certification Authority. The file www.mydomain.cz.key contains the private key, and because of "-nodes" it is stored unencrypted: keep it safe and confidential, never send it to the CA or anyone else, and restrict its permissions (e.g. chmod 600). Leave the "challenge password" and "optional company name" attributes empty unless your CA explicitly asks for them.
If you are creating a request for a wildcard certificate, enter an asterisk (*.mydomain.cz) in the "Common Name" field. Which names a certificate is valid for is decided by the names the CA puts into the issued certificate, not by the CSR alone: for a CSR with Common Name www.mydomain.cz the CA also adds the bare domain mydomain.cz as a Subject Alternative Name, so that certificate is valid for both. This does not apply to CSRs for other subdomains, e.g.:
- CSR for www.mydomain.cz - certificate will be valid for www.mydomain.cz and mydomain.cz
- CSR for mydomain.cz - certificate will be valid for mydomain.cz and will not be valid for www.mydomain.cz
- CSR for www.shop.mydomain.cz - certificate will be valid for www.shop.mydomain.cz and will not be valid for shop.mydomain.cz
- CSR for *.mydomain.cz - wildcard certificate will be valid for mydomain.cz, shop.mydomain.cz, www.mydomain.cz, ... and will not be valid for www.shop.mydomain.cz (a wildcard matches exactly one label)
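The same CSR can be produced without the interactive prompts, and with the extra names (the bare domain beside www, or beside a wildcard) written explicitly into the request as Subject Alternative Names instead of relying on the CA to add them. The following script is an added example, not part of the original tutorial or of any CA's tooling: it reuses the subject values typed in the transcript above, assumes OpenSSL 1.1.1 or newer (for "-addext"; on OpenSSL 3 "-noenc" is the newer spelling of "-nodes"), and the temporary directory and file names are assumptions. Besides generating the key and CSR it performs the checks worth running before uploading a CSR: that the Common Name and SANs are what you intended, that the request's self-signature verifies, and that the CSR really belongs to the private key you are about to install.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): non-interactive key + CSR
# generation for www.mydomain.cz with SANs, plus pre-submission checks.
# Assumes OpenSSL >= 1.1.1 (needs "-addext"). Paths are assumptions.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE [EXTRA_DNS_NAME...]
# Writes an unencrypted 2048-bit RSA key and a CSR whose subject mirrors the
# interactive answers above; DOMAIN and every extra name become DNS SANs.
make_csr() {
    domain=$1; key=$2; csr=$3; shift 3
    sans="DNS:$domain"
    for n in "$@"; do sans="$sans,DNS:$n"; done
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=CZ/ST=Hlavni mesto Praha/L=Prague/O=Webhosting & Son ltd./OU=Tech Department/CN=$domain" \
        -addext "subjectAltName=$sans" 2>/dev/null
}

# csr_cn CSRFILE -> prints the Common Name of the request's subject
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_sans CSRFILE -> prints the DNS names requested in subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_verify CSRFILE -> succeeds when the CSR's self-signature is valid
# (grep on the message: OpenSSL 1.1.1 returns 0 even on verify failure)
csr_verify() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_matches_csr KEYFILE CSRFILE -> succeeds when the CSR was built from KEYFILE
# Compares SHA-256 of the DER public key taken from each side.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo: one request for www.mydomain.cz that also names the bare domain,
# and one wildcard request. Everything lands in a throw-away directory.
demo() {
    dir=$(mktemp -d)
    make_csr www.mydomain.cz "$dir/www.key" "$dir/www.csr" mydomain.cz
    make_csr '*.mydomain.cz' "$dir/wild.key" "$dir/wild.csr" mydomain.cz
    for name in www wild; do
        echo "== $dir/$name.csr"
        echo "CN:   $(csr_cn "$dir/$name.csr")"
        echo "SANs: $(csr_sans "$dir/$name.csr" | tr '\n' ' ')"
        csr_verify "$dir/$name.csr" && echo "self-signature: OK"
        key_matches_csr "$dir/$name.key" "$dir/$name.csr" && echo "key matches CSR: yes"
    done
    rm -rf "$dir"
}
demo
```

The key_matches_csr check is the one to keep handy: after a reissue or a server migration it is the fastest way to find out why a freshly installed certificate is rejected by the web server, and the same public-key comparison works against the issued certificate ("openssl x509 -in cert.pem -pubkey -noout") once it arrives.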
When filling in the CSR, do not use diacritics. For an IDN (internationalized) domain, first convert the name to its ASCII "xn--" (Punycode) form, e.g. using the tool https://www.punycoder.com/, and enter that form in the "Common Name" field; certificates carry domain names only in this form.
For more tutorials on creating CSRs for other servers (Microsoft IIS, Exchange, ...) please visit https://www.digicert.com/kb/csr-creation.htm
The Certification Authority usually requires confirmation of domain control via a link sent to one of the standard mailboxes at the domain (you can choose from admin, administrator, hostmaster, postmaster or webmaster, e.g. admin@mydomain.cz). Therefore, make sure that mail for at least one of these addresses is actually delivered to you before submitting the request. Another validation option is to place the text supplied by the CA in a file served over HTTP at http://www.mydomain.cz/.well-known/pki-validation/fileauth.txt; the web server must answer for the validated name on that URL, so check it with a browser or curl before starting the validation.