Certificate Signing Requests
Tip
If you're unsure about creating certificates, consider using Aptible's Managed TLS feature.
If you'd like to use a Custom Certificate with your Endpoints, you will need to generate a CSR, or Certificate Signing Request.
The CSR is a file containing information about an SSL / TLS certificate you'd like a CA (Certification Authority) to issue.
You can generate a new CSR using OpenSSL's openssl req command:
openssl req -newkey rsa:2048 -nodes \
-keyout "$DOMAIN.key" -out "$DOMAIN.csr"
Store the private key (the $DOMAIN.key file) and CSR (the $DOMAIN.csr file) in a secure location, then request a certificate from the CA of your choice.
Once your CSR is approved, if the CA asks what certificate format you prefer, request an "NGiNX / other" format.
If you are unsure which certificates, private keys, and CSRs match each other, you can compare the hashes of the modulus of each:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in "$DOMAIN.key" | openssl md5
openssl req -noout -modulus -in "$DOMAIN.csr" | openssl md5
If the hashes are identical, that means the files match.
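The same matching check as an added example (not Aptible's own code): it goes beyond the modulus comparison above by hashing the full public key, so it also works for non-RSA keys, and it uses SHA-256 in place of MD5. The function names and the a.* / b.* sample files are constructed for the demonstration; the self-signed certificate stands in for one issued by a CA.

```shell
#!/bin/sh
# Added example (not from the original page): compare the public key inside a
# certificate, private key and CSR. Works for RSA and EC keys alike.

# pub_hash TYPE FILE -> SHA-256 of the file's public key (PEM SubjectPublicKeyInfo).
# Fails instead of hashing empty output when the file is missing or unparsable,
# so two broken files can never appear to "match".
pub_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    false ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# files_match CERT KEY CSR -> 0 all match, 1 mismatch, 2 a file could not be read.
files_match() {
    c=$(pub_hash cert "$1") && k=$(pub_hash key "$2") && r=$(pub_hash csr "$3") || return 2
    [ "$c" = "$k" ] && [ "$k" = "$r" ]
}

# Constructed sample data: two throwaway RSA keys with CSRs, plus a self-signed
# certificate for key "a" (an assumption standing in for the CA-issued one).
make_samples() {
    for n in a b; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp" || { echo "openssl failed to create samples" >&2; exit 1; }
files_match "$tmp/a.crt" "$tmp/a.key" "$tmp/a.csr" && echo "a.crt, a.key, a.csr: match"
files_match "$tmp/a.crt" "$tmp/b.key" "$tmp/a.csr" || echo "b.key does not belong to a.crt"
```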
Tip
You can reuse a private key and CSR when renewing an SSL / TLS certificate, but from a security perspective, it's often a better idea to generate a new key and CSR when renewing.