Generate a Certificate Signing Request (CSR) for GOV.UK

This page was imported from the opsmanual on GitHub Enterprise. It hasn’t been reviewed for accuracy yet.

When buying an SSL certificate for a GOV.UK domain, a certificate signing request is required.

Generating the CSR

Execute the following on a POSIX-compliant machine, for example your Mac:

DOMAIN_NAME=example.service.gov.uk bash -c 'openssl req -nodes -newkey rsa:2048 -keyout ${DOMAIN_NAME//[^a-zA-Z0-9]/_}.key -out ${DOMAIN_NAME//[^a-zA-Z0-9]/_}.csr -subj "/C=GB/ST=England/L=London/O=UK government/OU=Government Digital Service/CN=${DOMAIN_NAME}/"'

Be sure to replace the value ‘example.service.gov.uk’ set in the ‘DOMAIN_NAME’ environment variable with the domain name the SSL certificate is intended for.

The contents of the .key file must be kept secret. You will most likely want to store its contents encrypted in the deployment repository.

The contents of the CSR should be shared with the SSL certificate provider. This allows them to generate the SSL certificate.
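Before sending the CSR to the provider, it is worth checking that it carries the intended domain, that it was produced from the key you are keeping, and that the key file is not readable by other users. The following is an added example, not part of the original page: `check_csr` is a hypothetical helper name, and the demo at the end builds a constructed throwaway pair in a temporary directory.

```sh
# Added example, not from the original page. check_csr is a hypothetical helper.
# Usage: check_csr DOMAIN CSR_FILE KEY_FILE   (returns 0 only if every check passes)
check_csr() {
  domain=$1; csr=$2; key=$3

  # Key file must not be accessible to group or others (mode 600 or stricter).
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $key is accessible to group/other" >&2; return 1; }

  # The CSR's self-signature must verify. The exit status of -verify is not
  # reliable across OpenSSL versions, so match the "verify OK" message instead.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "FAIL: CSR self-signature does not verify" >&2; return 1; }

  # The CN in the subject must be the domain the certificate is intended for.
  subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  case ",${subject#subject=}," in
    *",CN=$domain,"*) ;;
    *) echo "FAIL: CN is not $domain ($subject)" >&2; return 1 ;;
  esac

  # RSA modulus must be at least 2048 bits, as in the command on this page.
  bits=$(openssl req -in "$csr" -noout -text |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "FAIL: key is only ${bits:-?} bits" >&2; return 1; }

  # The public key inside the CSR must belong to the private key on disk.
  [ "$(openssl req -in "$csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: CSR was not generated from $key" >&2; return 1; }

  echo "OK: $csr is ready to send; $key stays private"
}

# Constructed demo: throwaway key pair for example.service.gov.uk in a temp dir.
demo_dir=$(mktemp -d)
( umask 077   # the new key file is created owner-only
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$demo_dir/example_service_gov_uk.key" \
    -out "$demo_dir/example_service_gov_uk.csr" \
    -subj "/C=GB/ST=England/L=London/O=UK government/OU=Government Digital Service/CN=example.service.gov.uk/" \
    2>/dev/null )
check_csr example.service.gov.uk \
  "$demo_dir/example_service_gov_uk.csr" "$demo_dir/example_service_gov_uk.key"
```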

This page is owned by #2ndline and needs to be reviewed