Certificate Signing Request (CSR) generation

A Certificate Signing Request (CSR) contains your public key and subject information, signed with your private key.

To enroll a certificate, submit the CSR to the enroll API endpoint. The API accepts a single-line Base64 PKCS#10 value.

The following shows two possible ways to generate a CSR:

• OpenSSL (Linux/macOS/Windows with OpenSSL)

# 1) Generate key + CSR (add SANs as needed)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
  -subj "/C=CA/ST=Ontario/L=Ottawa/O=Example Corp/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:example.com"

# 2) Convert CSR to a single-line Base64 PKCS#10 string
openssl req -in server.csr -outform DER | base64 | tr -d '\n'

• Windows (certreq)

# 1) Use your request.inf to generate a CSR:
certreq -new request.inf server.csr

# 2) Open server.csr, copy the Base64 body only, and remove all line breaks so it’s one line before sending it to the API. 

Further reading

• RFC 2986 — PKCS#10 CSR basics
• RFC 5280 — Subject Alternative Name
• OpenSSL: openssl req manual
• OpenSSL: x509v3_config (SAN examples)
• Windows: certreq command
• Java: keytool CSR (+ SAN example)