How to Generate a CSR on Amazon Web Services (AWS)

SSL certificates are essential for various AWS products, including AWS Elastic Beanstalk, Elastic Load Balancing, CloudFront, and AWS OpsWorks. This article provides guidance on generating a Certificate Signing Request (CSR) suitable for these services.

CSR, which stands for Certificate Signing Request, contains encoded information about the certificate applicant and the associated domain name.

Upon purchasing an SSL certificate, it’s necessary to activate the SSL and submit the CSR to the CA (Certificate Authority) during the process. The CA utilizes the CSR data for certificate validation.

An RSA Private Key is generated alongside the CSR, serving a vital role in data encryption. It’s crucial to safeguard the Private Key on the server to prevent compromise.

The following command-line tools are essential for certificate creation and uploading to AWS:

  • OpenSSL: Used for generating Private Keys and CSRs.
  • PowerShell or cmd: Standard command-line tools for Windows servers.
  • AWS Command Line Interface (CLI): Enables certificate upload to AWS.

Two methods for generating CSRs are outlined below:

Generating CSR using OpenSSL

This option is normally used on Linux-based Amazon instances, as they usually already have the required tool set up, or it is easy to set up. All commands should be run through either the CLI or any third-party command-line tool connected to your instance (for example, PuTTY, or the Terminal app on macOS and Linux).

The Private Key is created first and then the CSR is generated based on it.

1) Run the following command to generate the key:

sudo openssl genrsa -out private.key 2048

where 2048 is the key size. If you do not specify the size, a 2048-bit key is generated.

You can specify any name for the key file (private.key) to make it recognizable in case you have multiple SSLs stored on the server.

If you want to generate the SSL with an ECDSA algorithm, you can use this command instead (this is just a recommended option; there are other setups you can use, too):

sudo openssl ecparam -genkey -name secp384r1 -out private.key

2) The CSR is generated based on the Private Key. The following command is used for the CSR creation:

sudo openssl req -new -key private.key -out csr.pem

2.1) Alternatively, you can use one command to generate the RSA Private Key and CSR:

sudo openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out csr.pem

The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields, but you can leave some blank.
For some fields there will be a default value.
If you just press Enter, the field will be left blank.

2.2) The following information needs to be filled in. We strongly recommend filling in all the fields. A CSR with any blank fields can be rejected by our system or by the Certificate Authority.

Note: For Organization Validation (OV) or Extended Validation (EV) types of SSLs, make sure to use the correct legal company name. If it’s a reissued CSR, ensure the company details are the same as the ones used previously.

Note: Please only use alphanumeric characters. A CSR with special symbols, such as Ä or È, will not be recognized. Such special characters should be replaced with their alphanumeric analogs, such as A and E.

Country Name: use a valid 2-letter country code.
State or Province: use your state or province name, or use the Locality name if you have none.
Locality Name: use your city, town or other locality name.
Organization Name: use your company/organization name or put NA (Not Applicable).
Organizational Unit: use your unit or department name or put NA (Not Applicable).
Common Name: Fully qualified domain name you need to secure: for example,

Note: When filling in the Common Name field, it is important to remember that it should be the exact domain name you need to secure. It should look like,, or like, if you need to secure the subdomain.

For a Wildcard certificate the common name should be stated as * or *

Email Address: Server administrator’s email address: for example, This email address will be fetched by the system as an administrative contact for the SSL certificate files to be sent to once the certificate is issued. You’ll be able to change it during the SSL activation as well.

Challenge password and Optional company name are legacy fields and can be skipped.

Most certificates we provide secure both and automatically. However, if you have any doubts, we recommend checking the correct way to define your domain name for a particular certificate with our Support Team.

3) Run the following command to open the CSR file you’ve just generated:

cat csr.pem

In the output you will see the CSR in plain text. Copy the whole text starting with the “-----BEGIN CERTIFICATE REQUEST-----” line and use it for the certificate activation. Once the certificate is issued by the Certificate Authority, you can proceed with its installation.

The process is the same for all Linux distributions, including Amazon AMI Linux.
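
The one-command variant from step 2.1 can also be scripted so that no prompts are involved and the result is checked before the CSR is submitted to the CA. The following is an added example, not part of the original article; the function names, file locations and subject values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation plus pre-submission checks.
# Function names, paths and the subject string are constructed placeholders.
# Usage: make_csr . "/C=US/ST=California/L=San Francisco/O=Example Inc/OU=IT/CN=www.example.com"
#        check_csr ./private.key ./csr.pem && csr_subject ./csr.pem

# make_csr DIR SUBJECT: write DIR/private.key and DIR/csr.pem.
make_csr() {
    dir=$1 subj=$2
    (
        # Restrictive umask: the key file is readable by its owner only.
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/private.key" -out "$dir/csr.pem" \
            -subj "$subj" 2>/dev/null
    )
}

# check_csr KEY CSR: succeed only if the CSR is intact, belongs to KEY,
# and carries a 2048-bit key (the size this article uses throughout).
check_csr() {
    key=$1 csr=$2
    # 1. Self-signature check. The message wording differs between
    #    OpenSSL versions, but all of them contain "verify OK".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The public key inside the CSR must equal the one derived from KEY,
    #    otherwise the issued certificate cannot be installed with this key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$csr_pub" = "$key_pub" ] || return 1
    # 3. Key size as recorded in the request.
    openssl req -in "$csr" -noout -text | grep -q 'Public-Key: (2048 bit)'
}

# csr_subject CSR: print the Distinguished Name stored in the request,
# so the fields from step 2.2 can be reviewed before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```

Running check_csr against the wrong key file fails at the second check, which is a quick way to find the matching key when several are stored on the server.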

Note: The Windows operating system has a similar process, which can be done this way.

Warning: Please remember the following points before beginning the process:

Write down the directory where the CSR was generated, as the Private Key for the SSL will be saved there. You will need to know where the key is located in order to install the SSL.

If you are not sure which folder it is, you can check the current directory with the pwd command, or search for the file:

find / -type f -name "*.csr"

or

find / -type f -name "*.pem"

(depending on what extension was used)

Generating CSR using PowerShell

This method is used on Windows-based machines, as they already feature the required command-line tools; a certificate request storage is created instead of a Private Key.

1) Create the configuration file example.inf (you can use any file name) on your Windows server with the CSR details following this example:

[NewRequest]
Subject = "/CN=*Common Name*/C=*Country*/ST=*State or Province*/L=*Locality or City*/O=*Company*/OU=*Organizational unit*"
Exportable = TRUE
KeyLength = *key size in bits*
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE

Replace all values marked with ‘**’ with your actual details.

2) Save it and run the following command in cmd or PowerShell:

certreq -new example.inf csr.txt

3) Open the file with any text editor (we use Notepad in this example as it is always present on Windows) or use the following command:

notepad csr.txt

Note: If you plan to import the SSL using AWS Certificate Manager (ACM), it only supports 2048 and outdated 1024-bit keys.