Skip to main content





How to generate a CSR

  • Edit
    Collaborate with us
    Edit this page on GitHub
  • Sometimes you may need to request a new certificate or renew an existing one and your Certificate Authority (CA) will ask for a Certificate Signing Request (CSR) file in order to issue it. This article describes the options to generate a CSR.

    You don’t need to create the CSR in the OutSystems server. You can create it on another computer and keep the .CSR file for later use.

    A CSR can be generated in any computer as it contains information identifying the applicant to the domain certificate (and not the server), such as:

    • Country
    • State
    • Organization
    • Common name

    Domain certificates can be used in the servers of your choice as they are the property of the organisation that holds the private key. As a security best practice, private keys should be treated as confidential information.

    These instructions apply to both self-managed and OutSystems Cloud infrastructures and can be executed in any computer or in any of the available tools for the purpose.


    After completing this how-to you will have two files: one containing a private key, that you should keep in a safe location; and another one containing a CSR request that you should send to your CA.

    If you already have an SSL certificate and you wish to install it on your OutSystems environments, check instead:

    Steps to generate a CSR

    You can generate a CSR in multiple operating systems or tools and can chose the one that best suits you. Examples are:

    Using IIS

    One of the options to generate a CSR is to use Internet Information Services (IIS). Windows Servers already have IIS enabled by default, but if you are on a Windows computer where IIS is not enabled, you can enable it in the Control Panel.

    You must run all commands as a user with Administrator privileges

    1. On the Start menu, go to Windows Administrative Tools and click on Internet Information Services (IIS) Manager.
    2. At the left side, click on the server name.
    3. At the main window, double-click the Server Certificates icon in the IIS section in the middle.

      Server Certificates in IIS

    4. At the Actions menu on the right side, click on Create Certificate Request...

      Server Certificates in IIS

      The Request Certificate Wizard opens.

      Request Certificate in IIS)

    5. Enter the following information at Distinguished Name Properties:

      • Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., or
      • Organization - The legally registered name of your organization/company;
      • Organizational unit - The name of your department within the organization (frequently this entry is "IT," "Web Security," or left blank).
      • City/locality - The city in which your organization is located.
      • State/province - The state in which your organization is located.
      • Country/region - The country in which your organization is located.
    6. Click Next.

    7. Enter the following information at Cryptographic Service Provider Properties:

      • Cryptographic service provider - In the drop-down list, select Microsoft RSA SChannel..., unless you have a specific cryptographic provider.
      • Bit length - In the drop-down list, select 2048 (or higher).

      Request Certificate in IIS)

    8. Click Next.

    9. In the File Name menu, click the ... button on the right side to browse the location where you want to save the Certificate Signing Request (a text file). If you enter a filename without browsing to a location, your CSR is stored in your computer’s default folder (for example, Documents).

      Remember the filename you choose and the location where you save it. You will need this file later when ordering a certificate from a Certification Authority.

      Request Certificate in IIS)

    10. Click Finish.

    11. Your Certificate Signing Request is complete. Keep the generated CSR file safe.

    Backing up your private key

    When you create a Certificate Signing Request, you generate a private key too. Perform the following steps to create a backup of this key:

    1. Click the Windows Start button, type mmc, and press the Enter key to run the Microsoft Management Console.
    2. Click Yes to allow this app to make changes to your device.

      Microsoft Management Console permissions

      The Microsoft Microsoft Management Console window opens.

      Microsoft Management Console window

    3. Go to File > Add/Remove Snap-in...

      Add or Remove Snap-ins

    4. Select Certificates and click Add. The Certificate snap-in window opens.

      Certificates snap-ins

    5. Select Computer Account and click Next >.

    6. Select Local Computer and click Finish.

      Select Computer

    7. Click OK to close the add/remove snap-in window.

    8. Expand the Certificates (Local Computer) entry on the left side.

      Expand the Certificates

    9. Go to Certificate Enrollment Requests, expand it, and select the Certificates entry.

      Certificate Enrollment Requests)

    10. At the center, right-click on your certificate and choose All Tasks > Export.

      Export Certificate Enrollment Request)

      The Certificate Export Wizard opens.

      Certificate Export Wizard)

    11. Click Next.

    12. Select the Yes, export the private key radio button, and click Next.

      Certificate Export Wizard)

    13. Select the Personal Information Exchange - PKCS #12 (.PFX) radio button and keep the default selected setting.

      Certificate Export Wizard)

    14. Click Next.

    15. Select the Password: checkbox and type a new password for the private key backup file.
    16. Re-type your password, and click Next.

      Certificate Export Wizard)

    17. Click on the Browse button, and browse the location where you want to save the private key Backup file.

    18. Type the name for the file. By default, it has a .pfx extension.

      Certificate Export Wizard)

    19. Click Next. A resume of the operation is shown.

      Certificate Export Wizard)

    20. Click Finish. A dialog box shows a confirmation message.

      Certificate Export Wizard finished)

    The certificate export is complete.

    Using OpenSSL

    OpenSSL can be used to generate a Certificate Signing Request (CSR). You can also refer to this tutorial instead.

    1. Open a terminal and browse to a folder where you would like to generate your keypair

    2. Input the openssl command with the following arguments to generate the private key and CSR request:

    Field Example
    Country Name US (2 Letter Code)
    State or Province Texas (Full State Name)
    Locality Dallas (Full City name)
    Organization Example Inc (Entity's Legal Name)
    Organizational Unit IT (Optional, e.g. a department)
    Common Name* (Domain or Entity name)


    You should now have a Private Key (privatekey.key) in PEM format, which should stay on your computer, and a Certificate Signing Request (CSR.csr), which can be submitted to a Certificate Authority (CA) to sign your public key.

    Other options

    There are several other options and tools to create a CSR. This guide, for example, offers a good collection of articles to generate a CSR in various platforms.

    • You can find here steps to create a CSR in macOS Keychain Access.
    • For Microsoft Azure users, you can find here the instructions to create a CSR in Key Vault.
    • Was this article helpful?