A CSR (Certificate Signing Request) is a block of encoded text that is submitted to a Certificate Authority (CA) when requesting an SSL certificate.
The CSR is usually generated on the server where the certificate will later be installed. It contains information that will be included in the certificate, such as:
organization name
domain name (Common Name / CN)
locality
country
It also contains the public key that will be embedded in the certificate.
When generating a CSR, a private key is created at the same time, forming a key pair (public key + private key).
In the following steps we will use OpenSSL to generate the private key and the CSR.
Step 1 — Generate a Private Key
Run the following command:
openssl genpkey -algorithm RSA -des3 -out private_demo.key -pkeyopt rsa_keygen_bits:4096
⚠️ Important
Store the generated private key in a secure location.
Do not share this file with anyone.
Step 2 — Create the CSR Configuration File
Create a configuration file (for example my_demo_csr.cfg) containing your company information.
Example:
oid_section = OIDs
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ OIDs ]
OrganizationIdentifierOID=2.5.4.97
[ req_distinguished_name ]
C = DE
L = Munich
O = TPP client
CN = website.clientpp.com
OrganizationIdentifierOID = PSDDE-NDGIT-{client-id}
Update the following fields according to your organization:
C – country code
L – locality (city)
O – organization name
CN – domain name
OrganizationIdentifierOID – organization identifier
⚠️ Important requirements
OrganizationIdentifierOID
Keep the format:
PSDDE-NDGIT-{client-id}
Replace {client-id} with:
your ID at the National Competent Authority (NCA)
or another unique identifier (for example your company name)
Example:
PSDDE-NDGIT-MyCompanyName
Common Name (CN)
Use the domain name only, without protocol.
Correct example:
website.clientpp.com
Incorrect example:
https://website.clientpp.com
The domain specified in CN must match the domain used in your redirect URIs.
If it does not match, API requests containing those redirect URIs will be rejected.
Step 3 — Generate the CSR
Run the following command:
openssl req -new -key private_demo.key -out demo.csr -config my_demo_csr.cfg
Possible OpenSSL Error
If you encounter the following error:
problem creating object OrganizationIdentifierOID=2.5.4.97
error:08064066:object identifier routines:OBJ_create:oid exists
this means that you are using a newer OpenSSL version where this OID is already included.
In that case, use the following simplified configuration file:
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = DE
L = Munich
O = TPP client
CN = website.clientpp.com
organizationIdentifier = PSDDE-NDGIT-{client-id}
After updating the configuration file, run the CSR generation command again.
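Added example (not part of the original guide): a shell pre-flight check that reads the configuration file and enforces the CN and organization identifier rules from Step 2 before the CSR generation command is run. The function names dn_value and check_csr_cfg are hypothetical, the section name req_distinguished_name is taken from the sample configs on this page, and comparing hosts case-insensitively is an assumption.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of a CSR config file against the Step 2 rules.
# dn_value and check_csr_cfg are hypothetical helper names, not OpenSSL commands.

# Print the value of KEY from the [ req_distinguished_name ] section of FILE.
dn_value() {  # usage: dn_value FILE KEY
  awk -v key="$2" '
    /^[ \t]*\[/ { in_dn = ($0 ~ /\[[ \t]*req_distinguished_name[ \t]*\]/); next }
    in_dn {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) print v
    }' "$1"
}

# Return 0 if FILE satisfies the CN and identifier rules, 1 otherwise.
check_csr_cfg() {  # usage: check_csr_cfg FILE [REDIRECT_URI...]
  cfg=$1; shift; rc=0
  cn=$(dn_value "$cfg" CN)
  # The key name differs between the two config variants on this page.
  oi=$(dn_value "$cfg" OrganizationIdentifierOID)
  [ -n "$oi" ] || oi=$(dn_value "$cfg" organizationIdentifier)

  case $cn in
    '')      echo "CN is missing"; rc=1 ;;
    *:*|*/*) echo "CN must be the domain only, without protocol: $cn"; rc=1 ;;
  esac

  case $oi in
    *"{"*|*"}"*)    echo "replace {client-id} in: $oi"; rc=1 ;;
    PSDDE-NDGIT-?*) ;;
    *)              echo "identifier must keep the format PSDDE-NDGIT-<id>: $oi"; rc=1 ;;
  esac

  # Each redirect URI must point at the CN domain. Comparing case-insensitively
  # is an assumption of this example; the page only says the domains must match.
  for uri in "$@"; do
    host=${uri#*://}; host=${host%%[/?#]*}; host=${host##*@}; host=${host%%:*}
    if [ "$(printf %s "$host" | tr 'A-Z' 'a-z')" != "$(printf %s "$cn" | tr 'A-Z' 'a-z')" ]; then
      echo "redirect URI host '$host' does not match CN '$cn'"; rc=1
    fi
  done
  return "$rc"
}
```

Call it as check_csr_cfg my_demo_csr.cfg followed by your redirect URIs; a non-zero exit status means the configuration should be corrected before the CSR is generated.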
Example of a Generated CSR
The resulting demo.csr file will look similar to the following:
-----BEGIN CERTIFICATE REQUEST-----
MIIEqzCCApMCAQAwZjELMAkGA1UEBhMCREUxDzANBgNVBAcMBk11bmljaDEnMCUG
...
-----END CERTIFICATE REQUEST-----
Submit the CSR
Once the CSR has been generated, please send it to our support team.
To do so:
Go to our Help Center.
Click Submit a request.
Create a support ticket.
Attach the generated CSR file to your request.
Our team will review your request and process the certificate issuance.
Optional: Additional Documents
If the information provided is not sufficient to verify your TPP status, we may request additional documentation.
Receive the Demo Certificate
After the review process is completed, we will send you a signed certificate.
You can then use this certificate to test your integration in the PSD2 Sandbox environment.