How to generate a SSL Certificate Signing Request externally


This document provides steps to generate a Certificate Signing Request(CSR) outside of the GSA. The CSR can be generated from the admin console of the GSA. However in some cases you may prefer to generate the CSR outside of the appliance and get it signed by the CA. The most common use cases are:


  • Your Certificate Authority (CA) requires you to generate a CSR with larger than 1024 RSA key length.
  • You would like to keep a backup copy of the private key.



  • CA - Certificate Authority. CA is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes.
  • CSR - Certificate Signing Request. CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
  • PEM - Privacy-enhanced Electronic Mail. The .pem file name extension is used for a Base64-encoded X.509 certificate.
  • GSA - Google Search Appliance.


You need to create a private key before generating the CSR. You need the Openssl tool to create the private key and the CSR. The following command creates 2048 bit private key that is neither encrypted nor password protected. These are the requirements for the GSA.

openssl genrsa  -out privkey.pem 2048




openssl req -new -key privkey.pem -out cert.csr

Sample output:

Country Name (2 letter code) (AU) :US
State or Province Name (full name) (Some-State):California
Locality Name (eg, city) ():Mountain View
Organization Name (eg, company) (Internet Widgits Pty Ltd):ESO
Organizational Unit Name (eg, section) ():FrontLine
Common Name (eg, YOUR name) ()
Email Address ():

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

Note : The Common name that you provide to generate the CSR must match the host name of the SSL server, in this case the host name of the GSA. Otherwise the browsers will pop-up a warning message when establishing a connection.


Send the CSR that you just generated to the CA and get it signed. The CA typically sends the Signed Server Certificate, a.k.a End Entity Certificate via email. It is usually in the Base64 encoded PEM format.
Note : For security reasons, you must not send the private key to the CA or anyone else for that matter. Keep your private key safe.


Follow the procedure documented in the Admin console online help guide

    • Generating the Private key
    • Generating the CSR
    • Submission of CSR for Signing
    • Installation of Signed Server Certificate



  1. Openssl - Most of the Linux distribution comes with this tool by default. Alternatively, you can download it from
Was this helpful?
How can we improve it?