How to generate a CSR on Google Cloud platform

A Certificate Signing Request (CSR) can be generated right from your Google Cloud platform account. This can be done with the help of a built-in Command Line Console available in your account. It’s called “Google Cloud Shell”.

Cloud Shell is only available for the accounts that have a Project created. More information on how to enable Google Cloud Shell can be found here.

Once Cloud Shell is enabled, you are ready to proceed with the CSR generation. Click on the “Activate Google Cloud Shell” button from the top menu bar to open the console:


The console window will appear at the bottom of the page:

As provided on the screenshot, the console will open the current user’s home directory /home/user. A Certificate Signing Request can be generated in this directory or any other directory convenient for you. Run the following OpenSSL command to create a CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

(*yourdomain should be replaced with your actual domain name).

The command will prompt entering the following contact data (use only English alphanumeric symbols while submitting the information):

  • Country Name (2 letter abbreviation should be used)
  • State or Province Name (should not be abbreviated)
  • Locality Name (city)
  • Organization Name (NA can be used if there is no Company related to the domain)
  • Organizational Unit Name (NA can be used if there is no Company related to the domain)
  • Common Name (domain or subdomain name you wish to secure. I.e,, or * for Wildcard certificates)
  • Email address (can be left blank).

Note: If you have a Multi-Domain certificate, additional domains or Subject Alternative Names (SANs) should be added during the certificate activation in your account.

A challenge password” and “An optional company name” should not be filled in order to avoid issues upon the certificate activation. Please skip these fields using “Enter” to leave them empty.

Once generated, you can see that the command produced two files: yourdomain.csr and yourdomain.key. These are the files that contain Certificate Signing Request and Private Key codes.

The CSR code including “-----BEGIN CERTIFICATE REQUEST---- and “-----END CERTIFICATE REQUEST----” tags should be pasted into the CSR box on the first step of the certificate activation in your account.

Additionally, you can verify the validity of the generated CSR code using this online CSR decoder.

The Private Key code starts with “-----BEGIN PRIVATE KEY-----” and ends with “-----END PRIVATE KEY-----” tags. This key should be used for the certificate installation once your certificate is activated and issued. Please make sure to save this file, since a Private Key generated with the CSR is the only key that will the match  certificate created from a CSR. The removal of the Private Key will lead to the certificate reissuance.

Powered by Zendesk