How to Create a CSR
To order a certificate, you need to create a CSR (Certificate Signing Request) on your server. You can create a CSR by issuing the following OpenSSL command.
openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout www_example_com.key -out www_example_com.csr
Requirements on provided data
SSL certificates must contain locality information (i.e. country and state) written in compliance with the regional lists (ISO lists), as per the CA/Browser Forum Baseline Requirements stated in section 220.127.116.11.
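The command and the locality requirement above, as an added example that is not part of the original page: it creates the CSR without interactive prompts and checks its self-signature, key size, hash, and the form of the country and state fields before submission. The subject values and the function names make_csr and check_csr are assumptions, and the country check tests the two-letter form only, not membership in the ISO list.

```shell
#!/bin/sh
# Added example; subject values and function names are constructed placeholders.

# make_csr DIR SUBJECT
# Same command as on this page, with the subject passed via -subj.
make_csr() {
    ( umask 077   # keep the unencrypted (-nodes) private key owner-only
      openssl req -new -nodes -newkey rsa:2048 -sha256 \
          -subj "$2" \
          -keyout "$1/www_example_com.key" \
          -out "$1/www_example_com.csr" 2>/dev/null )
}

# check_csr FILE
# Returns 0 if the CSR passes every check, otherwise a code naming the failure.
check_csr() {
    text=$(openssl req -in "$1" -noout -text -nameopt multiline 2>/dev/null) \
        || return 1                                   # not a readable CSR
    # The self-signature shows the requester holds the private key.
    # Match on the message: older OpenSSL exits 0 even when it fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' \
        || return 2
    # Key size and hash must be what was requested on the command line.
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
        || return 3
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || return 4
    # Country: exactly two upper-case letters (form only, not the ISO list).
    printf '%s\n' "$text" | grep -Eq 'countryName *= *[A-Z]{2}$' \
        || return 5
    # State or province must be present and non-empty.
    printf '%s\n' "$text" | grep -Eq 'stateOrProvinceName *= *[^ ]' \
        || return 6
    return 0
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" "/C=DE/ST=Berlin/L=Berlin/O=Example GmbH/CN=www.example.com"
check_csr "$demo_dir/www_example_com.csr" && echo "CSR passed all checks"
rm -rf "$demo_dir"
```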
Default Root Certificate for Symantec SSL Certificates
To comply with high security standards, we introduced several additional algorithms to choose from for certificate creation / renewal / reissue (Parameter: algorithm).
Important: Since December 1st 2017 all Symantec SSL certificates are issued via the Digicert PKI.
The default Root Certificate for SSL certificates of the Symantec family (Symantec / Thawte / Geotrust / RapidSSL) will be changed to Digicert’s SHA256 intermediate certificate with a SHA-1 RSA root certificate as of March 13th 2018 (Parameter: algorithm = SHA2-256).
Which root CA option should I use?
We recommend the default option "SHA2-256" (SHA-256 for the certificate and SHA-1 for the root CA) for most SSL certificate uses. Nearly all browsers and applications support the SHA-1 root CA, so most browsers and applications can connect to your site.
Note that using SHA-1 for the root CA is secure and compliant, because the root CA is verified by means other than the signature hash algorithm.
However, if your application or policy requires SSL certificates with a SHA-256 root CA, use the option "SHA256-FULL-CHAIN" that includes SHA-256 for the root CA.
For ECC CSRs you can also use "SHA256-ECC-FULL" or "SHA256-ECC-HYBRID".
For Symantec Secure Site Pro you can also use special algorithms as listed below.