# Create a CSR for an API user

# What is a CSR?

A Certificate Signing Request (CSR) is a file that contains your public key and some identifying information. Fireblocks takes your API user's public key from the CSR and then uses it to verify and authenticate your API calls.

# Before you begin

Make sure you have the following:

* Access to a machine where you can run OpenSSL or similar tooling
* A secure location to store your private key

# Step 1: Create the private key & CSR files

## Using OpenSSL (recommended for most users)

Open your terminal or command line and run the following command to generate a private key and CSR:

<CodeGroup>
  ```bash bash theme={"system"}
  openssl req -new -newkey rsa:4096 -nodes -keyout api_private.key -out api_user.csr
  ```
</CodeGroup>

### What this does

* Creates a private key file: **api\_private.key**
* Creates a CSR file: **api\_user.csr**

<Warning>
  ### Security reminder

  *Never* upload or share the **api\_private.key** file. Store it securely using a Key Management System (KMS), HSM, or encrypted file storage.
</Warning>

# Step 2: Fill in the CSR details

When prompted, complete the following fields:

| Field                    | Description                                                  |
| ------------------------ | ------------------------------------------------------------ |
| Common Name (CN)         | Your name or the API user's name (e.g., John\_the\_API\_Guy) |
| Organization (O)         | Your organization's name                                     |
| Organizational Unit (OU) | Optional field (e.g., API Team)                              |
| Country (C)              | Two-letter country code (e.g., US)                           |
| State (ST)               | Your state or province                                       |
| Locality (L)             | Your city                                                    |
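
Before uploading, you can confirm that the CSR's self-signature verifies, that it matches your private key, and that the file you are about to upload contains no private key material. The script below is an added example, not part of the Fireblocks documentation; the function names `contains_private_key` and `verify_csr_pair` are hypothetical, and it assumes the file names from Step 1 and an unencrypted key, which is what `-nodes` produces.

```bash
#!/bin/sh
# Added example: pre-upload checks for the files created in Step 1.
# Function names are hypothetical; file names follow the page.
# Assumes an unencrypted private key, which is what -nodes produces.

# True if the file holds a PEM private key block of any common type.
contains_private_key() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Usage: verify_csr_pair <private-key-file> <csr-file>
# Returns 0 when the CSR is consistent and safe to upload, otherwise:
#   1 = CSR file contains private key material
#   2 = not a parseable CSR, or its self-signature does not verify
#   3 = private key file cannot be read
#   4 = CSR public key does not belong to the private key
verify_csr_pair() {
    key=$1
    csr=$2
    if contains_private_key "$csr"; then
        echo "FAIL: $csr contains a private key; do not upload it" >&2
        return 1
    fi
    # Match on the message text rather than relying on the exit status alone.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $csr is not a CSR with a valid self-signature" >&2
        return 2
    fi
    # Compare the public key (PEM SubjectPublicKeyInfo) derived from each file.
    if ! key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null); then
        echo "FAIL: cannot read private key $key" >&2
        return 3
    fi
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    if [ "$key_pub" != "$csr_pub" ]; then
        echo "FAIL: $csr was not generated from $key" >&2
        return 4
    fi
    echo "OK: $csr verifies and matches $key"
    # Print the subject so it can be reviewed against the Step 2 fields.
    openssl req -in "$csr" -noout -subject
}

# Run against the Step 1 files when they are in the current directory.
if [ -f api_private.key ] && [ -f api_user.csr ]; then
    verify_csr_pair api_private.key api_user.csr
fi
```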

# Step 3: Upload the CSR file

* In the Fireblocks Console, [follow these steps to create an API user](https://support.fireblocks.io/hc/en-us/articles/4407823826194-Adding-new-API-Users#h_01HHHT468Y7RFAP3E5DNJYHHZZ). Note that only Admin-level workspace users (Owner, Admin, and Non-Signing Admin) can create API users.
* Upload the **api\_user.csr** file in the **CSR File** field.

<Warning>
  ### Warning

  Do *not* upload your private key! Keep the **api\_private.key** file secure for signing API requests later.
</Warning>
