diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d0e757c..540a30bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
CHANGELOG
=========
+* Fix CSR generation bug by updating the `-subj` value passed to `openssl`, and changing the input order.
+
v0.26b (January 25, 2018)
-------------------------
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 19d02dee..c6b5080f 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -556,7 +556,7 @@ def create_csr(domain, ssl_key, country_code, env):
"openssl", "req", "-new",
"-key", ssl_key,
"-sha256",
- "-subj", "/C=%s/ST=/L=/O=/CN=%s" % (country_code, domain)])
+ "-subj", "/C=%s/CN=%s" % (country_code, domain)])
def install_cert(domain, ssl_cert, ssl_chain, env, raw=False):
# Write the combined cert+chain to a temporary path and validate that it is OK.
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 0cc4d59a..1ec93a32 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -57,12 +57,6 @@
If you don't want to use our automatic Let's Encrypt integration, you can give any other certificate provider a try. You can generate the needed CSR below.
-
Which domain are you getting a certificate for?
-
-
-
-
(A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for besides the one you choose above.)
-
What country are you in? This is required by some TLS certificate providers. You may leave this blank if you know your TLS certificate provider doesn't require it.
+
Which domain are you getting a certificate for?
+
+
+
+
(A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for besides the one you choose above.)
+
You will need to provide the certificate provider this Certificate Signing Request (CSR):