What is a Certificate Signing Request (CSR)? Print

  • CSR for SSL
  • 0

For those of you who are new to SSL/TLS, or even you veterans who just want to brush up on your knowledge, we’re starting a series on SSL basics.

First up are certificate signing requests (CSRs). These little files are a critical part of applying for an SSL/TLS certificate, but what are they exactly and how can you generate one?

CSR definition
A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate.

Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key. We’ll go into more details on the roles of these keys below.

What information is included in a CSR?
The CA will use the data from the CSR to build your SSL Certificate. The key pieces of information include the following.

1. Information about your business and the website you’re trying to equip with SSL, including:

 
Common Name (CN):  The fully qualified domain name (FQDN) of your server.

Organization (O) :The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC. For EV and OV SSL Certificates, this information is verified by the CA and included in the certificate.
Organizational Unit (OU) : The division of your organization handling the certificate.
City/Locality (L) : The city where your organization is located. This shouldn’t be abbreviated.
State/County/Region (S) : The state/region where your organization is located. This shouldn't be abbreviated.
Country (C) : The two-letter code for the country where your organization is located.
Email Address: An email address used to contact your organization.

2. The public key that will be included in the certificate. SSL uses public-key, or asymmetric, cryptography to encrypt transmitted data during an SSL session. The public key is used to encrypt and the corresponding private key is used to decrypt.  

3. Information about the key type and length. The most common key size is RSA 2048, but some CAs, including GlobalSign, support larger key sizes (e.g. RSA 4096+) or ECC keys.

What does a CSR look like?
The CSR itself is usually created in a Base-64 based PEM format. You can open the CSR file using a simple text editor and it will look like the sample below. You must include the header and footer

(-----BEGIN NEW CERTIFICATE REQUEST-----) when pasting the CSR.

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----

How do I create a Certificate Signing Request (CSR)?
Generating the CSR will depend on the platform you’re using. We have a number of support articles with step-by-step instructions for doing this in the most popular platforms, including cPanel, Exchange, IIS, Java Keytool and OpenSSL.


Was this answer helpful?

« Back