A Certificate Signing Request (CSR) is an encoded message sent from an applicant to a Certificate Authority (CA) such as SSL.com to apply for a digital certificate. It contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country, as well as the public key that will be included in the certificate.
When you create a CSR, you are essentially requesting a trusted CA to issue a digital certificate that verifies the identity of your website or organization. The CSR is signed with the corresponding private key, which proves that you possess the private key and ensures the integrity of the CSR data.
The CSR format is specified by the PKCS #10 standard, which defines the syntax for certification requests.
Purpose of a CSR:
- Authentication: The primary purpose of a CSR is to provide the necessary information to a CA to issue a digital certificate. The CA verifies the information in the CSR and, if approved, issues a signed certificate that authenticates the identity of the requester.
- Encryption: The CSR holds the public key for the certificate that will be issued. This key is used to encrypt sensitive information during SSL/TLS communication, ensuring secure data transmission between a client and a server.
- Integrity: The CSR is signed with the corresponding private key, ensuring the integrity of the data contained within the CSR. This signature also proves that the requester possesses the private key associated with the public key in the CSR.
CSR Generation Process
- Key pair generation: The applicant generates a public-private key pair using a cryptographic algorithm (e.g., RSA, ECC). The private key is kept secure by the applicant, while the public key is included in the CSR.
- CSR creation: The applicant creates a CSR file that includes the public key and other identifying information, such as the common name, organization, and locality. The CSR is typically encoded using Base-64, a standard format for representing binary data in ASCII text.
- CSR submission: The applicant submits the CSR to a trusted CA for verification and certificate issuance.
- Verification and issuance: The CA verifies the information in the CSR and, if approved, issues a signed digital certificate that includes the public key from the CSR.
What information is included in a CSR?
The set of identifying information entered when creating a CSR is known as the Subject DN (Distinguished Name). For example, a CSR for an SSL/TLS certificate may contain the following fields:
- Common Name (CN): The Fully Qualified Domain Name (FQDN) of the website the certificate is intended to protect.
- Organization (O): The name of a company or organization.
- City/Locality (L): The name of a city or town.
- State/Province (S): The name of a state or province.
- Country (C): A two-letter country code.
- Email Address (E): An email address associated with the certificate request.
Note that only the Common Name field is required by SSL.com when submitting a CSR for an SSL/TLS certificate, and the others are optional. For more information about the Common Name, please refer to this FAQ. A CSR also contains a public key, and may include SAN entries with additional domain names to be protected by the certificate.
What does a CSR look like?
A CSR is typically encoded using Base-64, a standard format for representing binary data in ASCII text. The base-64 encoded CSR will look like a long string of random characters, similar to the example below:
-----BEGIN CERTIFICATE REQUEST-----
MIIC3DCCAcQCAQAwgZUxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEQ
MA4GA1UEBwwHQnVmZmFsbzEVMBMGA1UECgwMRXhhbXBsZSBDb3JwMRswGQYDVQQD
DBJ3d3cuZXhhbXBsZWNvcnAuY29tMSkwJwYJKoZIhvcNAQkBFhpqb2huLmRvZUBl
eGFtcGxlY29ycC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDI
Xm5nxIO8BQC/kFF6QVPGTKxJch+fUUI3y4TfEPXpsJItVhvb33B8ShlOz9usqzL+
f0NVIMMhJZVSfsTRjD6VJSSHj2XlqXQYKJ0Cw7c1x571sSM6LaPg/27TzdBs+YFH
PXdYSKZfPjXyxEKDkilSIFgJ8bEVcB6Kr0oN4Zh75HrFXQrEf+rHX2o6ynOcGdVR
k4mXJK4w7zFcc+Xs8Qf73/0tnLd/yMqUJVEpLHQCMWPPK8/M6S0rEP10Csfg5Rdv
H7Z79gfmO/5JDn1q8+eIplZSmuEbwdGhbiz/UXyQkhlN2fFqzepTrB1+UcMpgnpD
4Zmh3ABbiVX8w/Gh941JAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAcdIfbPXw
A57RGLF1ARjX7BmsHjrxzJhL9zLu/cHyZwTkyLvFpExsYPXcSNVhZzvzvwL40HDJ
lFEOUDTHFHC0uO27d0pdYzVh7yfC+pgpcxBAiV+pgDgguXCGkcQft44zTv2RLeUp
uoXihz0hNnW3OQtSszTrdhOoTeKR0FIC0al9wMe0+BrJOYSMkQQE5bO1OPM3foUi
jp+Nj0JjW4KxGAqozTYRmBH+rQCDt7r94fPRB8TImFCWaFhRoVFcjTqpSjDCFLKg
g6NlSJWB2gXpRs3aUJtd+4JCDLNz5cxC9Hhs7eQaJFtdJw/nLzrcUB/TSTZjVQua
oYg9qEohynx0kQ==
-----END CERTIFICATE REQUEST-----
Creating a CSR
To create a CSR, you will first need to generate a private key. Many web servers and runtime environments, such as Internet Information Services (IIS), have CSR generation capabilities built in. Another way to generate a private key is to use the OpenSSL command line tool.
Once you have generated a private key, you can use it to create a CSR file. The CSR file can also be generated using the OpenSSL command line tool.
To verify the critical information within your CSR, use our CSR Decoder before submitting it for an SSL certificate.
After generating and verifying the CSR, you must submit it to a Certificate Authority (CA). The CA will use the information in the CSR to create an SSL/TLS certificate for your website.
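The key pair generation, CSR creation and pre-submission verification steps described above, written out with the OpenSSL command line tool. This is an added example, not SSL.com's own procedure: the subject values, domain names, file names (`server.key`, `server.csr`, `csr.cnf`), function names and the choice of 2048-bit RSA are all assumptions made for illustration.

```bash
# Added example: placeholder subject values, domains and file names.
# Requires the openssl command line tool.
set -eu

# Key pair generation and CSR creation (Subject DN plus SAN entries).
make_csr() {  # usage: make_csr <dir> <common-name> [extra-dns-name]
  dir=$1; cn=$2; san="DNS:$cn${3:+,DNS:$3}"
  cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
countryName = US
stateOrProvinceName = New York
localityName = Buffalo
organizationName = Example Corp
commonName = $cn
[ext]
subjectAltName = $san
EOF
  # The private key stays on this host; umask 077 makes it owner-only.
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/server.key" 2>/dev/null )
  openssl req -new -sha256 -config "$dir/csr.cnf" \
    -key "$dir/server.key" -out "$dir/server.csr"
}

# Proof of possession: the CSR's self-signature must verify.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# The CSR must carry the public half of the key you will deploy.
csr_matches_key() {  # usage: csr_matches_key <csr> <key>
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The fields the CA will see: Subject DN and SAN entries.
csr_summary() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
  openssl req -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//'
}

work=$(mktemp -d)
make_csr "$work" www.example.com example.com
csr_signature_ok "$work/server.csr" && echo "signature: OK"
csr_matches_key "$work/server.csr" "$work/server.key" && echo "key match: OK"
csr_summary "$work/server.csr"
```

Only `server.csr` is submitted to the CA; `server.key` stays on the host that generated it.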
Installing the Certificate
Upon receiving the SSL/TLS certificate from the CA, the next step is to install it on your server. The exact installation process may vary depending on the server type and software used, but generally involves copying the certificate files to the server and configuring the server to use the SSL/TLS certificate by updating the relevant configuration files and restarting the server.
In Summary
A CSR is an essential component of the digital certificate issuance process. It provides the necessary information to a CA to verify the identity of the requester and issue a signed certificate that enables secure communication between clients and servers. By understanding the purpose, content, and generation process of a CSR, you can ensure a smooth and secure certificate issuance experience. For a detailed explanation of how to generate a CSR manually with OpenSSL commands, refer to our informative guide.