Editor's Note: This article was originally published in September 2017. As of 2024, it has been reviewed and updated in accordance with the latest standards/conventions for SSL/TLS.
For those of you who are new to SSL/TLS, or even you veterans who just want to brush up on your knowledge, we’re starting a series on SSL basics. First up are Certificate Signing Requests (CSRs). These little files are a critical part of applying for an SSL/TLS certificate, but what are they exactly and how can you generate one?
What is a Certificate Signing Request?
A CSR is one of the first steps towards getting your own SSL/TLS certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key. We’ll go into more detail on the roles of these keys below.
What information is included in a CSR?
The CA will use the data from the CSR to build your SSL Certificate. The key pieces of information include the following.
- Information about your business and the website you’re trying to equip with SSL, including:
Common Name (CN)
(e.g. *.example.com
www.example.com
mail.example.com)
The fully qualified domain name (FQDN) of your server.
Organization (O) The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC.
For EV and OV SSL Certificates, this information is verified by the CA and included in the certificate.
City/Locality (L)
The city where your organization is located. This shouldn’t be abbreviated.
State/County/Region (S)
The state/region where your organization is located. This shouldn't be abbreviated.
Country (C) The two-letter code for the country where your organization is located.
Email Address An email address used to contact your organization.
- The public key that will be included in the certificate. SSL uses public-key, or asymmetric, cryptography to encrypt transmitted data during an SSL session. The public key is used to encrypt and the corresponding private key is used to decrypt.
- Information about the key type and length. The most common key size is RSA 2048, but some CAs, including GlobalSign, support larger key sizes (e.g. RSA 4096+) or ECC keys.
Our advice is to keep the private key in a secure place and make sure to remember the passphrase for it.
What does a CSR look like?
The CSR itself is usually created in a Base-64 based PEM format. You can open the CSR file using a simple text editor and it will look like the sample below. You must include the header and footer (-----BEGIN NEW CERTIFICATE REQUEST-----) when pasting the CSR.
-----BEGIN NEW CERTIFICATE REQUEST-----MIIDVDCCAr0CAQAweTEeMBwGA1UEAxMVd3d3Lmpvc2VwaGNoYXBtYW4uY29tMQ8w DQYDVQQLEwZEZXNpZ24xFjAUBgNVBAoTDUpvc2VwaENoYXBtYW4xEjAQBgNVBAcT CU1haWRzdG9uZTENMAsGA1UECBMES2VudDELMAkGA1UEBhMCR0IwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAOEFDpnOKRabQhDa5asDxYPnG0c/neW18e8apjOk 1yuGRk+3GD7YQvuhBVS1x6wkw1D2RnmnZgN1nNUK0cRK7sIvOyCh1+jgD7u46mLk 81j+b4YSEmYZGPLIuclyocPDm0hXayjCUqWt7z6LMIKpLym8gayEZzz9Gn97PsbP kVFBAgMBAAGgggGZMBoGCisGAQQBgjcNAgMxDBYKNS4xLjI2MDAuMjB7BgorBgEE AYI3AgEOMW0wazAOBgNVHQ8BAf8EBAMCBPAwRAYJKoZIhvcNAQkPBDcwNTAOBggq hkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMH MBMGA1UdJQQMMAoGCCsGAQUFBwMBMIH9BgorBgEEAYI3DQICMYHuMIHrAgEBHloA TQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMA cgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIDgYkAk0kf HSkr4jsEVya3mgUoyaYMO456ECNZr4Cb+WhPgexfjOO5qwOG1oDOTaKycrkc5pG+ IPBQnq+4cotT8hWJQwpc+qGb8xUETpxco*khrhN5079vFXq/5dsHkmtOTwkSqSnz9 yruVoxYeDQ8jI3KG3HTgxwFto8oZnm+E+Y4oshUAAAAAAAAAADANBgkqhkiG9w0B AQUFAAOBgQAuAxetLzgfjBdWpjpixeVYZXuPZ+6jvZNL/9hOw7Fk5pVVXWdr8csJ 6JUW8QdH9KB6ZlM4yg8Df+vat1/DG6GuD2hiIR7fQ0NtPFBQmbrSm+TTBo95lwP+ ZSZTusPFTLKaqValdnS9Uw+6Vq7/I4ouDA8QBIuaTFtPOp+8wEGBHQ==
-----END NEW CERTIFICATE REQUEST-----
How do I create a Certificate Signing Request (CSR)?
Generating the CSR will depend on the platform you’re using. We have a number of support articles with step-by-step instructions for doing this in the most popular platforms, including cPanel, Exchange, IIS, Java Keytool and OpenSSL. You can find them here.
We have a comprehensive video covering the most common questions about generating a Certificate Signing Request (CSR). Watch it here:
If you prefer a more in-depth look at specific topics, check out these individual guides:
How to Create a CSR in Microsoft Management Console or MMC
How to Create a CSR in Java Key Store
How to Create a CSR in Apache OpenSSL
How to Create a CSR in IIS 10
In the world of online security, trust is paramount. This is where Certificate Signing Requests (CSRs) come into play. A CSR acts as a formal request to a Certificate Authority (CA) for an SSL/TLS certificate, the digital passport that verifies your website's identity and encrypts communication.
Let's delve deeper and understand how to get a CSR certificate and the importance of avoiding name mismatches.
How to Get a CSR Certificate: A Step-by-Step Guide
Obtaining a CSR certificate is a straightforward process, typically involving your web server software. Here's a simplified breakdown:
Generate the Key Pair: The first step involves generating a cryptographic key pair on your web server. This pair consists of a public key (used for encryption) and a private key (used for decryption). Securing your private key is crucial as it unlocks the encryption power of your certificate.
Fill Out the CSR Information: Next, you'll need to fill out a CSR form. This form typically includes details like your organization name, domain name (the website you want to secure), location, and sometimes your public key.
Here's where getting a CSR certificate becomes important! The information you provide in the CSR needs to be accurate and match your existing domain registration. A name mismatch between your CSR and domain name can lead to certificate issuance delays or even rejections.
Submit the CSR to a CA: Once you've completed the CSR form, it's time to submit it to a reputable Certificate Authority, like GlobalSign. The CA will validate the information you've provided, including verifying ownership of the domain name. Double-check for any name mismatches before submitting your CSR to avoid delays.
Here's an additional tip for getting a CSR certificate: Some web hosting providers offer a CSR generation tool within their control panel. This can simplify the process, but remember, it's still crucial to ensure the information entered is accurate and avoids any potential name mismatches.
The Pitfalls of Name Mismatches
A name mismatch between your CSR and domain name can be a significant hurdle in obtaining your SSL/TLS certificate. Here's why:
Security Concerns: A mismatch raises red flags for the CA, as it casts doubt on whether you have legitimate control over the domain. This can lead to certificate issuance delays or even rejections.
Wasted Time: If your CSR has a name mismatch, the CA will need to contact you for clarification, which can significantly slow down the process of getting your certificate.
Potential Costs: Depending on the CA's policies, a name mismatch might incur additional fees or require resubmitting the CSR, adding unnecessary hassle and cost.
Here's how to avoid name mismatches when getting a CSR certificate:
Double-check, Triple-check: Before submitting your CSR, carefully review the information you've entered, paying close attention to your domain name. Ensure it precisely matches your domain registration details.
Verify Your Domain Ownership: Most CAs require verification of domain ownership during the validation process. Ensure you have access to the email address or DNS records associated with your domain to facilitate smooth verification.
By understanding how to get a CSR certificate and the importance of avoiding name mismatches, you can streamline the process of securing your website with an SSL/TLS certificate, fostering trust and boosting online security.
Have questions about CSRs or about SSL/TLS in general? Any ideas for other topics we cover? Let us know!
