SSL Tutorial | Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a small encoded block of text that carries certain information about your organization. Your Certificate Authority (CA) will use this information to issue you a certificate. A CSR contains the following information.
Information contained in the CSR
Common Name (CN)
The Common Name identifies the fully qualified domain name(s) of your server(s). For example, mydomain.com, docs.mydomain.com or blog.mydomain.org. It can contain wildcard domain names or subdomains such as *.mydomain.com or *.docs.mydomain.com. You can include multiple domains or subdomains if you plan to use the certificate in different domains or subdomains.
An important thing to note is that the type of SSL certificate you purchase from the Certificate Authority (CA) has to support your common name format. For instance, wildcard certificates are generally more expensive and you can’t use a non-wildcard certificate to issue a wildcard certificate. To understand the types of SSL certificate read this article.
Organization (O)
The legal name of your organization. Do not use any prefixes, suffixes or abbreviations, e.g. do not use Inc., Corp., Pvt. Ltd or LLC.
For OV (Organization validated) or for EV (Extended validation) SSL Certificates, this information is validated by the CA and included in the certificate.
Organizational Unit (OU)
The division of the organization responsible for the certificate. For example, legal, HR or marketing. Depending on the situation, you can leave this blank.
City or Locality (L)
The city where your organization is based. Use the full city name and don’t use abbreviations or short names. For example, use Sydney instead of SYD.
State/District/County/Region (S)
The non-abbreviated state, district, county or region name. For example, use New South Wales instead of NSW or Washington instead of WA.
Country (C)
The two-letter code of the country where the organization is located. You can find the country codes here.
Email Address
An email address to contact your organization. Make sure the email is reachable. Usually the email is set to a generic email address like webmaster@mydomain.com or admin@mydomain.com.
The public key
The public key is used by external parties to encrypt data, and the associated private key is used to decrypt it.
Passphrase
This is not a mandatory field. However, some certificate authorities may require CSRs to have a passphrase. The certificate authority can use a CSR passphrase to confirm the identity of the person or the organization with whom you wish to communicate. CSR passphrases are stored in unencrypted format and you will share this passphrase with a third party. Therefore, do not use an important password here.
How to create a CSR
To create a CSR, you first need a private key.
The private key is something you need to keep secure and should not expose to outside parties. That’s the very reason it’s called a private key. The same private key can be used to sign multiple CSRs. There are two widely used private key formats, namely RSA 2048 bit and RSA 4096 bit, where the former is the more widely used format and the latter is more secure due to its key length. An example of a base 64 encoded 2048 bit RSA private key is given below.
Sometimes your web hosting company provides a web based tool like cPanel to create a private key.
Alternatively, you can use OpenSSL to generate a private key. OpenSSL binaries can be downloaded from here.
For example, to generate a 2048 bit RSA key you can use the following command:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out c:\temp\private-key.pem
Once you have the private key, it can be used to generate the CSR. You can use the user interface provided by your web host (e.g. cPanel).
You need to fill in information such as the common names, organization, city and country to create the CSR.
Alternatively, you can use OpenSSL to generate the CSR.
openssl req -new -key c:\temp\private-key.pem -out c:\temp\mycsr.csr

This will output a file which you can open in any text editor. The content is base 64 encoded and looks like below.
This content can be decoded with a CSR decoder. If you google “CSR decoder”, you will find plenty of online CSR decoders which you can use to check the content of a CSR.
Alternatively, you can use the following OpenSSL command.
openssl req -in c:\temp\mycsr.csr -noout -text
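The key generation, CSR creation and decoding steps above, combined into one non-interactive script. This is an added example, not part of the original tutorial; the subject values, hostnames and temporary directory are constructed placeholders. It goes beyond the page's commands by listing the hostnames in the subjectAltName extension, the field current TLS clients match hostnames against, and by checking the CSR against the private key before it is submitted.

```shell
#!/bin/sh
# Added example: names, subject values and file names are constructed placeholders.
set -eu

# make_csr <dir>: write private-key.pem and mycsr.csr into <dir>.
make_csr() {
  # Create the key under a restrictive umask so only the owner can read it.
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/private-key.pem" 2>/dev/null )
  # -subj avoids the interactive prompts; -addext (OpenSSL 1.1.1 or later)
  # lists every hostname in subjectAltName, with a single name in the CN.
  openssl req -new -key "$1/private-key.pem" -out "$1/mycsr.csr" \
    -subj "/C=AU/ST=New South Wales/L=Sydney/O=Example Company/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:dev.example.com,DNS:*.docs.example.com"
}

# csr_signature_ok <csr>: the CSR is signed with the requester's own key;
# a good signature shows the file is intact and the requester holds that key.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key <csr> <key>: compare the public key embedded in the CSR
# with the public half of the private key the certificate will be used with.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_san_names <csr>: print the DNS names the CA will be asked to certify.
csr_san_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_csr "$work"
csr_signature_ok "$work/mycsr.csr" && echo "self-signature: OK"
csr_matches_key "$work/mycsr.csr" "$work/private-key.pem" && echo "CSR matches private key"
csr_san_names "$work/mycsr.csr"
rm -rf "$work"
```

Running `csr_matches_key` before submitting catches the common mistake of sending a CSR built from a different key than the one deployed on the server.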

You can now use the content of the base 64 encoded CSR to get a certificate from your CA.
Depending on your CA, your certificate broker will provide a user interface to enter the base 64 encoded CSR.
Some practical tips for frequently asked questions
I entered wrong information in CSR, how can I revert it back?
Make sure your company information is accurate in your CSR. The email address in your CSR has to be accurate and accessible. The CA sometimes sends the certificate to the email address given in the CSR. Some certificate brokers don’t have a method to revert once you request a certificate with a given CA. After all, the certificate broker is a middleman who facilitates your certificate issuance and it is the CA who ultimately issues the certificate. Usually, certificate brokers have a money-back refund policy for a fixed period of time. If you accidentally use the wrong information in your CSR, ask for a refund and then create a new certificate request.
I got a DV (Domain Validated) certificate, and it takes ages to validate once I set up entries in my DNS
If you are using a DV (Domain Validated) certificate, you can get your certificate approved quickly since the validation happens by checking an entry in your DNS configuration. Depending on the type of validation of the certificate, it can take some time to validate your organization. A frequent error customers make is entering the domain name twice. For example, imagine your certificate broker says to enter the following code as a CNAME in your DNS: <some code>.example.com pointing to <some random value>. Sometimes, when you copy and paste using the DNS configuration UI, you will end up pasting <some code>.example.com.example.com, where the domain name is entered twice. This can be easily fixed by removing the final example.com before copying and pasting into your DNS system.