Here’s everything you wanted to know about Certificate Signing Request (CSR)
CSR is an abbreviation for Certificate Signing Request, a very fundamental part of Public Key Infrastructure (PKI). As implied in the name itself, a CSR is a request – a request to a certificate authority to sign a digital certificate. In simple terms, it’s an application form to initiate your certification process.
As we all know, digital certificates such as SSL/TLS certificates vouch for the identity of the party that they have been issued to. In reality, it’s not the certificate, but the certificate authority (CA) behind the certificate that acts as a witness and vouches for your credibility. To do that, the CA must first confirm that you are who you say you are and validate your information through the methods set by the CA/Browser Forum (CA/B Forum). That’s where the CSR comes in.
A CSR contains information such as Common Name, Organization Name, Organization Unit, etc. A CSR will also have your Public Key. You must fill out these details carefully while generating your CSR, as they will be used to generate your certificate and verify your identity and legitimacy. One small mistake and you’d have to do it all over again.
When you generate a CSR, your key pair – Private Key and Public Key – is also generated. Of course, the Private Key will not be used by the CA, but your Public Key is included in the CSR.
Let’s understand the nuts and bolts of CSR.
What’s there in a CSR?
A CSR contains the following things:
Common Name: Don’t get confused by its name. It’s nothing but the Fully Qualified Domain Name (FQDN) of your web server. FQDN is the name you enter in your browser (with or without www). Your Common Name MUST be the same as that name. If not, there will be a mismatch error and that’s not good, Bob.
Organization Name: This should be the legally registered name of your organization. If you have any suffixes such as LLC., Inc., and Corp, you must also include them. In the case of a DV certificate, just enter your name.
Organization Unit: Division of your organization handling the certificate (e.g., IT department).
Locality: Here, you should enter the city in which you are located.
State or Province: The State/Province where you or your organization is located.
Country: Select the country where you or your organization is located.
E-mail: The e-mail address where certificate files will be sent. It must belong to your organization if you want OV or EV SSL.
Apart from these, there’s an option to select the Root Length and Signature Algorithm. Keep them as default if you don’t have any particular requirement.
What exactly does a CSR look like?
Prepare to be disappointed because a CSR looks nothing like you’d have expected. It’s basically a string of letters, numbers and symbols that looks like a message from an alien species. Here’s what it looks like:
-----BEGIN CERTIFICATE REQUEST-----
MIIDHjCCAgYCAQAwga8xCzAJBgNVBAYTAklOMRAwDgYDVQQIEwdGbG9yaWRhMRkw FwYDVQQHExBTYWludCBQZXRlcnNidXJnMRswGQYDVQQKExJSYXBpZCBXZWIgU2Vy dmljZXMxDDAKBgNVBAsTA1NFTzEcMBoGA1UEAxMTd3d3LnNzbHJlbmV3YWxzLmNv bTEqMCgGCSqGSIb3DQEJARYbamF5LnRoYWtrYXJAdGhlc3Nsc3RvcmUuY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsGOyOqqNZRR/pOmafqRcfKnZ ObB7K0J2aIk20Kq7Zy1Gb2ED14eI23KxgGmbt6dbRzlniq0gKs26RUi1Oq9o4cJb e4slM9JbMTH/A1ympv5gF9V34R113ZZ7941XzANLgDxf55FbdRUWdIw/EhfWiVfd zXpsdLtlhzp2VASUIbxiuZF3Oe7pCNUajcKTHRyAeFCCiWWVIDfq15CLoiqAzgbf Rg7/8OEdk+z39d0u86tdU0KXf1uZkVWbftYkGpls/51EiNUtys0BHgVOJEwnwN1u 5gxMv300uzFVywIMj2EawFBLCFEnPhIAQ85ebVuGqXgAXhVefn8H+Fef99qTxwID AQABoCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAN BgkqhkiG9w0BAQsFAAOCAQEALi6SBP0WZvPH7Xx9C4ESEChuuJhW59wqQqPPir8x HbGHgT6IRJ/d10o2NFIqxaQML5Wz1LMIVUTk4mBf6YIpMpwh8Qxi/Cs7rrVZOvXL DQZYCXJDYWJjeo/glUvbcq2PFH6J7k/VaPpI2sxOMwsUd5qeD7iumBZV8BsCPhQc 8OXJ8Rqe+6JkUCwiu663z2zkkuynxrrrH4sGsAy6cPnJeMkJnG+y2+5YMsDT+t7+ ypOO1pVedVkjx6FdEwRW9x/pZ+gD1FN7udEe3uwt7crWMDXUhu/u8gKn3s1S4UPy cYHz2749YWLXtegFNLD8YWneft28A82HUvXyfx24HDYkGQ==
-----END CERTIFICATE REQUEST-----
Disappointed? Of course, you are.
How can I generate a CSR?
While other certificate providers tell you to type in dull and boring OpenSSL commands, we have developed an awesome, automatic, and user-friendly tool that will help you generate your CSR in no time. And you know what the best part is? It’s FREE for everyone. So, what are you waiting for? Head straight to our CSR Generation tool and generate your CSR.
And in case you want to decode your CSR, we’ve got a tool for that, too!
Aren’t we just awesome?
What to do with your CSR?
Once your CSR is generated, you MUST copy and paste it into a text editor (e.g., Notepad) and save it for your future requirements.
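For readers who take the OpenSSL route mentioned above, the following script is an added example (not part of the original article or its tools). It creates the key pair and CSR on your own machine so the Private Key never leaves it, then decodes the CSR and checks that it carries only the Public Key. The subject values, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: create key pair + CSR locally with OpenSSL, then check the CSR.
# Subject values and file names are constructed placeholders.
set -eu

make_csr() {  # usage: make_csr <dir> <fqdn>
    dir=$1; cn=$2
    # Subshell keeps the restrictive umask local; the key file is owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$dir/server.key" -out "$dir/server.csr" \
          -subj "/C=US/ST=Florida/L=Saint Petersburg/O=Example LLC/OU=IT/CN=$cn" \
          2>/dev/null )
}

csr_subject() {  # decode the fields the CA will read from the CSR
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

csr_selfsig_ok() {  # CSR is signed by the matching private key
    # Match on the message text: older OpenSSL exits 0 even on a failed verify.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

csr_matches_key() {  # usage: csr_matches_key <csr> <key>
    # The public key embedded in the CSR must equal the key's public half.
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

csr_has_no_private_key() {  # only the CSR file is sent to the CA
    ! grep -q "PRIVATE KEY" "$1"
}

# Stand-alone use: sh make_csr.sh www.example.com
if [ "$#" -ge 1 ]; then
    make_csr . "$1"
    csr_selfsig_ok server.csr
    csr_matches_key server.csr server.key
    csr_has_no_private_key server.csr
    csr_subject server.csr
fi
```

Submit only `server.csr` to the CA; `server.key` stays on the server that will use the certificate.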