
What is a CSR (Certificate Signing Request)?

What is a CSR? A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time as the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

What is contained in a CSR?

Name | Explanation | Examples
Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. | *.google.com, mail.google.com
Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | Google Inc.
Organizational Unit | The division of your organization handling the certificate. | Information Technology, IT Department
City/Locality | The city where your organization is located. | Mountain View
State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California
Country | The two-letter ISO code for the country where your organization is located. | US, GB
Email address | An email address used to contact your organization. | webmaster@google.com
Public Key | The public key that will go into the certificate. | The public key is created automatically

What does a CSR look like?

Most CSRs are created in the Base-64 encoded PEM format. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

How do I generate a CSR and private key?

You need to generate a CSR and private key on the server that the certificate will be used on. You can find instructions in your server documentation or try the instructions from one of these certificate authorities:

Comodo CSR Generation Instructions
DigiCert CSR Generation Instructions
Entrust CSR Generation Instructions
GeoTrust CSR Generation Instructions
Thawte CSR Generation Instructions

Once you have your CSR generated, you can use our SSL Wizard to find the best SSL certificate that will meet your needs. If you are familiar with OpenSSL you can use the following command to generate a CSR and private key:

openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

How do I decode a CSR?

You can easily decode your CSR to see what is in it by using our CSR Decoder. In order to decode a CSR on your own machine using OpenSSL, use the following command:

openssl req -in server.csr -noout -text

What is a CSR/Private Key's bit length?

The bit length of a CSR and private key pair determines how easily the key can be cracked using brute force methods. As of 2016, a key size of less than 2048 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whoever had the key. The Extended Validation guidelines that SSL certificate providers are required to follow require that all EV certificates use a 2048-bit key size to ensure their security well into the future. Because of this, most providers encourage 2048-bit keys on all certificates, whether they are EV or not.
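The three technical sections above (the fields a CSR carries, decoding a CSR with `openssl req -in server.csr -noout -text`, and the 2048-bit minimum) can all be seen in one place by walking the PKCS #10 structure directly. The following is an added example, not code from SSL Shopper; it uses only the Python standard library. The two sample CSRs it inspects are constructed inline: the RSA modulus is a synthetic number chosen only for its bit length (not a real key) and the signature is a zero-filled placeholder, so the samples exercise the parser but would never verify at a CA. `parse_csr` returns the subject fields, key algorithm, key size and signature algorithm; `is_weak_key` applies the bit-length policy from the section above.

```python
"""Added example (not SSL Shopper's code): a pure-stdlib PKCS #10 (CSR) inspector.
Sample CSRs are constructed inline with a synthetic modulus and a zero-filled
placeholder signature, so they exercise the parser but would never verify."""
import base64
import re

OID = {'C': b'\x55\x04\x06', 'ST': b'\x55\x04\x08', 'L': b'\x55\x04\x07',   # DER-encoded attribute OIDs
       'O': b'\x55\x04\x0a', 'CN': b'\x55\x04\x03'}                           # used by the samples
RSA_ENCRYPTION = b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01'      # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b'     # 1.2.840.113549.1.1.11

def der(tag, content):
    """Wrap content in a DER tag/length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value from reading as negative."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, 'big')
    return der(0x02, b'\x00' + b if b[0] & 0x80 else b)

def build_sample_csr(subject, modulus_bits):
    """Constructed sample: subject is a list of (short name, value); key and signature are fake."""
    rdns = b''.join(der(0x31, der(0x30, der(0x06, OID[name]) + der(0x0C, val.encode())))
                    for name, val in subject)                # SET of SEQUENCE {type, UTF8String}
    modulus = (1 << (modulus_bits - 1)) | 1                  # exactly modulus_bits long, not a real key
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))   # RSAPublicKey {n, e}
    alg = der(0x30, der(0x06, RSA_ENCRYPTION) + b'\x05\x00') # rsaEncryption with NULL parameters
    spki = der(0x30, alg + der(0x03, b'\x00' + rsa_key))     # BIT STRING: 0 unused bits + key
    info = der(0x30, der_int(0) + der(0x30, rdns) + spki + der(0xA0, b''))  # version 0, no attributes
    sig_alg = der(0x30, der(0x06, SHA256_WITH_RSA) + b'\x05\x00')
    signature = der(0x03, b'\x00' + bytes(modulus_bits // 8))               # placeholder, all zeros
    body = base64.encodebytes(der(0x30, info + sig_alg + signature)).decode()
    return '-----BEGIN CERTIFICATE REQUEST-----\n' + body + '-----END CERTIFICATE REQUEST-----\n'

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(b):
    arcs, value = [b[0] // 40, b[0] % 40], 0                 # first byte packs the first two arcs
    for byte in b[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                                  # last base-128 digit of this arc
            arcs, value = arcs + [value], 0
    return '.'.join(map(str, arcs))

RSA_OID = decode_oid(RSA_ENCRYPTION)
ATTR_NAMES = {'2.5.4.3': 'CN', '2.5.4.6': 'C', '2.5.4.7': 'L', '2.5.4.8': 'ST',
              '2.5.4.10': 'O', '2.5.4.11': 'OU', '1.2.840.113549.1.9.1': 'emailAddress'}

def parse_csr(pem):
    """Roughly what `openssl req -noout -text` shows for the fields the article discusses."""
    if (m := re.search(r'BEGIN CERTIFICATE REQUEST-----(.*?)-----END', pem, re.S)) is None:
        raise ValueError('not a PEM-encoded CSR')
    _, csr, _ = read_tlv(base64.b64decode(''.join(m.group(1).split())), 0)
    info, sig_alg, _signature = children(csr)                # CertificationRequest members
    _version, subject, spki, *_ = children(info[1])          # attributes (tag 0xA0) are ignored
    fields = {}
    for _, rdn in children(subject[1]):                      # each RDN is a SET ...
        for _, attr in children(rdn):                        # ... of SEQUENCE {type, value}
            (_, oid), (_, value) = children(attr)
            fields[ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))] = value.decode()
    (_, alg), (_, key_bits) = children(spki[1])
    key_oid, key_size = decode_oid(children(alg)[0][1]), None
    if key_oid == RSA_OID:                                   # key_bits[0] is the unused-bit count
        (_, modulus), _ = children(children(key_bits[1:])[0][1])
        key_size = int.from_bytes(modulus, 'big').bit_length()
    return {'subject': fields, 'key_algorithm': key_oid, 'key_bits': key_size,
            'signature_algorithm': decode_oid(children(sig_alg[1])[0][1])}

def is_weak_key(info, minimum_bits=2048):
    """Policy from the bit-length section: RSA keys under 2048 bits are weak."""
    return info['key_algorithm'] == RSA_OID and info['key_bits'] < minimum_bits

SAMPLE_SUBJECT = [('C', 'US'), ('ST', 'California'), ('L', 'Mountain View'),
                  ('O', 'Example Inc.'), ('CN', 'www.example.com')]
STRONG_CSR = build_sample_csr(SAMPLE_SUBJECT, 2048)
WEAK_CSR = build_sample_csr(SAMPLE_SUBJECT, 1024)
```

`parse_csr` accepts any PEM CSR, so the same function can be pointed at a real `servername.csr` from the openssl command above; only the subject, key and signature-algorithm fields are decoded, and extensions carried in the attributes block (such as subjectAltName) are skipped. The 2048-bit threshold in `is_weak_key` is the one the article states; raise it if your policy is stricter.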


Originally posted on Sun Dec 7, 2008

Comments


Илья Василевский(2017-01-28)

Is there a way to find out if a particular certificate is issued for a specific CSR? I guess it can be done by comparing the public keys. But what is the openssl command to do that?

SSL Shopper(2017-01-28)

The OpenSSL commands are listed at https://www.sslshopper.com/...

You can also just paste in the CSR and certificate on the web page.

Илья Василевский(2017-02-09)

Thanks! The commands have helped me :)

venky(2017-06-12)

Is it possible to modify an existing CSR to add additional subject information?

SSL Shopper(2017-06-14)

I'm not aware of any way to do that. You'll need to create a new CSR. Most CAs ignore the information in the CSRs any way so you could just ask them to change it for you.

sai4collab(2017-08-21)

If the private key is not provided to the CA, how would they sign the certificate? I understand that only when your cert is signed by your private key, and a hash generated using the private key is decoded by the client using the public key in the cert, does the authentication succeed.

SSL Shopper(2017-08-22)

They sign your certificate (which contains the public key you gave them in the CSR) using their CA certificate's private key. You can read more at https://www.websecurity.sym...

Soul(2017-09-02)

Can we insert null in locality name??

SSL Shopper(2017-09-06)

I think it is generally better to leave it blank. Most certificate providers will fill in that information when they verify and create the certificate anyway.

marsu_p(2017-10-02)

As per RFC 6125, the server's FQDN has to match one of the SubjectAltNames. The common name may be empty and shall only be checked as a last resort. Modern browsers even ignore the common name altogether, making the use of SubjectAltNames mandatory.

Francis Magpayo(2017-11-21)

We are renewing our SSL certificates again, we have generated the CSR and have used the country code UK. However, our CA seems to have trouble in setting the country to UK and say that GB is the only one available. Are there any implications on changing the country code to GB?

SSL Shopper(2017-11-21)

There shouldn't be any issue using GB instead of UK.

Emmanuel(2018-03-15)

Hello, I have a question. "A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate" - I am learning about this, so I am confused here: once I have my CSR, how do I send this to the CA? What are the next steps?

SSL Shopper(2018-03-17)

You just go to your certificate provider's order form and paste the CSR in along with the other information that they ask for. They will then verify the information and create a certificate.

Dual Stuffs(2018-05-29)

Is it necessary to fill in all address options??

SSL Shopper(2018-05-29)

It depends but you can usually leave the address information blank when you are creating a CSR and provide it to the certificate provider later.

Diderot(2018-05-29)

Hi,
After generating the CSR, can I use the application before installing the SSL for this application? Or does it stay 'blocked'?...
I'm asking because I'm waiting for the SSL and the vendor says we can't use the application

SSL Shopper(2018-05-30)

It depends on the application but there are definitely some that can't be used until a certificate is installed.

sudhanshu(2018-06-01)

Nice article :)

Guillaume Specque(2018-07-30)

hello Guys

I've got 3 servers (1 FortiGate (needs p7b), a Synology (needs p7b) and a reverse proxy Nginx (needs pem)).
Can I generate only one CSR for my 3 servers?
Moreover, I understand that the private key is not stored on the servers which need certificates but stored in a secured place? Is that right?
Sorry for my english!

mohammad yousuf(2018-08-05)

Yeah, you can make use of only one CSR. But note that the private key will be present on the device on which the CSR was generated.

Once you obtain a signed certificate, you can convert the certificate from one format to another.

You can make use of Openssl command to perform it.

Niclas(2018-08-29)

Is it possible to use the previous CSR when renewing an existing expiring certificate instead of generating a new CSR for each renewal?

SSL Shopper(2018-08-30)

It is technically possible but it is usually difficult and not advisable because the private key would stay the same which reduces security.

Luka Cvetinovic(2019-03-17)

Hello,
I'm really thankful for all these articles related to web security.

However, I have one question.

Is it possible, when building your custom PKI, to automate the process of generating and submitting CSRs? I would like to be able to run a certain script (scheduled) or to include a module (or whatever) in a subsystem of a larger business system to auto-generate and auto-send CSRs to my PKI API in order to supply these parts of the system with new certificates.

P.S. I'm aware that the first time I would need to manually install certificates across the system in order to be sure that it's done properly and securely. But after that, I would like to automate the whole thing.

Thank you in advance!

Best regards,
Luka

SSL Shopper(2019-03-18)

There are some solutions that allow automated certificate issuance using the ACME protocol (https://en.wikipedia.org/wi... but, otherwise, I think certificates always need to be manually installed.

Luka Cvetinovic(2019-03-18)

Thank you so much for quick answer. Appreciate it!
One last question. Do you have by any chance a link to useful resource for OCSP building?

SSL Shopper(2019-03-19)

You're welcome! Sorry, I don't have any information about OCSP building.

Jwalant(2019-04-26)

@harmonikas996

If I am understanding your need correctly,

I would suggest using the SCEP protocol; with it one can trigger a CSR request and get the certificate installed.

Jubair Mohammad(2019-05-05)

1. Can we extract the private key after creating a CSR?
2. In which location is the private key stored?
3. The CSR, I believe, has the public key, and after the CSR is signed by a CA's private or public key it makes a certificate?

Rafael Sandoval(2019-11-20)

Is it possible to generate the SSL CSR on my local computer, then send the CSR to the provider and then use the SSL cert on my server? Thank you

SSL Shopper(2019-11-21)

That's exactly the process, Rafael. Let your provider know if you need any help generating the CSR or installing the certificate once you receive it from them.

Phil(2020-02-21)

If a certificate is created for a client device (EAP-TLS) from the CA, (in the case of a client that cannot produce a CSR) are the keys that are also created public or private? Does this in any way compromise the CA?
