What is a Certificate Signing Request (CSR)?
A CSR (Certificate Signing Request) is a small, encoded text file containing information about the organization and the domain you wish to secure. It is required for the activation of a digital SSL certificate and, as a rule, is generated on the server where the certificate is to be installed. A CSR is submitted to the Certificate Authority and used to generate the certificate.
For the instructions on how to generate the CSR code, you can consult your server documentation or check the following article in our Knowledgebase that contains the most common server types.
The Certificate Signing Request should have the following information:
- Common name (CN) – primary domain of the certificate, the fully qualified domain name for which the SSL will be activated (e.g. example.com). For Wildcard certificates, the domain name should be represented with an asterisk in front (e.g. *.example.com).
- Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.
- State (S) – the state, county or region the company or applicant is located in (e.g. California).
- Country (C) – the two-letter code of the country where the company or applicant is located (e.g. US).
- Organization (O) – the officially registered name of the organization that applies for a certificate (e.g. Namecheap Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate, however it should be filled in.
- Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).
- Email Address – an email address of the company or the applicant. This field is optional.
The CSR code can contain SAN (Subject Alternative Name) fields in it, which can be used for additional domains you would like to include into a multi-domain certificate. Some web servers and CSR-code generators might have SAN fields included for CSR generation. You can use those fields if you are sure about the domains and the number you would like to secure. You are not obligated to fill in SAN fields during CSR-code generation. If the CSR code is generated with SAN fields, our system will try to fetch them automatically to the corresponding boxes for additional domains when activating a Multi-domain certificate. If the CSR was generated for the primary domain only, additional domains should be filled in manually during the activation.
The CSR code also contains the public key that will be included into your certificate. The encryption of data by SSL certificates is based on using two keys – public and private. Public key (embedded into the CSR code and into the issued certificate) is used to encrypt data prior to sending it to the server where the certificate has been installed. It is sent to every Internet user who submits information at a site secured by the certificate. CSR code is generated along with the private key. Private key (RSA key) is necessary to decrypt data that has been encrypted using a public key. Only the server that has an RSA key is able to decrypt data. This makes data transmission via SSL secure and safe. Private key should not be revealed to any third-parties, as this may compromise the certificate. If the private key was lost or compromised, the certificate should be reissued with a new CSR code generated along with a new RSA key, and the initial certificate revoked to avoid any possible security issues.
Also, the CSR contains the information about the type of the key and key length. The most common and frequently used key type is RSA. However, there is an opportunity to submit a CSR codes with ECDSA keys for the certificate activation.
The minimum possible key size for RSA keys is 2048 bits. It is considered strong and there is no critical need to make the private key stronger. However, Comodo (now Sectigo) certificates can be also activated with 4096 and 8192 bits key size. Remember that not all devices can support strong keys!
CSR is a Base-64 code that starts with the header -----BEGIN CERTIFICATE REQUEST----- and ends with a footer -----END CERTIFICATE REQUEST----- (CSR codes generated on Windows Servers will have tags -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----). When activating the certificate, please copy the CSR code including both header and footer into the activation page.
Below you can find an example of the certificate signing request:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
You can check the CSR information using this decoding tool.