What to do if your CSR is not accepted ('CSR invalid' errors) during certificate activation

There might be multiple reasons which cause an "Invalid CSR" error.

csrcorrupt

Here are the main points you need to pay attention to when generating a CSR:

  1. You should be using an FQDN (Fully Qualified Domain Name) as a Common name (in some control panels it can also be called Host name or Domain name) -e..g. domain.com or anything.domain.com. The hostname should be listed without http:// at the beginning. This should not be an intranet hostname (something.local) or an IP address. Local hostnames and IP addresses require a specific type of certificates that we do not have available at the moment.
  2. Characters in the CSR should be alphanumeric, no special characters should be used [! @ # $ % ^ ( ) ~ ? > < & / \ , . " ' _] If you are using a password for your CSR/RSA pair, please make sure there are no special characters in the password as well.

  3. Country code should be a valid ISO 3166-1 two-letter code (e.g. US, AU, CA). If you are located in the United Kingdom, your country code will be «GB» instead of «UK». The country code should be listed as two capital letters.
  4. Make sure you have included the header and footer of the CSR into the enrollment form. The header and footer will look like:

    -----BEGIN CERTIFICATE REQUEST-----

    encoded data

    -----END CERTIFICATE REQUEST-----

  5. There have to be 5 dashes on each side of Begin and End certificate request. There should also be no trailing spaces in the CSR.
  6. Your CSR code length should be at least 2048-bit.
  7. You should have no SAN (Subject Alternative Names) within your CSR code if you are using a non-UCC certificate.
  8. In most cases during CSR generation you also receive an RSA Private key (starts with -----BEGIN RSA PRIVATE KEY-----). You don’t need to include it into the CSR field. The RSA Private key should be saved, as it is required during SSL installation.
  9. Before pasting CSR into the field paste it into a simple text editor (notepad, textedit) to make sure formatting is correct.
  10. If you are renewing your certificate, your common name has to be the same as the original one - the domain should not be changed. Though, for certificates reissuance, it is possible to use another domain name or another subdomain to have the certificate reissued for it.
Updated
Viewed
85869 times

Need help? We're always here for you.

notmyip