How to put domain correctly in CSR?

Each SSL certificate's life cycle consists of three main stages: activation, validation of domain ownership (and, in some cases, company ownership), and installation of the certificate file on the server where the website is hosted. To see a secure https:// connection in the address bar, we need to understand this whole three-stage process, which begins with CSR code generation.

CSR stands for Certificate Signing Request, and it is the first and essential step towards obtaining an SSL certificate issued for your domain name. When an SSL certificate is purchased, it is not yet assigned to any domain or subdomain name. The CSR code lets you indicate the exact (sub)domain you would like your certificate issued for. The CSR code can be generated either with your hosting software or by your hosting provider. These how-to manuals can be used. As a rule, you will be asked to provide the following information:

  • Organization (O)
  • Organizational Unit (OU)
  • Country (C)
  • State (S)
  • Locality (L)
  • Common Name (CN)

Here is what a CSR code looks like:

-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9yb
mlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGU
*** More encoded data here***
gSW5jMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQD
Ew53d3cuZ26iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----

If all the aforementioned points are self-explanatory, the “common name” part deserves some additional detail. The common name is one (or more) host name(s) associated with the SSL certificate. In other words, it is the Fully Qualified Domain (or subdomain) Name (FQDN) that you would like to make accessible over HTTPS. Keep in mind, however, that once issued, the SSL certificate will be valid only for the exact FQDN indicated in your CSR code, and HTTPS access to subdomains will result in a browser warning. An example makes this clearer:

An SSL certificate activated with a CSR code generated for www.example.com will not cover security.example.com or any other subdomain of example.com. It will be valid only for the FQDN indicated in the CSR. Likewise, an SSL certificate activated with a CSR code generated for security.example.com will cover neither www.example.com nor example.com.

CSR code needs to be generated in accordance with certain rules. The general requirement is to use alphanumeric characters and no special characters like ! @ # $ % ^ ( ) ~ ? > < & / \ , . " ' _. More details can be checked here. Please avoid a passphrase during CSR code generation. The Challenge Password is the CSR attribute that specifies a password by which an entity may request a certificate revocation. Such a practice was deprecated long ago and nowadays is considered obsolete.

IDN domain names (International Domain Names) are gaining popularity. If you have registered such a domain name, you can secure it with an SSL certificate. In this case your domain name needs to be converted into Punycode and indicated in the CSR code as the common name. Feel free to use this converter for this purpose.

It is worth mentioning that there are SSL certificates that can cover both www.example.com and example.com. COMODO CA (now Sectigo CA) has been offering this option for quite a long time.

The table below with examples might be useful during CSR code generation.
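The checks described above can be run on a candidate Common Name before it is typed into the CSR form. The following is an added example, not code from this page or from any CA: the function name `normalize_common_name` is hypothetical, and it assumes Python's built-in `idna` codec (IDNA 2003), whose output can differ from a CA's converter for a few characters.

```python
import re

# One DNS label after Punycode conversion: letters, digits and hyphens only,
# 1-63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_common_name(name):
    """Return the ASCII Common Name to put in the CSR, or raise ValueError."""
    name = name.strip().rstrip(".")
    if "/" in name or ":" in name:
        raise ValueError("Common Name is a host name, not a URL: %r" % name)
    labels = name.split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
    if any("*" in label for label in labels):
        raise ValueError("only one asterisk, as the leftmost label: %r" % name)
    if len(labels) < 2:
        raise ValueError("not a fully qualified domain name: %r" % name)
    ascii_labels = []
    for label in labels:
        try:
            # Built-in IDNA codec: non-ASCII labels become xn--... (Punycode).
            ascii_label = label.encode("idna").decode("ascii").lower()
        except UnicodeError as exc:
            raise ValueError("cannot convert label %r to Punycode" % label) from exc
        if not _LABEL.match(ascii_label):
            raise ValueError("invalid character or length in label %r" % label)
        ascii_labels.append(ascii_label)
    return ".".join((["*"] if wildcard else []) + ascii_labels)


if __name__ == "__main__":
    # Constructed sample inputs; "b\u00fccher" is "bücher" written with an escape.
    for candidate in ["WWW.Example.com", "b\u00fccher.example", "*.example.com",
                      "*.*.example.com", "my_site.example.com"]:
        try:
            print(candidate, "->", normalize_common_name(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```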


SINGLE DOMAIN SSL CERTIFICATES

| Desired result | CSR code needs to be generated for... | SSL certificates with an available option |
|---|---|---|
| https://www.example.com and https://example.com | You can generate your CSR code either for www.example.com or for example.com. Your certificate will cover both host names. | PositiveSSL, EssentialSSL, InstantSSL, InstantSSL Pro, PremiumSSL, EV SSL |

WILDCARD SSL CERTIFICATES

| Desired result | CSR code needs to be generated for... | SSL certificates with an available option |
|---|---|---|
| https://example.com, https://www.example.com, https://subdomain.example.com, https://subdomain1.example.com, https://anything.example.com (*unlimited*) | CSR code needs to be generated for *.example.com. Such a certificate will cover an unlimited amount of one level subdomains that can be placed instead of an asterisk. Base domain (example.com) is covered as well. | PositiveSSL Wildcard, Essential Wildcard, PremiumSSL Wildcard |
| https://subdomain.example.com, https://subdomain1.subdomain.example.com, https://subdomain2.subdomain.example.com, https://subdomain3.subdomain.example.com, https://subdomain4.subdomain.example.com (*unlimited*) | CSR code needs to be generated for *.subdomain.example.com. Such a certificate will cover an unlimited amount of one level subdomains that can be placed instead of an asterisk. Base domain (subdomain.example.com) is covered as well, but not example.com. | PositiveSSL Wildcard, Essential Wildcard, PremiumSSL Wildcard |

NB: Wildcard certificates cannot be activated with the CSR code generated for *.*.example.com or *.*.subdomain.example.com


MULTI-DOMAIN SSL CERTIFICATES

| Desired result | CSR code needs to be generated for... | SSL certificates with an available option |
|---|---|---|
| https://www.example.com, https://example.com, https://domain.net, https://www.domain.net, https://subdomain.domain.net, https://domain.org, https://subdomain.domain.org (*any combination of subdomain or domain names and TLDs*) | CSR code needs to be generated for all the domain or subdomain names you would like to secure with an SSL certificate. However, if your web server software does not allow it, you can generate it for one domain name and type others manually during the activation process. | PositiveSSL Multi-Domain, EV Multidomain SSL, Multi-Domain SSL, Unified-Communications |

NB: PositiveSSL Multi-Domain, EV Multidomain SSL, Multi-Domain SSL and Unified-Communications can secure up to 100 domain or subdomain names. Bare domain (example.com) and its www-subdomain (www.example.com) need to be indicated separately in the CSR code.

Please keep in mind that CSR code for these certificates should contain two (sub)domain names minimum (if the certificate is purchased as a Multi-Domain one, of course). Otherwise, it will not be possible to activate it and add other domain names later on, when needed. If there is no option to generate a CSR code for multiple hostnames using your hosting software, an additional domain name can be added manually during the activation process.
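To check a planned CSR against the host names you actually need before activation, the coverage rules from the three tables above can be written out as code. This is an added example, not part of the original article: the names `covered` and `uncovered` are hypothetical, and applying the www/non-www pairing to any single-domain CN is an assumption (the page shows it for example.com and www.example.com).

```python
def covered(kind, csr_names, host):
    """True if `host` is covered by a certificate of `kind` ("single",
    "wildcard" or "multi") activated with a CSR for `csr_names`."""
    host = host.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in csr_names]
    if kind == "single":
        # CN may be www.example.com or example.com; both host names are covered.
        # Assumption: the same pairing is applied to any CN.
        cn = names[0]
        bare = cn[4:] if cn.startswith("www.") else cn
        return host in (bare, "www." + bare)
    if kind == "wildcard":
        cn = names[0]
        if not cn.startswith("*.") or "*" in cn[2:]:
            raise ValueError("wildcard CN must look like *.example.com: %r" % cn)
        base = cn[2:]
        if host == base:
            return True  # the base domain is covered as well
        first_label, _, rest = host.partition(".")
        # The asterisk stands for exactly one label, never for several levels.
        return bool(first_label) and rest == base
    if kind == "multi":
        # Every name is listed separately, including example.com vs www.example.com.
        return host in names
    raise ValueError("unknown certificate kind: %r" % kind)


def uncovered(kind, csr_names, hosts):
    """Hosts from `hosts` that would produce a browser warning."""
    return [h for h in hosts if not covered(kind, csr_names, h)]


if __name__ == "__main__":
    # Constructed host list, using the example names from this page.
    wanted = ["example.com", "www.example.com", "subdomain.example.com",
              "subdomain1.subdomain.example.com"]
    print(uncovered("single", ["www.example.com"], wanted))
    print(uncovered("wildcard", ["*.example.com"], wanted))
    print(uncovered("multi", ["www.example.com", "domain.net"], wanted))
```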

If there is any concern regarding the most suitable SSL certificate type, common name in the CSR code, certificate activation procedure or any other - please do not hesitate to contact us at your best convenience via Live Chat or Ticket. Our doors are 365/24/7 open for you!
