A Certificate Signing Request (CSR) is the request file to be sent to a Certification Authority (CA) when requesting an SSL certificate. The CSR is created along with the public/private key pair and contains the public key. Examples are provided below on how to generate a CSR, and take note that the private key generated along with the CSR should be kept secret. This should be generated on the server where the SSL certificate will be installed. Different web servers require the private key to be stored in different ways, but regardless, always remember to protect the private key. The CA will only need the CSR to generate and issue the SSL certificate and WILL NOT need the private key.
A Certificate Signing Request header looks like the following:
-----BEGIN CERTIFICATE REQUEST-----and the footer looks like:
-----END CERTIFICATE REQUEST-----Certificate Signing Request data and contents
| Property | Description | Example |
| Country Name | 2 letter code | US |
| State or Province Name | Full name | Virginia |
| Locality Name | City | Richmond |
| Organization Name | Company | Example Company |
| Organizational Unit Name | Section/Department | Information Technology |
| Common Name | server FQDN or YOUR name | example.com |
| Email Address | contact email address | example@example.com |
| Challenge password | Optional | password |
| Company Name | Optional | Example Company |
| Public Key | Auto generated | auto generated public key |
Note that the Certificate Signing Request Common Name will be an FQDN for an SSL server certificate, a human name for a personal client certificate, or an application name for an application client certificate.
How to generate or create a Certificate Signing Request (CSR)
Using openssl:
openssl req -newkey rsa:4096 -keyout key.pem -out req.pem -nodesNote that -nodes means your private key will be plain text. Also, note that the key size specified in rsa:4096 must be at least 2048 to be secure. While 2048 is deemed secure, we recommend going ahead with 4096 key size.
If you prefer to use the Java keytool over openssl, see our article on generating a CSR with the Java keytool.
A few Certification Authorities to send your CSR to (in no particular order):
- The SSL Store
- Comodo
- Sectigo
- RapidSSL
- DigiCert
- Alternatively, make use of the Automated Certificate Management Environment (ACME) and use Let’s Encrypt to automate your certificate request process.
Decoding a Certificate Signing Request
You can decode a CSR with the following openssl command:
openssl req -in req.pem -noout -text
Leave a Reply