
Certificate Signing Request (CSR) Overview

Before you can generate an SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for the domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which pairs with the private key on the server. The CSR also provides the information listed below to the certificate authority.

Common Name (CN):

  • The "Fully Qualified Domain Name" (FQDN) of your server (ex. webserver.example.com). It must match the address you wish to secure in the web browser.

Organization Name (O):

  • The legal name of your company/organization (ex. Google, Inc.). Do not abbreviate your company name. Your company name should include the corporate identifier, such as "Inc.", "Corp" or "LLC" (if applicable). For DV orders, you can use your name (ex. John Doe).

Organization Unit (OU):

  • The unit or division of the company/organization managing the certificate (ex. IT Department).

Locality (L):

  • Enter your city. (ex. Mountain View)

State or Province Name (ST):

  • Enter your state/province of residence.  (ex. California)

Country (C):

  • Enter your country. (ex. The United States or the US)

Email Address:

  • An email address associated with the company (ex. webmaster@google.com)

Root Length:

  • The bit-length determines the strength of the key and how easily it could be compromised using brute force methods. 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future.

Signature Algorithm:

  • Certificate Authorities use hashing algorithms, which generate unique hash values from files, to sign SSL certificates and CRLs (Certificate Revocation Lists). The current industry standard is that all SSL certificates issued are signed using the SHA-2 family of hashing algorithms.

As mentioned above, in addition to creating a CSR, the web server will also export another file called a private key. The private key is a unique cryptographic key related to the corresponding CSR. Never share your private key with anyone that you do not know or trust. The private key is used to decrypt sensitive data transmitted to and from your server. If your private key is lost or compromised, then malicious users can read all of your encrypted communications. A compromised private key could put your organization’s entire reputation at risk, defeating the method behind the Public Key Infrastructure (PKI). If the private key is ever lost or compromised, it is standard and recommended practice to reissue your SSL certificate. Reissuing an SSL certificate ensures that a new private key is generated by the server and restores security once the newly reissued certificate has been installed.

Example CSR

Most CSRs created in the Base-64 encoded PEM format include the lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example:

 

-----BEGIN CERTIFICATE REQUEST-----
[Base-64 encoded request data]
-----END CERTIFICATE REQUEST-----

 

Issuing SSL certificates requires verification of specific details given to the web server and used to create the CSR (ex. the server's "common" name, the organization name, and ). These details can easily be decoded using a CSR Decoder tool. This tool is most commonly used to troubleshoot errors received during the generation process. It reveals entry mistakes made during the creation of the CSR, so the information can be corrected when creating a new key pair.
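The same checks a CSR decoder performs can be run locally with OpenSSL before the request is submitted. The script below is an added example, not part of the original article or its generation instructions: it creates a 2048-bit key and SHA-256 signed CSR, then decodes the CSR and confirms the Common Name, key size, signature algorithm and that the CSR carries the public half of the private key. The subject values, file names and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: create a key pair and CSR, then decode and check the CSR.
# Subject values are constructed sample data, not a real organization.
SUBJ='/C=US/ST=California/L=Mountain View/O=Example Inc/OU=IT Department/CN=webserver.example.com'

# make_csr DIR: write DIR/server.key (owner-only permissions) and DIR/server.csr
make_csr() {
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# csr_field CSR NAME: print one subject field (CN, O, OU, L, ST, C)
csr_field() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

csr_key_bits() { # size of the public key carried in the CSR
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

csr_sig_alg() { # algorithm used to self-sign the request
  openssl req -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# csr_matches_key CSR KEY: succeed only if the CSR holds KEY's public half
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY EXPECTED_CN: print "ok" or the first problem found
check_csr() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "bad self-signature"; return 1; }
  [ "$(csr_field "$1" CN)" = "$3" ] || { echo "CN mismatch"; return 1; }
  [ "$(csr_key_bits "$1")" -ge 2048 ] || { echo "key under 2048 bits"; return 1; }
  case "$(csr_sig_alg "$1")" in      # RSA naming, e.g. sha256WithRSAEncryption
    sha256*|sha384*|sha512*) ;;
    *) echo "not signed with SHA-2"; return 1 ;;
  esac
  csr_matches_key "$1" "$2" || { echo "CSR does not match private key"; return 1; }
  echo ok
}
```

Only `server.csr` is sent to the CA; `server.key` stays on the server, and a "CSR does not match private key" result means the issued certificate would not work with that key.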

 

When making your CSR and private key, please reference our easy-to-read CSR Generation Instructions for your specific server environment. If you are not sure what server type you’re using or need assistance with any step of the process, please contact our 24×7 Technical Support by phone, live chat, or email.
