Before an SSL certificate can be issued, the certificate requester must create a Certificate Signing Request (CSR) for the domain name or hostname of the web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which pairs with the private key that stays on the server. The CSR also carries the information listed below for the certificate authority.
Common Name (CN):
- The Fully Qualified Domain Name (FQDN) of your server (ex. webserver.example.com). It must match the address you wish to secure in the web browser.
Organization Name (O):
- The legal name of your company/organization (ex. Google, Inc.). Do not abbreviate your company name; include the corporate identifier such as "Inc.", "Corp" or "LLC" (if applicable). For DV orders, you can use your own name (ex. John Doe).
Organization Unit (OU):
- The unit or division of the company/organization managing the certificate (ex. IT Department).
Locality (L):
- Enter your city (ex. Mountain View).
State or Province Name (ST):
- Enter your state/province of residence (ex. California).
Country (C):
- Enter your country (ex. US for the United States).
Email Address:
- An email address associated with the company (ex. email@example.com).
Key Size:
- The key's bit-length determines its strength, that is, how hard it is to compromise by brute force. A 2048-bit key is the current industry standard and is used to ensure security well into the foreseeable future.
Signature (Hashing) Algorithm:
- Certificate Authorities use a hashing algorithm when signing SSL certificates and CRLs (Certificate Revocation Lists): the algorithm produces a unique, fixed-length hash value of the content, and that value is what the CA signs. The current industry standard is that all SSL certificates issued are signed using a SHA-2 family hash.
As mentioned above, in addition to the CSR, the web server also generates a second file called the private key. The private key is the unique cryptographic key that corresponds to the public key in the CSR. Never share your private key with anyone you do not know or trust. The private key is used to decrypt sensitive data transmitted to and from your server, so if it is lost or compromised, malicious users can read all of your encrypted communications. A compromised private key puts your organization's entire reputation at risk and defeats the purpose of the Public Key Infrastructure (PKI). If the private key is ever lost or compromised, it is standard practice, and recommended, to reissue your SSL certificate from a new CSR. Re-issuing ensures that a new private key is generated on the server and restores security once the re-issued SSL certificate has been installed.
Most CSRs are created in the Base-64 encoded PEM format, which wraps the request in the header and footer lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----". A standard PEM format CSR looks like the following example:

```
-----BEGIN CERTIFICATE REQUEST-----
MIIDGDCCAgACAQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQKEw1Hb29nbGUsIEluYy4g
MRcwFQYDVQQLEw5JVCBEZXB0YXJ0bWVudDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5j
b20xIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBnb29nbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3NT5DBBDql5gTB4/6Zsq/C1iwO4yBD2
nThaNfO1qHKUjnFz0oua+54x97TjmHItRH5H+jPJvmzzb4TUJ274CRFhquOOMZVM
dVIG9FUjogJstMqv4GtBC4C/ype0ilAcPEBjRi9bFiR/g43qPCnlRAJNo4cJko7n
W7erAJsRPNiQMr5UJN9h3GuQMPw6uaI/0OWuWjSTLzEBMujHhPySgZIv1SurVXDz
iFC6S6qvc9XQ1z6tkmrttdoOfDI+eT75QxysHmctgAvkZaFEoRASqcqf3iYyl9Qw
mh0xuLSoR9HTvaD9DhxAIa4/1+l6D9MGb/01+lip7AjqdnTTzSBfcQIDAQABoCkw
JwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAQEAZyMkFtElkS3vQoCPVHevrFcPgrx/Fqx0UdQdnf2RyoJ3jqiU
yPo5+5BHA9kY0TuJLhgMIq0QWAbzZYNL0+J8UUcx8EvMK6DqPpKteyYFCMw6GEzu
diq4RE/8Ea9UpGbw8GH1oEsUksBTwrs06OSOVgDXkJ1XY4VaRkMPflgQWGULgKYO
2P/zcFowENruGLJO7ynyUkm5idKdYzDqk7c7bqyLywOEPxSRKVyblmzqiFCOlCqp
HozZ9+5TmrMPD/hO1uHVECcL08RMGXoGMajojI8CE+cmkaWLq3PZt08Sv0F/Itop
O8XAZ2bYTK4HQfPm+Fud22SD+DkSwt8vN8Lu2g==
-----END CERTIFICATE REQUEST-----
```
Issuing an SSL certificate requires verifying the details that were entered on the web server when the CSR was created (ex. the server's common name and the organization name). These details can easily be read back with a CSR Decoder tool, which is most commonly used to troubleshoot errors received during the order process: it reveals entry mistakes made when the CSR was created so that the information can be corrected and a new key pair and CSR generated.
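A minimal CSR decoder, added here as an example and not part of the original article, written in Python with only the standard library: it parses the DER structure inside a PEM CSR and reports the subject fields, key algorithm and size, and signature algorithm, which is the information a CSR Decoder tool shows. It embeds the page's own example CSR as EXAMPLE_CSR; the NAMES table maps the hex-encoded bodies of the relevant OIDs to their short names, unknown OIDs are reported as raw hex, and the CSR's self-signature is not verified.

```python
import base64
EXAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIDGDCCAgACAQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQKEw1Hb29nbGUsIEluYy4g
MRcwFQYDVQQLEw5JVCBEZXB0YXJ0bWVudDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5j
b20xIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBnb29nbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3NT5DBBDql5gTB4/6Zsq/C1iwO4yBD2
nThaNfO1qHKUjnFz0oua+54x97TjmHItRH5H+jPJvmzzb4TUJ274CRFhquOOMZVM
dVIG9FUjogJstMqv4GtBC4C/ype0ilAcPEBjRi9bFiR/g43qPCnlRAJNo4cJko7n
W7erAJsRPNiQMr5UJN9h3GuQMPw6uaI/0OWuWjSTLzEBMujHhPySgZIv1SurVXDz
iFC6S6qvc9XQ1z6tkmrttdoOfDI+eT75QxysHmctgAvkZaFEoRASqcqf3iYyl9Qw
mh0xuLSoR9HTvaD9DhxAIa4/1+l6D9MGb/01+lip7AjqdnTTzSBfcQIDAQABoCkw
JwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAQEAZyMkFtElkS3vQoCPVHevrFcPgrx/Fqx0UdQdnf2RyoJ3jqiU
yPo5+5BHA9kY0TuJLhgMIq0QWAbzZYNL0+J8UUcx8EvMK6DqPpKteyYFCMw6GEzu
diq4RE/8Ea9UpGbw8GH1oEsUksBTwrs06OSOVgDXkJ1XY4VaRkMPflgQWGULgKYO
2P/zcFowENruGLJO7ynyUkm5idKdYzDqk7c7bqyLywOEPxSRKVyblmzqiFCOlCqp
HozZ9+5TmrMPD/hO1uHVECcL08RMGXoGMajojI8CE+cmkaWLq3PZt08Sv0F/Itop
O8XAZ2bYTK4HQfPm+Fud22SD+DkSwt8vN8Lu2g==
-----END CERTIFICATE REQUEST-----"""  # the PEM CSR example shown on this page

NAMES = {"550403": "CN", "550406": "C", "550407": "L", "550408": "ST", "55040a": "O",  # DER OID bodies (hex)
         "55040b": "OU", "2a864886f70d010901": "emailAddress",
         "2a864886f70d010101": "rsaEncryption", "2a864886f70d01010b": "sha256WithRSAEncryption"}

def tlvs(buf, pos=0):  # yield the (tag, value) elements of a DER SEQUENCE/SET body
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + n - 0x80], "big"), pos + n - 0x80
        yield tag, buf[pos:pos + n]
        pos += n

def decode_csr(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    info, sig_alg, _signature = tlvs(next(tlvs(base64.b64decode(body)))[1])  # CertificationRequest
    _version, subject, spki, *_attrs = tlvs(info[1])  # CertificationRequestInfo
    dn = {}
    for _, rdn in tlvs(subject[1]):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in tlvs(rdn):
            (_, oid), (_, value) = tlvs(atv)
            dn[NAMES.get(oid.hex(), oid.hex())] = value.decode()
    alg_id, pubkey = tlvs(spki[1])
    key_alg = NAMES.get(next(tlvs(alg_id[1]))[1].hex(), "unknown")
    # RSA BIT STRING body: one unused-bits byte, then RSAPublicKey ::= SEQUENCE {modulus, exponent}
    modulus = next(tlvs(next(tlvs(pubkey[1][1:]))[1]))[1] if key_alg == "rsaEncryption" else b""
    return {"subject": dn, "key_algorithm": key_alg,
            "key_bits": int.from_bytes(modulus, "big").bit_length() or None,
            "signature_algorithm": NAMES.get(next(tlvs(sig_alg[1]))[1].hex(), "unknown")}
```

Decoding the example above reports the OU as "IT Deptartment", exactly the kind of entry mistake a decoder exposes before the CSR is submitted to the CA.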
When making your CSR and private key, please reference our easy-to-read CSR Generation Instructions for your specific server environment. If you are not sure what server type you’re using or need assistance with any step of the process, please contact our 24×7 Technical Support by phone, live chat, or email.