What is a Certificate Signing Request?
A Certificate Signing Request (CSR code) is a block of encoded text that contains the information about the organization that applies for an SSL certificate, and the domain that needs to be secured. A CSR is what you give to the COMODO Certificate Authority (now Sectigo CA), to generate your SSL certificate. It is an essential part of obtaining an SSL certificate.
The CSR code also contains the public key that will be embedded in the issued certificate. CSR code is generated out of the RSA private key and most often CSR and RSA key are generated at the same time depending on the control panel or web server type the key pair is generated on. Public and private keys are related in such a way that only a public key can be used to encrypt messages, and only the corresponding private key can be used to decrypt them. Therefore, after the RSA key and CSR code are generated, you can use the CSR code for the certificate activation through your account with us. In the meanwhile, the private key should remain secret and be stored on the server, it will be needed for the certificate installation on the server and will be used to decrypt the information encrypted with the public key.
Thus, we recommend generating CSR codes (with RSA private keys) on the servers the certificate will be subsequently installed on.
If the private key was lost, deleted or compromised, a new pair of CSR and RSA should be generated and the certificate should be reissued.
What details are included in the CSR code?
As a rule, the CSR code contains the following details; they should be filled in when creating the CSR code:
- Common name: A fully qualified domain name that needs to be secured with an SSL certificate. If you want to generate a CSR code for a Wildcard certificate use an asterisk in front of the domain (for instance, *.yourdomain.com)
- Organization: Legally registered company name
- Organization Unit: Division or department of the organization that applies for an SSL certificate
- Locality: City where the company is located
- State: State or region where the company is located
- Country: Two-letter ISO code of the country where the company is located.
- Email address: E-mail address of the organization applicant.
- Key size: Size of the public and private keys. The minimum possible value is 2048-bit. 4096-bit CSR codes generated on Linux servers are supported as well.
What is the format of the CSR code?
A CSR code is a Base-64 block of text framed with -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags. Below, you can see how a 2048-bit key CSR code looks like:
How can I check the details included in the CSR code?
To check the information used for the CSR code generation, you can decode the CSR code using one of the tools below:
The CSR code can be also decoded with Linux command line using the following command:
openssl req -in server.csr -noout -text
How can I generate a CSR code?
In most cases, a Certificate Signing Request is generated by the web hosting company on the server the certificate is going to be installed on. If you have your own server or independent software, you may refer to the server documentation or check CSR generation instructions.