Certificate Signing Request

13 Dec 2019

What is a Certificate Signing Request (CSR)?

For those of you who are new to SSL, or even you veterans who just want to brush up on your knowledge, we’re starting a series on SSL basics. First up are certificate signing requests (CSRs). These little files are a critical part of applying for an SSL Certificate, but what are they exactly and how can you generate one?

A certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key. We’ll go into more details on the roles of these keys below.

 

What Information Is Included in a CSR?

 

The CA will use the data from the CSR to build your SSL Certificate. The key pieces of information include the following.

1. Information about your business and the website you’re trying to equip with SSL, including:

Common Name (CN)
The fully qualified domain name (FQDN) of your server, e.g. *.example.com, www.example.com

Organization (O)
The legal name of your organization. Do not abbreviate it, and include any suffixes, such as Inc., Corp., or LLC.

For EV and OV SSL Certificates, this information is verified by the CA and included in the certificate.

Organizational Unit (OU)
The division of your organization handling the certificate.

City/Locality (L)
The city where your organization is located. This shouldn't be abbreviated.

State/County/Region (S)
The state/region where your organization is located. This shouldn't be abbreviated.

Country (C)
The two-letter code for the country where your organization is located.

Email Address
An email address used to contact your organization.

 

2. The public key that will be included in the certificate. SSL uses public-key, or asymmetric, cryptography to encrypt transmitted data during an SSL session. The public key is used to encrypt and the corresponding private key is used to decrypt.

3. Information about the key type and length. The most common key size is RSA 2048.

 

What Does a CSR Look Like?

The CSR itself is usually created in Base64-encoded PEM format. You can open the CSR file in a simple text editor, and it will look like the sample below. You must include the header and footer lines (-----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) when pasting the CSR.

-----BEGIN NEW CERTIFICATE REQUEST-----MIIDVDCCAr0CAQAweTEeMBwGA1UEAxMVd3d3Lmpvc2VwaGNoYXBtYW4uY29tMQ8w DQYDVQQLEwZEZXNpZ24xFjAUBgNVBAoTDUpvc2VwaENoYXBtYW4xEjAQBgNVBAcT CU1haWRzdG9uZTENMAsGA1UECBMES2VudDELMAkGA1UEBhMCR0IwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAOEFDpnOKRabQhDa5asDxYPnG0c/neW18e8apjOk 1yuGRk+3GD7YQvuhBVS1x6wkw1D2RnmnZgN1nNUK0cRK7sIvOyCh1+jgD7u46mLk 81j+b4YSEmYZGPLIuclyocPDm0hXayjCUqWt7z6LMIKpLym8gayEZzz9Gn97PsbP kVFBAgMBAAGgggGZMBoGCisGAQQBgjcNAgMxDBYKNS4xLjI2MDAuMjB7BgorBgEE AYI3AgEOMW0wazAOBgNVHQ8BAf8EBAMCBPAwRAYJKoZIhvcNAQkPBDcwNTAOBggq hkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMH MBMGA1UdJQQMMAoGCCsGAQUFBwMBMIH9BgorBgEEAYI3DQICMYHuMIHrAgEBHloA TQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMA cgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIDgYkAk0kf HSkr4jsEVya3mgUoyaYMO456ECNZr4Cb+WhPgexfjOO5qwOG1oDOTaKycrkc5pG+ IPBQnq+4cotT8hWJQwpc+qGb8xUETpxCokhrhN5079vFXq/5dsHkmtOTwkSqSnz9 yruVoxYeDQ8jI3KG3HTgxwFto8oZnm+E+Y4oshUAAAAAAAAAADANBgkqhkiG9w0B AQUFAAOBgQAuAxetLzgfjBdWpjpixeVYZXuPZ+6jvZNL/9hOw7Fk5pVVXWdr8csJ 6JUW8QdH9KB6ZlM4yg8Df+vat1/DG6GuD2hiIR7fQ0NtPFBQmbrSm+TTBo95lwP+ ZSZTusPFTLKaqValdnS9Uw+6Vq7/I4ouDA8QBIuaTFtPOp+8wEGBHQ==
-----END NEW CERTIFICATE REQUEST-----

 

Creating a CSR with OpenSSL is very easy:

openssl req -new -newkey rsa:2048 -nodes -out onessl_net.csr -keyout onessl_net.key -subj "/C=US/ST=CA/L=Los Angeles/O=SSL/OU=OoneSSL.Net/CN=onessl.net"

You will see that 2 files have been created:

onessl_net.key

onessl_net.csr

onessl_net.csr is your CSR; this is the file you send to us.

onessl_net.key is your private key, which you deploy on your server. The private key is very important and it is recommended to store it in a safe place.
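Before sending a CSR to the CA, it is worth confirming that its signature verifies and that it really carries the public key of the private key you intend to deploy. The script below is an added example, not part of the original article; the function names, file names and subject values are constructed placeholders, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. File names and subject values are constructed placeholders.

# make_csr DIR BASENAME SUBJECT
# Writes DIR/BASENAME.key and DIR/BASENAME.csr (RSA 2048, as in the article).
make_csr() {
    (
        umask 077   # new files are created owner-only, protecting the key
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
    )
}

# csr_signature_ok CSR
# True if the CSR's signature verifies against the public key inside it.
# Matches the "verify OK" message instead of trusting the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_matches_key CSR KEY
# True if the public key in the CSR is the one derived from the private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# check_csr CSR KEY
# Runs both checks, then prints the subject so a human can review it.
check_csr() {
    csr_signature_ok "$1" || { echo "FAIL: CSR signature" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "FAIL: CSR does not match key" >&2; return 1; }
    openssl req -in "$1" -noout -subject
}

# Demo run in a scratch directory.
workdir=$(mktemp -d)
make_csr "$workdir" example_com \
    "/C=US/ST=CA/L=Los Angeles/O=Example Inc./CN=www.example.com"
check_csr "$workdir/example_com.csr" "$workdir/example_com.key"
rm -rf "$workdir"
```

A mismatch reported by check_csr usually means the CSR was generated from a different key file than the one about to be installed, which would make the issued certificate unusable on that server.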