A Certificate Signing Request (CSR) is a specially formatted block of text (PKCS #10 format, usually Base64-encoded between BEGIN/END CERTIFICATE REQUEST lines) that contains your public key and the identifying information you want in the certificate, signed with the matching private key. It is used to enroll for an SSL/TLS certificate. The information in the CSR is what the Certificate Authority (CA) validates before it issues the certificate.
The CSR, like the public key it carries, contains nothing secret. It can be given freely to the CA (or to anyone else); only the private key, which stays on your server, must be protected.
When enrolling for an SSL/TLS server certificate from a publicly trusted CA, the request has to meet standards set by the CA/Browser Forum and by various RFCs from the IETF (Internet Engineering Task Force). Some of these standards include:
- RSA keys shorter than 2048 bits are not accepted, and no certificate will be issued for them.
- No SHA-1 or MD5 signature algorithms; sign the CSR with SHA-256 or stronger.
- Certificates issued by public CAs will not contain internal server names (such as .local hostnames) or private/reserved IP addresses.
- A wildcard (*) is accepted only as the whole leftmost label, for example *.domain.com, not *.*.domain.com or www*.domain.com.
- RFC 1035 from the IETF limits each label of a hostname to letters, digits and hyphens, so an underscore (_) or a space (" ") is not allowed in an issued certificate.
- No special characters such as @#$%& in the Common Name of the CSR or the issued certificate. A name like abc_123.domain.com would be rejected because of the underscore.
- A hyphen (-) is acceptable, as long as it is not the first or last character of a label.
Many CAs will automatically reject a CSR that falls outside these industry standards, so check the name before you generate the request.
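The rules above are easy to check before you generate anything. The following shell function is an added example written for this article, not a tool from the original page or from any CA: it applies the naming rules listed above (no whitespace or underscore, no IP address or .local name, wildcard only as the whole leftmost label, RFC 1035 label syntax with hyphens not at the start or end of a label, at least two labels, 253-character limit) and reports the first rule a proposed Common Name breaks. All host names in the comments and usage are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: check a proposed Common Name
# against the enrollment rules above before generating the CSR, so the CA does
# not reject it. Exit status 0 = acceptable, 1 = rejected (reason on stdout).

check_common_name() {
    local name="$1" host="$1" lower

    # RFC 1035 hostnames never contain whitespace or underscores.
    case "$name" in
        *[[:space:]]*) echo "reject: whitespace in '$name'"; return 1 ;;
        *_*)           echo "reject: underscore in '$name' (RFC 1035)"; return 1 ;;
    esac

    # Public CAs do not issue for bare IP addresses or internal .local names.
    if printf '%s' "$name" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        echo "reject: '$name' is an IP address, not a host name"; return 1
    fi
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.local) echo "reject: '$name' is an internal .local name"; return 1 ;;
    esac

    # A wildcard is accepted only as the entire leftmost label (*.domain.com).
    case "$name" in
        '*.'*) host=${name#'*.'} ;;
    esac
    case "$host" in
        *'*'*) echo "reject: wildcard must be the whole leftmost label of '$name'"; return 1 ;;
    esac

    # What remains must still have at least two labels (*.com and
    # single-label internal names are rejected).
    case "$host" in
        *.*) ;;
        *)   echo "reject: '$name' needs at least two labels"; return 1 ;;
    esac

    # Total length limit for a hostname (RFC 1035).
    if [ "${#name}" -gt 253 ]; then
        echo "reject: '$name' is longer than 253 characters"; return 1
    fi

    # Each label: letters, digits and hyphens only, 1-63 characters, and the
    # hyphen may not be first or last. grep -v finds any label that fails.
    if printf '%s\n' "$host" | tr '.' '\n' \
        | grep -Evq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'; then
        echo "reject: '$name' contains an invalid DNS label (RFC 1035)"; return 1
    fi

    echo "ok: '$name'"
}

# Illustrative usage (constructed names):
check_common_name 'www.domain.com'      # ok
check_common_name '*.domain.com'        # ok
check_common_name 'abc_123.domain.com'  # reject: underscore
check_common_name '*.*.domain.com'      # reject: wildcard placement
```

Run the function against each name you intend to put in the CSR; anything it rejects would also be rejected by the CA's enrollment checks, and fixing it here avoids generating a second request.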
Creating a CSR also creates your private key; the two are generated as a pair. The private key stays on the system or application where the CSR was generated. It is never sent to the CA, and unlike the CSR (which holds only public information) it should be protected with restrictive file permissions and, where your platform supports it, a passphrase. You will need the private key later to install the certificate, and it will only work with the certificate issued for its matching public key.
A CSR must contain the following information:
- Country Name (C): the two-letter ISO country code without punctuation, for example US or CA.
- State or Province (ST): spell out the state or province name completely; do not abbreviate it, for example Massachusetts.
- Locality or City (L): the city or town name, for example Boston. Do not abbreviate: Saint Louis, not St. Louis.
- Company (O): the legal name of the organization. If the company or department has an &, @, or any other symbol typed with the shift key in its name, the symbol must be spelled out or omitted in order to enroll. For example, XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): the name of the department or organizational unit making the request. The field is optional (press Enter to skip it), and publicly trusted CAs no longer include it in issued certificates.
- Common Name (CN): the fully qualified domain name (FQDN) you are securing, not a URL, for example www.domain.com rather than https://www.domain.com/. For a wildcard certificate, put an asterisk (*) in place of the leftmost label, for example *.domain.com. Browsers match a certificate against its Subject Alternative Name (SAN) entries rather than the Common Name alone, so list every hostname you need; public CAs copy the Common Name into the SAN list and let you add more names during enrollment.
Note: some server systems or applications prompt you for a "challenge password" when you generate the CSR. Leave it blank, or bypass it by pressing Enter, depending on the system. This value is not a passphrase on the private key and it does not encrypt anything: it is stored in plain text as an attribute inside the CSR, which is public information handed to the CA. Most CAs ignore it, and it can cause issues with enrollment at some CAs. If that happens you will have to generate another CSR without the challenge password (the same private key can be reused).
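Putting the steps above together, here is an added example, written for this article and not taken from the original page or from any CA's instructions, that generates a 2048-bit RSA private key and a SHA-256-signed CSR with the subject fields described above plus a Subject Alternative Name list, and then inspects the request the way a CSR checker would (key size, signature algorithm, Common Name, SAN entries, and that the request's self-signature verifies). It assumes the OpenSSL command-line tool is installed; the output directory, host names and subject values are illustrative (the subject values reuse the article's own examples).

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes the openssl CLI is on
# PATH. All file names, host names and subject values are illustrative.

# make_csr OUTDIR COMMON_NAME [EXTRA_SAN_HOSTNAME...]
# Writes OUTDIR/server.key (stays on this server, never sent to the CA) and
# OUTDIR/server.csr (the request you submit to the CA).
make_csr() {
    local outdir="$1" cn="$2"; shift 2
    local san="DNS:$cn" extra
    for extra in "$@"; do san="$san,DNS:$extra"; done
    mkdir -p "$outdir" || return 1

    # Subject fields and SAN list go in a throwaway config so the same command
    # works on every OpenSSL release (no -addext needed). prompt = no means
    # nothing asks for a challenge password, so none ends up in the CSR.
    cat > "$outdir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
C  = US
ST = Massachusetts
L  = Boston
O  = XYZ Corporation
OU = IT
CN = $cn

[ ext ]
subjectAltName = $san
EOF

    # 2048-bit RSA key, created readable only by its owner (umask 077).
    # Add -aes256 if your platform expects a passphrase-protected key.
    (umask 077 && openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null) || return 1

    # Sign the request with SHA-256; SHA-1 and MD5 requests are rejected by CAs.
    openssl req -new -sha256 -key "$outdir/server.key" \
        -config "$outdir/csr.cnf" -out "$outdir/server.csr" 2>/dev/null
}

# csr_summary FILE
# Prints "bits=<n> sig=<algorithm> cn=<CN> san=<list>" after checking that the
# request's self-signature verifies (a corrupted or edited CSR fails here).
csr_summary() {
    local csr="$1" text bits sig cn san
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    cn=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
    printf 'bits=%s sig=%s cn=%s san=%s\n' "$bits" "$sig" "$cn" "$san"
}

# Illustrative usage (constructed names): request for www.domain.com with the
# bare domain as an extra SAN, then inspect it before submitting server.csr.
# make_csr ./certs www.domain.com domain.com && csr_summary ./certs/server.csr
```

The summary line is what to compare against the rules earlier in the article before you paste server.csr into the CA's enrollment form: bits must be at least 2048, sig must not be a SHA-1 or MD5 algorithm, and cn and every san entry must pass the naming rules. Keep server.key where it is; the issued certificate will only work on the system holding that key.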
Step-by-step Certificate Signing Request instructions for specific platforms can be found in the following article: CSR Generation Instructions (All Systems).
If you do not see your server listed, perform a search, or contact your server vendor or hosting provider for best practices on how to generate a Certificate Signing Request on your system.
To check the information in your Certificate Signing Request before you enroll, visit the SSL Tools CSR Checker.