Understanding CSRs: The Key to Obtaining SSL Certificates

Unlock the secrets of CSRs (Certificate Signing Requests)! Learn what they are, why they're important, and how to generate one for your web server. This crucial step paves the way for securing your website with an SSL certificate.



What is a CSR?

A CSR is an encoded message submitted by an applicant to a CA (certificate authority) to request an SSL certificate. It contains a public key and the applicant's information, such as:

  • FQDN (Fully Qualified Domain Name)
  • Organization name
  • Address

The CA validates this information and issues an SSL certificate with the public key included in the CSR.

A CSR is typically generated on the web server where the SSL certificate will be installed, though it can also be generated using SSL tools or modern browsers like Chrome or Firefox. The most common format for CSRs is the PKCS #10 specification.

A CSR is a Base64 ASCII encoded message starting with "-----BEGIN NEW CERTIFICATE REQUEST-----" and ending with "-----END NEW CERTIFICATE REQUEST-----". Below is a sample CSR:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----


Generate a CSR

You can generate a CSR using any web server. Here, we will demonstrate how to generate a CSR using IIS 7.

  1. Click Start -> All Programs -> Administrative Tools -> Internet Services Manager.
  2. In the Internet Information Services (IIS) Manager window, select your server and double-click Server Certificates.
  3. From the Actions panel on the right, click Create Certificate Request....
  4. In the Request Certificate dialogue box, fill in the information as specified below and click Next:
    • Common name: The fully-qualified domain name (FQDN) (e.g., www.mywebsite.com).
    • Organization: Your company's legally registered name (e.g., My Company).
    • Organizational unit: The name of your department within the organization, usually listed as "IT".
    • City/locality: The city where your company is legally located.
    • State/province: The state/province where your company is legally located.
    • Country/region: The country/region where your company is legally located. Use the drop-down list to select your country.
  5. On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel Cryptographic Provider as the cryptographic service provider and select 2048 bit length from the dropdown, then click Next.
  6. Provide the path and the name of the CSR file. (If you enter a filename without specifying a location, your CSR will be saved to C:\Windows\System32.)
  7. Click Finish. This will generate a CSR in the specified file. The generated CSR will look similar to the sample provided above, though it will be different on your local server.

If you are using a different web server, visit The SSL Store's knowledge base and click on the link for your web server to learn how to generate a CSR for your server.

Public Key and Private Key

A CSR includes a public key generated by the web server where the SSL certificate will be installed. When the CSR is generated, the web server creates a key pair: a public key and a private key. The CSR includes only the public key; the private key is stored securely on the server and is not part of the request. The private key will be used when installing the certificate on the web server.
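
The key pair relationship described above can be checked before a CSR is sent to a CA. The following is an added example, not part of the original page: it uses the OpenSSL command-line tool rather than IIS, and the file names and subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a CSR with OpenSSL, then check it before submission.
# The subject values and file names are constructed for illustration.
set -eu
umask 077                      # new files are readable by the owner only

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server.key"         # private key: stays on the server
CSR="$WORK/server.csr"         # request: the only file sent to the CA
SUBJ="/C=US/ST=Example State/L=Example City/O=My Company/OU=IT/CN=www.mywebsite.com"

# Create a 2048-bit RSA key pair and a PKCS #10 request signed with it.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
}

# The request is signed with the private key; a valid signature shows the
# applicant holds the key that matches the public key inside the CSR.
# The exit status of -verify differs between OpenSSL versions, so match the text.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

# Compare the public key embedded in the CSR with the one derived from the
# private key. A mismatch means the issued certificate could not be installed.
csr_matches_key() {
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY" -pubout)" ]
}

# Report the key length recorded in the request.
csr_key_bits() {
    openssl req -in "$CSR" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_csr
csr_signature_ok && echo "self-signature: OK"
csr_matches_key && echo "CSR public key matches the private key"
echo "key size: $(csr_key_bits) bits"
openssl req -in "$CSR" -noout -subject
```

The same three checks apply to a CSR exported from IIS, provided the matching private key can be read by OpenSSL.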