Website encryption is mandatory nowadays, and the way to enable it is by installing an SSL certificate on your server. But before you get the certificate from the certificate authority (CA), you must generate a CSR (Certificate Signing Request) code and send it to the CA for validation. This in-depth guide reveals what is a certificate signing request and how to create it when applying for an SSL certificate.
Table of Contents
- What is CSR in SSL
- What is a CSR file?
- What information is included in the CSR?
- What does CSR look like?
- Where to get a CSR for SSL?
- How to generate a CSR key for SSL certificates?
- What to do with the CSR file?
- Where do I find the CSR for my SSL certificate?
- How to open and read a CSR file?
- Frequently Asked Questions
- Final Thoughts
What is CSR in SSL?
A Certificate Signing Request or CSR is a block of encrypted text with the contact information (domain, company name, country, etc.) that an SSL applicant must submit to the Certificate Authority (CA) for validation. The CA uses the details within CSR to authenticate the applicant’s identity and issue the SSL certificate.
Before we begin explaining the ins and outs of a CSR file or CSR certificate, as some users call it, let’s see why you need it in the first place. As you may already know, an SSL certificate is a small digital file that encrypts communications between two computer applications over a network. It follows the TLS cryptographic protocol to secure sensitive data shared between browsers and servers.
But that’s just one side of the SSL coin. How do you know that the encrypted website belongs to a genuine entity? You don’t unless a third-party body verifies and validates it. Here’s where Certificate Authorities intervene to check the authenticity and trustworthiness of a domain and organization.
When you request an SSL Certificate, CAs ask you to submit your contact details as part of the vetting process and industry-standard guidelines. That’s what CSR in SSL is all about.
What is a CSR file?
The CSR file is an encoded text document with the .csr extension that contains sensitive data about your website, domain, and organization. It also includes your public key and signature that help browsers verify your identity and establish a secure connection during the SSL handshake.
What is the CSR file name?
Many users wonder if the CSR file name affects CSR generation and SSL installation. The system on which you create the certificate signing request will usually determine the name. By default, the CSR name is the domain you want to secure. For instance, yourdomain. csr. However, some platforms may require it to bear the server name (servername.csr), while other clients allow you to pick any name for the file.
What information is included in a CSR?
Now that you know what is a certificate signing request, let’s see what details the CAs require you to submit in the CSR. Whether you use a certificate signing request generator, a hosting panel, or the OpenSSL utility, the info you have to enter is the same. Here’s a typical CSR submission form:
- Common Name: enter the FQDN (fully qualified domain name) you want to secure. For example, yourdomain.com. If you have a wildcard certificate, add an asterisk in front of your domain name. For instance, *.yourdomain.com.
- Organization Name: specify the official name of your organization. For example, Your Company LLC. If you have a Domain Validation certificate, type NA instead.
- Organizational Unit: type the name of the department making the request. Usually, it is IT or Web Administration. If you have a Domain Validation certificate, enter NA instead.
- Locality or City: submit the full name of the city where your organization is located. For example, San Francisco.
- State or Province: write the full name of the state where your organization is registered. For example, California.
- Country Name: provide the two-letter code of your country. For example, the US.
- Email address: provide a valid email address.
- Key Length: 2048-bit is the default option.
After you fill in the details, it’s usually wise to double-check them and avoid future issues related to inaccurate data.
What does CSR look like?
When you open the CSR file with any text editor of your choice, like Notepad, for instance, you will see a random string of characters nested between the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– tags. The first and last lines will always be the same, while the content inside them will be unique for each CSR. Here’s an example of what a CSR looks like:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The CSR for SSL generally uses Base-64 encoding, a standard format for displaying binary data in ASCII text. ASCII stands for American Standard Code for Information Interchange, a character encoding system that assigns a unique number to every character in the alphabet.
Where to get a CSR for SSL?
Since all commercial SSL certificates require CSR generation, you can create your CSR file in several ways. But before you generate it, ensure your server supports the selected method. On some systems, you can do it only internally, while other platforms allow you to import CSR files generated externally.
How to generate a CSR for SSL externally?
The quickest and easiest way to obtain your CSR is with the help of a certificate signing request generator. Such a tool automatically generates the CSR and the private key for your SSL Certificate. You also receive backup files via email.
How to create a CSR for SSL internally?
Almost all servers allow you to create the CSR manually on the system you host the website. When you generate the CSR internally, you don’t have to upload the file on the platform, as it’s already in the correct directory.
The drawback of this method is that it requires extra knowledge and is more suitable for experienced sys admins. We’ve written CSR generation tutorials for over 50 servers and email clients, so even if you’re a novice, they will walk you through the process step by step.
How to generate a CSR key for SSL certificates?
Along with the CSR cert, you will create your private key file with the .key extension. The server or the external CSR generator tool creates both files simultaneously. No additional action is required other than specifying your key length and password if prompted.
Similarly to the CSR file, the private key will reside on the server you generate it, and you’ll have to upload it only if you create the CSR externally. Learn more about the private key formats and best storage practices.
What to do with the CSR file?
Once the CSR file is ready, your next step is to send its contents to the Certificate Authority. But before you proceed with this step, open the CSR with any text editor and make sure the encoded text begins and ends with the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–tags.
Here’s how to submit the CSR to a certificate authority:
On your SSL vendor’s order page, you will fill out a form with your personal and company information and add your CSR code. Now, depending on the vendor, you will either upload the CSR file or paste the CSR contents in a relevant box. After the CA verifies and validates your CSR, you will receive the SSL certificate files via email.
Where do I find the CSR for my SSL certificate?
As we’ve already mentioned, the CSR resides on the server where it was created. As such, different systems will have specific default locations for the CSR certificate.
For instance, on the Official Red Hat Linux Professional server, the CSR is in the /etc/httpd/conf/ssl. csr directory.
On Windows, if you enter a filename without specifying a location, your CSR will go to C:\Windows\System32.
How to open and read a CSR file?
To open a CSR file, use any text editor of your choice. But opening it alone won’t reveal the encoded CSR information. Only by decoding it, you’ll be able to check if the information inside corresponds with the one you entered during CSR generation.
How to decode a CSR file?
The simplest way to decode a CSR file is using a CSR decoder. Such a tool will convert the encoded data into plain text so that you can see what each field represents. Decoding the CSR is extremely helpful when you’re not sure about the data accuracy and want to make sure it is correct.
Alternatively, you can decrypt the CSR contents with OpenSSL.
Run the command below:
openssl req -in test.csr -text -noout
Here’s what a part of the output will look like:
Version: 1 (0x0)
Subject: C = US, O = Your Company, OU = Your Organization Unit, CN = yourdomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (512 bit)
Frequently Asked Questions
1. What is a Certificate Signing Request used for?
The CSR is a small block of encoded text with your contact data required by the CA to verify your credentials before issuing the SSL certificate.
2. What does signing a certificate mean?
When an SSL certificate is signed it means a Certificate Authority looked at the SSL applicant and decided that the information provided in the CSR (Certificate Signing Request) is correct and legitimate.
3. How long is a certificate signing request valid?
On some systems like Aruba ClearPass, the certificate signing request is valid for only 15 days. While this may be an extreme example, your SSL certificate, which lasts one year, should determine the CSR validity. When renewing your SSL certificate, you should generate a new CSR code to keep your information up to date and adhere to the best security practices.
4. Is Certificate Signing Request confidential?
No, the CSR is not confidential, as it has no value other than helping the CA sign your SSL Certificate. And, while it does not contain any encryption keys, you should keep it to yourself. Sharing it with third parties or in public spaces like forums and websites will draw unnecessary attention to your sensitive details.
“What is a certificate signing request?” is one of the most common questions users ask when dealing with SSL certificates. Hopefully, this guide has cleared any misconceptions about the CSR file and its purpose. The CSR is an indispensable part of SSL Certificate configuration and functioning. You must generate it every time you order a new SSL cert or renew your existing one.
Image by vectorjuice on Freepik