This guide shows you how to generate a CSR (Certificate Signing Request) in Plesk. The steps below follow current Plesk Obsidian (18.x), which is the supported release line. Plesk creates both the CSR and its matching private key for you, and stores the key on the server inside the certificate entry, so all you need to send to the Certificate Authority is the CSR text. You will use the same entry later to upload the issued certificate.
There are two places a CSR can live in Plesk: on a specific domain (the usual case, for a website certificate) or at the server level (for the Plesk panel itself and the mail services). The bulk of this guide covers the per-domain flow, which is what you want for almost every order. The server-level flow is at the end.
Generate a CSR for a domain in Plesk Obsidian
If you already generated your CSR, skip ahead to how to install an SSL certificate in Plesk.
The screens below apply whether you are signed in as Server Administrator, Reseller, or Customer. The only difference is the top-level menu label: Server Administrators and Resellers see Domains, customer accounts see Websites & Domains. Everything from SSL/TLS Certificates onward is identical.
Step 1: Open the SSL/TLS Certificates panel for your domain
- Sign in to Plesk.
- In the left menu, click Domains (or Websites & Domains on a customer account) and select the domain you want the certificate for.
- Click SSL/TLS Certificates.
- On the SSL/TLS Certificates screen, click Advanced Settings (this opens the per-domain certificate store, which is where manual certificates and CSRs live).
- Click Add SSL/TLS Certificate.
Plesk also exposes a SSL It! panel on the same screen for free, auto-renewing Let’s Encrypt certificates. SSL It! does not produce a CSR you can hand to a public CA; if you want a Let’s Encrypt certificate issued in-place, use SSL It! directly. To order from a commercial CA (DV, OV, EV, wildcards, longer warranty, SAN coverage), stay on the Advanced Settings path covered here.
Step 2: Fill in the CSR form
Plesk now shows the Add SSL/TLS Certificate form. The values you enter here are baked into the CSR and signed by the CA, so use accurate information that matches your domain registration and, for OV or EV orders, your legal company record. Required fields:
- Certificate name: any label that helps you find this entry later, for example example.com 2026. The CA never sees this; it is internal to Plesk.
- Bits: pick the RSA key size. 2048 is the modern minimum and is what most CAs expect; 4096 is also accepted and gives a larger key at the cost of slightly slower handshakes. Avoid 1024, which has been disallowed by public CAs for years.
- Country: the two-letter ISO country code for the organization that owns the domain.
- State or province: the full name, not an abbreviation (for example, Florida, not FL).
- Location (city): the city where the organization is registered (for example, Miami).
- Organization name (company): for OV or EV certificates, the exact legal name of the company (for example, GPI Holding LLC). For a Domain Validation (DV) certificate, you can enter your full name or the website name; the CA does not vet this field for DV.
- Organization department or division name (OU): optional. Most public CAs no longer print the OU on issued certificates (per CA/Browser Forum rules), so it is safe to leave blank.
- Domain name: the Fully Qualified Domain Name (FQDN) you want the certificate to cover, for example www.example.com. For a wildcard certificate, prefix the apex with an asterisk and a dot: *.example.com. This value becomes the certificate Common Name.
- Email: optional, and not used by public CAs for domain validation anymore. You can leave it blank.
The Plesk form does not have a Subject Alternative Names (SAN) field. Plesk creates a single-name CSR, and any extra host names you need to cover (apex plus www, a Multi-Domain or wildcard, mail subdomains) are added by the CA at issuance based on what you select in the order form. If you need a true multi-name CSR generated locally, generate it with OpenSSL or with our CSR Generator and upload it during the install.
Step 3: Generate and copy the CSR
Double-check the values, then click Request. Plesk generates the CSR and the matching private key on the server, then returns you to the SSL/TLS Certificates list.
To view the CSR, click the name of the certificate entry you just created. The detail page shows two PEM blocks: the CSR and the Private key. Copy the entire CSR block, including the opening and closing markers (five hyphens on each side, not em dashes):
-----BEGIN CERTIFICATE REQUEST-----
MIIC...
...
-----END CERTIFICATE REQUEST-----
Paste the CSR into the SSL order form during checkout. The CA validates the request and issues your certificate; you do not need to download or back up the private key separately because Plesk keeps it inside the same certificate entry. When the CA returns the issued certificate and CA chain, come back to this same entry and use it to install the certificate in Plesk.
Verify the CSR before you submit it
A CSR with the wrong Common Name, country code, or key size means the CA will reject the order or issue a certificate that does not match the host you intended to cover. Before you paste it into the order form, decode the CSR and confirm the values: paste the block into our CSR Decoder and check the Common Name, organization, country, and bit size against what you typed in Plesk.
Generate a CSR for the Plesk panel or mail server
The CSR above is for a hosted website. The Plesk control panel URL (port 8443) and the mail services (IMAPS, POP3S, SMTPS) use a separate server-level certificate. The CSR for that one lives in a different place:
- Sign in to Plesk as Server Administrator.
- Go to Tools & Settings, then under Security click SSL/TLS Certificates.
- Click Add SSL/TLS Certificate and fill in the same form as Step 2 above. The Domain name field is the host name visitors use to reach Plesk (for example plesk.example.com) or the mail host name.
- Click Request. Open the new entry and copy the CSR block the same way as for a domain.
Submit the server-level CSR to the CA exactly the same way. When the issued certificate arrives, you upload it back into this same entry under Tools & Settings > SSL/TLS Certificates, then bind it to the Plesk panel and the mail server from the same screen.
Free alternative: SSL It! (Let’s Encrypt)
If you do not need OV, EV, or a longer warranty, the SSL It! extension that ships with Plesk Obsidian issues free Let’s Encrypt certificates and renews them automatically before expiry. There is no CSR to generate by hand: open the domain in Plesk, click SSL/TLS Certificates, click Install under Let’s Encrypt, choose the host names you want covered, and confirm. Plesk handles the request, the key, the chain, and the assignment in one pass.
Use the manual CSR flow earlier on this page when you need a commercial certificate from a public CA.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


