What is a Certificate Signing Request (CSR)

Before an SSL Certificate is issued for a domain, the certificate requester (you) must create a Certificate Signing Request (CSR) for the domain name or hostname on your web server which you want to enable HTTPS for.

Recommended read: what is a Certificate Authority (CA):


The CSR is a standardized way to send the issuing CA your public key, which is paired with a secret private key on the server, and provides relevant information about the requester as indicated below:

Common Name (CN):
This is the Fully Qualified Domain Name (FQDN) of your server (i.e. google.com). This must match exactly what you type in your web browser or you may receive a security error.

Organization Name (O):
The legal name of your company/organization (i.e. Google, Inc.). Do not abbreviate your company name and it should include the corporate identifier such as Inc., Corp, or LLC (if applicable). For DV orders, you can use your personal name (i.e. John Doe).

Organization Unit (OU):
The unit or division of the company/organization managing the certificate (i.e. IT Department).

Locality (L):
The city that you are located in (i.e. Mountain View)

State or Province Name (ST):
The state or province in which you are located in (i.e. California)

Country (C):
The country in which you are located in (i.e. United States or US)

Email Address:
An email address associated with the company (i.e. [email protected])

Root Length:
The bit-length of the key pair determines the strength of the key and how easily it can be cracked using brute force methods. 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future.

Signature Algorithm:
Hashing algorithm are used by issuing Certificate Authorities to actually sign certificates and CRLs (Certificate Revocation List) to generate unique hash values from files. It is highly recommended that your certificate be signed with SHA-2 as this is the strongest signature algorithm adopted by the industry.

As mentioned above, in addition to creating a CSR, the web server will also export another file called a private key. The private key is a unique cryptographic key related to the corresponding CSR and should never be shared with anyone outside your secured server environment. The private key is mathematically used to decrypt whatever sensitive data that’s transmitted and encrypted with its corresponding public key and vice versa. If the private key is lost or compromised, malicious users could potentially read your encrypted communications and put your organization’s reputation at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI). If the private key is lost or compromised, we highly recommend creating a new key pair and replacing or reissuing your SSL Certificate.

Example CSR


You can verify the validity of your CSR code using this tool before the sending the CSR to the Certificate Authority:


Was this answer helpful? 0 Users Found This Useful (0 Votes)