A Certificate Signing Request (CSR) file is something you generate and give to a Certificate Authority, who in turn signs and sends you the requested SSL certificate that is used for enabling HTTPS on your web server.
What Makes Up a CSR File?
CSR files contain information on your organization and the type of certificate you’re requesting. They’re usually generated automatically with the help of a utility like OpenSSL. If you’re using Let’s Encrypt, CSR file creation is all managed by certbot for you.
CSR files contain the following info:
- Common Name (CN) – Your server’s hostname. It must match exactly, or your users will see an error page in their browser saying the certificate is untrusted. You can use wildcards (e.g., *.domain.com) to request a wildcard certificate applying to all subdomains. A wildcard like this applies to www, but if you’re looking to secure your root domain and all subdomains, you’ll need two separate certificates. Common Name is the only field that is technically required, so you could leave everything else blank if you desired. However, it’s good to fill out the others.
- Organization (O) – The full legal name of your company, including any suffixes such as LLC. If you’re requesting an EV or OV certificate (which are entirely pointless), it will need to be validated. For a normal SSL certificate though, you can put whatever you like, as it’s not checked, nor even required.
- Organizational Unit (OU) – The division of your company that is handling the certificate.
- Country (C) – The two-letter country code of the country you’re located in.
- State/County/Region (S) – The full name of the state you’re located in.
- City/Locality (L) – The full name of the city you’re located in.
- Email Address – Your organization’s email address.
- The RSA public key used
The only one that affects how your CSR file is processed is your common name. The domain name will need to be validated to prevent you from registering someone else’s domain; you’ll be given a challenge from the Certificate Authority later in the process to prove you own the domain, but the CSR file has no effect on that.
The actual CSR file itself is in PEM format, and is a large chunk of base64 encoded data:
-----BEGIN CERTIFICATE REQUEST-----
MIICYDCCAUgCAFAwGzEZMBcGA1UEAwwQKi5wcm92aWRlbmNlLnBlbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALA3vPkQJejmFk20mZT/J2995ibnz9MV
2hd+ltxX0gS9/rDZgGZA8nyPojpXVJbLxJ5PuSqmyZrDA2F3YvCwy13b7QZT/f56
mH3103cVaefhfy+Lc7JSJZtJkw6mVBz9Vz+cpmc3hm0DV3tIZW4L8DKYVQoWl3Ed
N0nsHykoI02ZoVdDL+AZU6sNJ2LV9j0LuS2YZkGU7PHsij2W2zROtyL7HdnZp5m6
6e8e6ro9uBoCHBVSEeCDgBHLVQ92IRzPTzpSDr7dYhA2YHPbrjt6T63IgwiR4CU0
2Iq282KasNw1jkyIil9/5GPsqHH5Fw0Le/7Goqrk2Ez3zHwu7pv88AkCAwEAAaAA
MA0GCSqGSIb3DQEBCwUAA4IBAQADq9KOCkyLNA7t6RDPatw006CR8zETGqlfnQ2h
jxjDZlBWZbAVg6ftEMawxuKRbfw1bmJn53QSMpeX5HiMQLHliw3vsoIsRMPbwdxr
j2ydJhYO95ktk4JRvD3/YR8hRYrGD4EYlsC+u1RwWTXXZ9ZjTvDtf4LZccKAysOW
vM88R3pWCpDzTg4KWDw1jsq7Y9ISTYuBkd7d+d7GvK/VxITx8kSAgJRGkd54nlet
pZdBwdY95Jg0AyecAE5GSNPiHmRTkm/rTXIPOyGY1kO9Mk/c+q+ZTEhH53v5bzUw
yrLZuJkNL3KiNbZIWvQ3ljHNeM3+9437n4W3nDTcGL2Bi41n
-----END CERTIFICATE REQUEST-----
You won’t want to edit this manually though; instead, you can use a tool like OpenSSL to generate it on your server.
How to Create a CSR File
If your server is running Linux, you’ll likely have OpenSSL installed already if you’ve installed Apache or Ubuntu. If not, you can install it from your distro’s package manager:
sudo apt-get install openssl
Then, run the following command to launch the CSR creation wizard:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
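This will generate a new private key to use during the process and save it to server.key. Because of the -nodes option, that key is written to disk without a passphrase, so keep the file readable only by the account that needs it. You’ll then be prompted for your info; you can leave most of it blank if you wish, but make sure the Common Name is correct.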
Your signing request will be saved to server.csr. Your public key is included in this request, but you’ll want to save the private key for renewals in the future. The Certificate Authority only ever needs the CSR; the private key stays on your server.
You’ll then need to provide your Certificate Authority with the CSR file to proceed with the SSL certificate creation process. If you’re using certbot, this is handled automatically, and you won’t have to worry about CSR files at all.
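The following is an added example, not part of the original article: it creates the CSR without the interactive prompts and runs the checks worth doing before handing server.csr to a Certificate Authority. The function names, example.com and the file names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: non-interactive CSR creation plus pre-submission checks.
# Function names and example.com are illustrative placeholders.

# make_csr <common-name> <key-file> <csr-file>
make_csr() {
    # umask 077 in a subshell: the passphrase-less (-nodes) key is created
    # owner-readable only, and the caller's umask is left untouched.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null )
}

# csr_common_name <csr-file>: print the Common Name the CA will see.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# csr_self_signature_ok <csr-file>: the request is signed by the key whose
# public half it carries. The message text is checked because older
# OpenSSL releases do not signal a failed check through the exit status.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key <csr-file> <key-file>: the public key inside the CSR is
# the public half of the private key on disk (catches mixed-up files).
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage: sh make_csr.sh '*.example.com' server.key server.csr
if [ "$#" -eq 3 ]; then
    make_csr "$1" "$2" "$3" &&
        csr_self_signature_ok "$3" &&
        csr_matches_key "$3" "$2" &&
        echo "CSR for $(csr_common_name "$3") is ready to submit"
fi
```

Running csr_matches_key again before a renewal confirms that the key you saved is still the one the CSR refers to.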