What Are CSR Files and How Do You Create Them?

A Certificate Signing Request (CSR) file is something you generate and give to a Certificate Authority, which in turn signs it and sends you the requested SSL certificate that is used for enabling HTTPS on your web server.

What Makes Up a CSR File?

CSR files contain information on your organization and the type of certificate you’re requesting. They’re usually generated automatically with the help of a utility like OpenSSL. If you’re using LetsEncrypt, CSR file creation is all managed by certbot for you.

CSR files contain the following info:

  • Common Name (CN) – Your server’s hostname. It must match exactly, or your users will see an error page in their browser saying the certificate is untrusted. You can use wildcards (e.g., *.domain.com) to request a wildcard certificate applying to all subdomains. A wildcard like this applies to www, but if you’re looking to secure your root domain and all subdomains, you’ll need two separate certificates. Common Name is the only field that is technically required, so you could leave everything else blank if you desired. However, it’s good to fill out the others.
  • Organization (O) – The full legal name of your company, including any suffixes such as LLC. If you’re requesting an EV or OV certificate (which are entirely pointless), it will need to be validated. For a normal SSL certificate, though, you can put whatever you like, as it’s not checked, nor even required.
  • Organizational Unit (OU) – The division of your company that is handling the certificate.
  • Country (C) – The two-letter country code of the country you’re located in.
  • State/County/Region (S) – The full name of the state you’re located in.
  • City/Locality (L) – The full name of the city you’re located in.
  • Email Address – Your organization’s email address.
  • The RSA public key used

The only one that affects how your CSR file is processed is your common name. The domain name will need to be validated to prevent you from registering someone else’s domain; you’ll be given a challenge from the Certificate Authority later in the process to prove you own the domain, but the CSR file has no effect on that.

The actual CSR file itself is in PEM format, and is a large chunk of base64 encoded data:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

You won’t want to edit this manually though; instead, you can use a tool like OpenSSL to generate it on your server.

How to Create a CSR File

If your server is running Linux, you’ll likely have OpenSSL installed already if you’ve installed Apache or Ubuntu. If not, you can install it from your distro’s package manager:

sudo apt-get install openssl

Then, run the following command to launch the CSR creation wizard:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

This will generate a new private key to use during the process and save it to server.key. You’ll then be prompted for your info; you can leave most of it blank if you wish, but make sure the Common Name is correct.

OpenSSL writes the new private key and then prompts you to enter the information that will be incorporated into your certificate request.

Your signing request will be saved to server.csr. Your public key is included in this request, but you’ll want to save the private key for renewals in the future.

You’ll then need to provide your Certificate Authority with the CSR file to proceed with the SSL certificate creation process. If you’re using certbot, this is handled automatically, and you won’t have to worry about CSR files at all.
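
As an added example (not part of the original article), the script below runs the same openssl req command without the interactive prompts by passing the subject with -subj, then checks the result before it goes to the Certificate Authority: the subject, the CSR's self-signature, that the CSR's public key belongs to server.key, and the key file's permissions. The hostname example.com and the temporary directory are placeholders.

```shell
#!/usr/bin/env bash
# Added example: create a CSR non-interactively and verify it before submission.
# example.com and the temp-dir file names are placeholders, not from the article.
set -eu

# Generate key + CSR; -subj supplies the fields the wizard would ask for.
make_csr() {   # usage: make_csr <dir> <common-name>
    (
        # -nodes writes the private key unencrypted, so create it owner-only.
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/server.key" -out "$1/server.csr" \
            -subj "/CN=$2"
    )
}

# Subject exactly as the CA will read it (RFC 2253 form, e.g. CN=example.com).
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# A CSR is signed with its own private key; check that signature.
# The message is matched because older OpenSSL exits 0 even on failure.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Confirm the public key embedded in the CSR belongs to this private key.
key_matches_csr() {   # usage: key_matches_csr <key> <csr>
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Permission string of the key file, e.g. -rw-------
key_mode() { ls -l "$1" | cut -c1-10; }

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_csr "$workdir" example.com
csr_subject "$workdir/server.csr"
csr_signature_ok "$workdir/server.csr" && echo "self-signature: OK"
key_matches_csr "$workdir/server.key" "$workdir/server.csr" && echo "key matches CSR"
echo "key mode: $(key_mode "$workdir/server.key")"
```

The key/CSR match check is also useful at renewal time, when you need to confirm that a saved server.key is the one a given request was built from.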

Anthony Heddings
Anthony Heddings is the resident cloud engineer for LifeSavvy Media, a technical writer, programmer, and an expert at Amazon's AWS platform. He's written hundreds of articles for How-To Geek and CloudSavvy IT that have been read millions of times.