A Certificate Signing Request (CSR) is an essential component of the SSL Certificate ordering process. It is a secure, encoded message that contains important details about the individual or organization requesting an SSL Certificate. The Certificate Signing Request (CSR) serves as the standard method for submitting Public Keys to Certificate Authorities (CAs).
Understanding Certificate Signing Requests (CSR) and their significance will simplify the application process and help ensure your SSL Certificate is issued without unnecessary delays.
The Certificate Signing Request (CSR) plays a fundamental role in Public Key Infrastructure (PKI) and acts as the initial step for requesting SSL Certificates. When you generate a Certificate Signing Request (CSR), a corresponding Private Key is also created.
The Private Key must be kept secure and must never be included in the Certificate Signing Request (CSR) or shared with the Certificate Authority (CA). Trustico® provides tools and services to help you generate and manage your Certificate Signing Request (CSR) efficiently.
Understanding Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) is a block of encoded text that contains the identifying information for the entity requesting an SSL Certificate. It is submitted to the Certificate Authority (CA) as part of the SSL Certificate application process.
The Certificate Authority (CA) uses the information contained in the Certificate Signing Request (CSR) to generate and issue the SSL Certificate.
The Certificate Signing Request (CSR) is encoded in Base-64 format. It typically begins with the header "-----BEGIN CERTIFICATE REQUEST-----" and ends with the footer "-----END CERTIFICATE REQUEST-----". The encoded text between these markers contains all of the subject information and the Public Key that will be associated with the SSL Certificate.
Once the SSL Certificate has been issued by the Certificate Authority (CA), the Certificate Signing Request (CSR) is no longer required. However, the Private Key that was generated alongside the Certificate Signing Request (CSR) must be retained. It is required during SSL Certificate installation and for the ongoing operation of the encrypted connection.
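A pre-submission check for text about to be pasted into an order form, built on the header and footer markers described above. This is an added example, not Trustico® code: the function name check_submission and the sample data are constructed for illustration, and the NEW CERTIFICATE REQUEST label is included because some Windows tools emit that variant.

```python
import base64
import re

# Matches any PEM block and captures its label and Base-64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def check_submission(text):
    """Return a list of problems found in text about to be sent to a CA."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    for label, _ in blocks:
        # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
        if label.endswith("PRIVATE KEY"):
            problems.append(
                f"contains a {label} block; never submit the Private Key")
    csrs = [body for label, body in blocks if label in CSR_LABELS]
    if len(csrs) != 1:
        problems.append(f"expected exactly one CSR block, found {len(csrs)}")
    for body in csrs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("CSR body is not valid Base-64")
            continue
        # A DER-encoded CSR is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append("decoded CSR does not start with an ASN.1 SEQUENCE")
    return problems


def _pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in bytes (a tiny ASN.1 SEQUENCE), not a real CSR or key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
GOOD = _pem("CERTIFICATE REQUEST", SAMPLE_DER)
BAD = GOOD + _pem("PRIVATE KEY", SAMPLE_DER)  # key pasted along with the CSR

if __name__ == "__main__":
    print(check_submission(GOOD))
    print(check_submission(BAD))
```

The check only inspects the PEM envelope; it does not parse the subject or verify the request's signature.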
Certificate Signing Request (CSR) Subject Fields
When generating a Certificate Signing Request (CSR), there are several key fields that identify the requestor and the domain being secured. Each field has specific requirements and character limits that must be followed for the Certificate Authority (CA) to accept the Certificate Signing Request (CSR).
Common Name (CN) identifies the Fully Qualified Domain Name (FQDN) for which the SSL Certificate is being requested. This is the complete domain name, such as www.yourdomain.com, and indicates the precise position within the Domain Name System (DNS).
The Common Name (CN) must exactly match the domain name you enter in your web browser, or visitors may encounter a security error. The Common Name (CN) field has a maximum length of 64 characters and may only contain the characters A through Z, a through z, 0 through 9, periods, and hyphens. The Common Name (CN) should not include the http:// or https:// prefix.
Organization Name (O) is the official legal name of the company or organization requesting the SSL Certificate. It is different from the Common Name (CN) and should include any corporate identifiers if applicable. The Organization Name (O) should always be spelled out in full and never abbreviated. This field has a maximum length of 64 characters.
For Domain Validation (DV) SSL Certificates, this field may be left blank or populated with a generic value, but it is required for Organization Validation (OV) and Extended Validation (EV) SSL Certificates.
Organization Unit (OU) represents the division or department within the organization that is responsible for managing the SSL Certificate. This field has a maximum length of 64 characters.
Locality (L) is the city or town where the organization is located. This field has a maximum length of 128 characters.
State or Province Name (ST) is the state or province where the organization is based. The full name should be used rather than an abbreviation. This field has a maximum length of 128 characters.
Country (C) is the two-character ISO 3166 country code for the country where the organization is located. For example, US for the United States, GB for the United Kingdom, or AU for Australia. A full list of accepted country codes is provided at the end of this page.
E-Mail Address is the e-mail address associated with the SSL Certificate owner. While this field is optional for many SSL Certificate types, it should be provided when available.
Additional fields that may be included in a Certificate Signing Request (CSR) are Street Address (up to three lines, each with a maximum length of 128 characters), Post Office Box (maximum length of 40 characters), and Postal Code (maximum length of 40 characters). These fields are typically only relevant for Organization Validation (OV) and Extended Validation (EV) SSL Certificates where the organization's physical address must be verified.
Key Type and Key Size Requirements
The Certificate Signing Request (CSR) also contains information about the cryptographic key type and its length. The key type and size determine the strength of the encryption that the SSL Certificate will provide.
RSA is the most widely used key type for SSL Certificates. When using RSA, the minimum recommended key size is 2048 bits, and key sizes up to 8192 bits are supported by the Certificate Authority (CA). The Certificate Authority / Browser Forum (CA/Browser Forum) establishes the baseline requirements for key sizes, and RSA 2048-bit keys are considered the standard minimum for all publicly trusted SSL Certificates.
Elliptic Curve Cryptography (ECC) is an alternative key type that provides equivalent security to RSA at significantly smaller key sizes. This results in faster handshakes and reduced computational overhead. The supported Elliptic Curve Cryptography (ECC) curves for SSL Certificates are P-256, P-384, and P-521.
DSA is a third key type that uses a different mathematical approach, focusing on efficiency for verification and decryption. While DSA is less commonly used than RSA or Elliptic Curve Cryptography (ECC) for SSL Certificates, it remains a supported option in certain environments.
Important : The Private Key that is generated alongside the Certificate Signing Request (CSR) must be stored securely and must never be shared with anyone, including the Certificate Authority (CA). If the Private Key is lost, a new Certificate Signing Request (CSR) will need to be generated and the SSL Certificate will need to be reissued.
How to Generate a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is required to order an SSL Certificate. The Certificate Signing Request (CSR) can be generated from within your hosting control panel, web server software, or server operating system software. The method used will depend on your server environment and the level of control you have over your hosting setup.
Trustico® provides a convenient online Certificate Signing Request (CSR) generation tool that allows you to generate both a Certificate Signing Request (CSR) and Private Key directly from your browser. Remember to store your generated files in a secure location after generating them.
Ordering Without a Certificate Signing Request (CSR)
If you do not have access to generate your own Certificate Signing Request (CSR), Trustico® may be able to assist by generating one on your behalf using the AutoCSR service. This convenient option means you will not require technical knowledge to complete your SSL Certificate order.
When using AutoCSR, sensitive files including the Certificate Signing Request (CSR) and Private Key are delivered in a password-protected archive file. A time-limited unlock code is available in your order details through the Trustico® tracking system.
Generating a Certificate Signing Request (CSR) with OpenSSL
OpenSSL is a free command line tool that is widely used to generate Certificate Signing Requests (CSR). Its open-source nature and simplicity make it a popular choice among server administrators. Many people use OpenSSL to create Certificate Signing Requests (CSR) for Nginx and Apache web hosting environments.
OpenSSL is especially useful for creating Elliptic Curve Cryptography (ECC) Certificate Signing Requests (CSR). The following example of an OpenSSL single line command can be used to generate a new Certificate Signing Request (CSR) with a 2048-bit RSA key :
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
When prompted, you can input details for the Certificate Signing Request (CSR), such as the location, Organization Name (O), and Fully Qualified Domain Name (FQDN) for the Common Name (CN) field. The -nodes option in the command above writes the Private Key to server.key without a passphrase; omit -nodes if you want OpenSSL to prompt for one. Adding a passphrase to the Private Key is optional but can enhance security by requiring the passphrase each time the web server is restarted.
Generating a Certificate Signing Request (CSR) with Internet Information Services (IIS) Manager
Microsoft Internet Information Services (IIS) Manager provides a graphical interface for generating Certificate Signing Requests (CSR) on Windows Server environments. Start by opening the Connections page in Internet Information Services (IIS) Manager. Next, navigate to the Server Certificates section, then click on the Actions panel.
From there, you will find the Distinguished Name Properties page. This page includes a Request Certificate tool where you can enter the Fully Qualified Domain Name (FQDN) for the Common Name (CN) field and other necessary information such as the Organization Name (O), Locality (L), State or Province Name (ST), and Country (C).
Be sure to verify the bit length and the cryptographic service provider settings before submitting the request.
Certificate Signing Request (CSR) for Wildcard SSL Certificates
When generating a Certificate Signing Request (CSR) for a Wildcard SSL Certificate, the Common Name (CN) field must include an asterisk followed by a period and the domain name, such as *.yourdomain.com. The asterisk indicates that the SSL Certificate will cover the base domain and all subdomains at a single level.
The Common Name (CN) for a Wildcard SSL Certificate must contain exactly one asterisk character, and it must be positioned at the beginning of the domain name. The Certificate Authority (CA) will reject a Certificate Signing Request (CSR) that contains an asterisk in any other position or that contains multiple asterisk characters.
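The subject field limits listed earlier and the wildcard rule above can be checked before a Certificate Signing Request (CSR) is generated. This is an added example, not Trustico® code: the function name validate_subject and the dict layout are assumptions, and the Country check only tests the two-letter shape rather than membership in the list at the end of this page.

```python
import re

# Maximum field lengths as stated on this page.
MAX_LEN = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128}
# Characters the page allows in a Common Name (CN).
CN_CHARS = re.compile(r"[A-Za-z0-9.-]+")


def validate_subject(subject, validation="DV"):
    """Return a list of problems under the rules stated on this page.

    subject is a dict keyed by CN, O, OU, L, ST, C (hypothetical layout).
    validation is "DV", "OV" or "EV".
    """
    errors = []
    for field, limit in MAX_LEN.items():
        if len(subject.get(field, "")) > limit:
            errors.append(f"{field}: longer than {limit} characters")

    cn = subject.get("CN", "")
    if not cn:
        errors.append("CN: missing")
    elif re.match(r"(?i)https?://", cn):
        errors.append("CN: must not include the http:// or https:// prefix")
    else:
        host = cn
        if "*" in cn:
            # Wildcard rule: exactly one asterisk, first, followed by a period.
            if cn.count("*") != 1 or not cn.startswith("*."):
                errors.append("CN: wildcard needs exactly one leading '*.'")
            host = cn.replace("*", "").lstrip(".")
        if not CN_CHARS.fullmatch(host):
            errors.append("CN: only A-Z, a-z, 0-9, periods and hyphens are allowed")

    if validation in ("OV", "EV") and not subject.get("O"):
        errors.append("O: required for OV and EV SSL Certificates")

    if not re.fullmatch(r"[A-Z]{2}", subject.get("C", "")):
        errors.append("C: must be a two-character ISO 3166 code such as US or GB")
    return errors


if __name__ == "__main__":
    # Constructed sample subjects.
    print(validate_subject({"CN": "*.yourdomain.com", "C": "GB"}))
    print(validate_subject({"CN": "www.*.yourdomain.com", "C": "US"}))
    print(validate_subject({"CN": "https://www.yourdomain.com", "C": "USA"}, "OV"))
```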
Certificate Signing Request (CSR) for Multi-Domain SSL Certificates
When ordering a Multi-Domain SSL Certificate, also known as a Subject Alternative Name (SAN) or Unified Communications Certificate (UCC), the Certificate Signing Request (CSR) should contain the primary domain name in the Common Name (CN) field. Additional domain names to be included on the SSL Certificate are specified separately during the ordering process and are added as Subject Alternative Name (SAN) entries.
Each additional Fully Qualified Domain Name (FQDN) on a Multi-Domain SSL Certificate must be validated individually through the Domain Control Validation (DCV) process. The Trustico® tracking system provides detailed status information for each domain on a Multi-Domain SSL Certificate order.
About Installation Support and Premium Installation
Due to the large variety of web servers, control panels, and uses for SSL Certificate products, Trustico® does not offer dedicated installation support. However, feel free to contact the Trustico® team via the online e-mail or live chat service and we will attempt to help to the best of our abilities if you are experiencing a technical problem.
Trustico® offers a Premium Installation service where a technician can help generate a Certificate Signing Request (CSR) using your server or device during the installation of the SSL Certificate. The Premium Installation service handles the entire process from Certificate Signing Request (CSR) generation through to complete SSL Certificate installation and configuration.
Tip : Generating a unique Certificate Signing Request (CSR) for each new SSL Certificate order is recommended as a best practice. Reusing a Certificate Signing Request (CSR) from a previous order may cause Domain Control Validation (DCV) to fail due to token uniqueness requirements enforced by the Certificate Authority (CA).
Accepted Certificate Signing Request (CSR) Country Codes
Below is a list of ISO 3166 country codes which should be used when generating your Certificate Signing Request (CSR). Please refer to the codes below to ensure you have used the correct two-character country code if you experience problems when submitting your Certificate Signing Request (CSR) to the automated system.
| Country - Code | Country - Code |
| --- | --- |
| AFGHANISTAN - AF | ALBANIA - AL |
| ALGERIA - DZ | AMERICAN SAMOA - AS |
| ANDORRA - AD | ANGOLA - AO |
| ANGUILLA - AI | ANTARCTICA - AQ |
| ANTIGUA AND BARBUDA - AG | ARGENTINA - AR |
| ARMENIA - AM | ARUBA - AW |
| AUSTRALIA - AU | AUSTRIA - AT |
| AZERBAIJAN - AZ | BAHAMAS - BS |
| BAHRAIN - BH | BANGLADESH - BD |
| BARBADOS - BB | BELARUS - BY |
| BELGIUM - BE | BELIZE - BZ |
| BENIN - BJ | BERMUDA - BM |
| BHUTAN - BT | BOLIVIA - BO |
| BOSNIA AND HERZEGOVINA - BA | BOTSWANA - BW |
| BOUVET ISLAND - BV | BRAZIL - BR |
| BRITISH INDIAN OCEAN TERRITORY - IO | BRITISH VIRGIN ISLANDS - VG |
| BRUNEI - BN | BULGARIA - BG |
| BURKINA FASO - BF | BURUNDI - BI |
| CAMBODIA - KH | CAMEROON - CM |
| CANADA - CA | CAPE VERDE - CV |
| CAYMAN ISLANDS - KY | CENTRAL AFRICAN REP. - CF |
| CHAD - TD | CHILE - CL |
| CHINA - CN | CHRISTMAS ISLAND - CX |
| COCOS ISLANDS - CC | COLOMBIA - CO |
| COMOROS - KM | CONGO (DRC) - CD |
| CONGO (REPUBLIC) - CG | COOK ISLANDS - CK |
| COSTA RICA - CR | CROATIA - HR |
| CUBA - CU | CYPRUS - CY |
| CZECH REPUBLIC - CZ | CZECHOSLOVAKIA - CS |
| DENMARK - DK | DJIBOUTI - DJ |
| DOMINICA - DM | DOMINICAN REPUBLIC - DO |
| EAST TIMOR - TP | ECUADOR - EC |
| EGYPT - EG | EL SALVADOR - SV |
| ENGLAND - GB | EQUATORIAL GUINEA - GQ |
| ERITREA - ER | ESTONIA - EE |
| ETHIOPIA - ET | FALKLAND ISLANDS - FK |
| FAROE ISLANDS - FO | FIJI - FJ |
| FINLAND - FI | FRANCE - FR |
| FRENCH GUIANA - GF | FRENCH POLYNESIA - PF |
| FRENCH SOUTHERN TERR. - TF | GABON - GA |
| GAMBIA - GM | GEORGIA - GE |
| GERMANY - DE | GHANA - GH |
| GIBRALTAR - GI | GREECE - GR |
| GREENLAND - GL | GRENADA - GD |
| GUADELOUPE - GP | GUAM - GU |
| GUATEMALA - GT | GUERNSEY - GG |
| GUINEA - GN | GUINEA-BISSAU - GW |
| GUYANA - GY | HAITI - HT |
| HEARD AND MCDONALD ISLANDS - HM | HONDURAS - HN |
| HONG KONG - HK | HUNGARY - HU |
| ICELAND - IS | INDIA - IN |
| INDONESIA - ID | IRAN - IR |
| IRAQ - IQ | IRELAND - IE |
| ISLE OF MAN - IM | ISRAEL - IL |
| ITALY - IT | IVORY COAST - CI |
| JAMAICA - JM | JAPAN - JP |
| JERSEY - JE | JORDAN - JO |
| KAZAKHSTAN - KZ | KENYA - KE |
| KIRIBATI - KI | KUWAIT - KW |
| KYRGYZSTAN - KG | LAOS - LA |
| LATVIA - LV | LEBANON - LB |
| LESOTHO - LS | LIBERIA - LR |
| LIBYA - LY | LIECHTENSTEIN - LI |
| LITHUANIA - LT | LUXEMBOURG - LU |
| MACAU - MO | MACEDONIA - MK |
| MADAGASCAR - MG | MALAWI - MW |
| MALAYSIA - MY | MALDIVES - MV |
| MALI - ML | MALTA - MT |
| MARSHALL ISLANDS - MH | MARTINIQUE - MQ |
| MAURITANIA - MR | MAURITIUS - MU |
| MAYOTTE - YT | MEXICO - MX |
| MICRONESIA - FM | MOLDOVA - MD |
| MONACO - MC | MONGOLIA - MN |
| MONTSERRAT - MS | MOROCCO - MA |
| MOZAMBIQUE - MZ | MYANMAR - MM |
| N. MARIANA ISLANDS - MP | NAMIBIA - NA |
| NAURU - NR | NEPAL - NP |
| NETHERLANDS - NL | NETHERLANDS ANTILLES - AN |
| NEUTRAL ZONE - NT | NEW CALEDONIA - NC |
| NEW ZEALAND - NZ | NICARAGUA - NI |
| NIGER - NE | NIGERIA - NG |
| NIUE - NU | NORFOLK ISLAND - NF |
| NORTH KOREA - KP | NORWAY - NO |
| OMAN - OM | PAKISTAN - PK |
| PALAU - PW | PANAMA - PA |
| PAPUA NEW GUINEA - PG | PARAGUAY - PY |
| PERU - PE | PHILIPPINES - PH |
| PITCAIRN - PN | POLAND - PL |
| PORTUGAL - PT | PUERTO RICO - PR |
| QATAR - QA | REUNION - RE |
| ROMANIA - RO | RUSSIA - RU |
| RWANDA - RW | S. GEORGIA AND S. SANDWICH ISL. - GS |
| SAMOA - WS | SAN MARINO - SM |
| SAO TOME AND PRINCIPE - ST | SAUDI ARABIA - SA |
| SENEGAL - SN | SEYCHELLES - SC |
| SIERRA LEONE - SL | SINGAPORE - SG |
| SLOVAKIA - SK | SLOVENIA - SI |
| SOLOMON ISLANDS - SB | SOMALIA - SO |
| SOUTH AFRICA - ZA | SOUTH KOREA - KR |
| SPAIN - ES | SRI LANKA - LK |
| ST. HELENA - SH | ST. KITTS AND NEVIS - KN |
| ST. LUCIA - LC | ST. PIERRE AND MIQUELON - PM |
| ST. VINCENT AND THE GRENADINES - VC | SUDAN - SD |
| SURINAME - SR | SVALBARD AND JAN MAYEN - SJ |
| SWAZILAND - SZ | SWEDEN - SE |
| SWITZERLAND - CH | SYRIA - SY |
| TAIWAN - TW | TAJIKISTAN - TJ |
| TANZANIA - TZ | THAILAND - TH |
| TOGO - TG | TOKELAU - TK |
| TONGA - TO | TRINIDAD AND TOBAGO - TT |
| TUNISIA - TN | TURKEY - TR |
| TURKMENISTAN - TM | TURKS AND CAICOS - TC |
| TUVALU - TV | U.S. MINOR OUTLYING ISL. - UM |
| U.S. VIRGIN ISLANDS - VI | UAE - AE |
| UGANDA - UG | UKRAINE - UA |
| UNITED STATES - US | URUGUAY - UY |
| USSR - SU | UZBEKISTAN - UZ |
| VANUATU - VU | VATICAN CITY STATE - VA |
| VENEZUELA - VE | VIET NAM - VN |
| WALLIS AND FUTUNA - WF | WESTERN SAHARA - EH |
| YEMEN - YE | YUGOSLAVIA - YU |
| ZAIRE - ZR | ZAMBIA - ZM |
| ZIMBABWE - ZW | |