CSR - Certificate Signing Request
Generate a correct CSR to obtain your SSL certificate.
The CSR (Certificate Signing Request) is the first step in obtaining an SSL certificate. It's an encoded file containing your public key and information about your organization/domain.
A poorly generated CSR can result in rejection by the certificate authority or compatibility issues. Understanding the process is essential.
This guide covers CSR generation for different servers and common mistakes to avoid.
Anatomy of a CSR
A CSR contains several important pieces of information:
- Common Name (CN): the exact domain name to secure (e.g., www.example.com).
- Organization (O): your organization's legal name (required for OV/EV).
- Public key: the public part of your RSA or ECDSA key pair.
- SAN: Subject Alternative Names for additional domains.
Importance of a Correct CSR
Why take the time to generate your CSR properly:
- Smooth validation: a correct CSR speeds up the CA validation process.
- Optimal security: an RSA key of 2048 bits or more, or an ECDSA key, ensures adequate security.
- Compatibility: proper parameters ensure compatibility with all clients.
- Multi-domain: correctly configured SANs cover all your domains.
Generate a CSR
Generation process with OpenSSL:
- Generate private key: create a 2048- or 4096-bit RSA key.
- Create the CSR: use openssl req with the private key.
- Verify the CSR: ensure all information is correct.
- Submit to CA: copy the CSR content into the order form.
Generation Commands
Complete CSR generation:
```sh
# Generate private key and CSR in one command (prompts for the subject fields)
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out domain.csr

# Alternative: non-interactive, with SAN (multi-domain)
# -addext requires OpenSSL 1.1.1 or later
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out domain.csr \
  -subj "/CN=example.com/O=My Company/C=US" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# Verify CSR content and its self-signature
openssl req -text -noout -verify -in domain.csr
```
The private key must be kept secret and secure. Never share it.
CSR Best Practices
Tips for flawless CSRs:
- RSA key of 2048+ bits: minimum 2048 bits, 4096 for enhanced security.
- New key at each renewal: always generate a new key pair to limit exposure.
- Include SANs: add www and non-www, plus any required subdomains.
- Protect private key: restrictive permissions (chmod 400) and secure storage.
CSR Checklist
- Private key generated (2048+ bits)
- Correct Common Name
- SANs included if needed
- Exact organization (for OV/EV)
- CSR verified with openssl
- Private key secured
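The checklist above as a script, added here as an example that is not part of the original guide. `check_csr` is a hypothetical helper name. It uses only the `openssl req` options shown on this page plus `openssl pkey`, and assumes the `domain.csr` and `private.key` file names from the commands above.

```sh
#!/bin/sh
# Added example: pre-submission checks for a CSR and its private key.
# Usage: check_csr CSR_FILE KEY_FILE DNS_NAME [DNS_NAME...]
# Returns 0 only if every check passes; problems are printed to stderr.
check_csr() {
    csr=$1 key=$2; shift 2
    rc=0
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: $csr is not a readable CSR" >&2; return 1; }

    # 1. The CSR's self-signature shows it was made with the matching private key.
    #    Match on the message rather than relying only on the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR self-signature does not verify" >&2; rc=1; }

    # 2. The public key in the CSR must belong to the key file you will deploy.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: CSR public key does not match $key" >&2; rc=1; }

    # 3. RSA keys must be at least 2048 bits (ECDSA sizes are not comparable).
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 2048 ] || {
            echo "FAIL: RSA key is ${bits:-?} bits, need 2048 or more" >&2; rc=1; }
    fi

    # 4. Every expected hostname must be an exact SAN entry, not a substring.
    sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || {
            echo "FAIL: $name missing from subjectAltName" >&2; rc=1; }
    done

    # 5. The key file must not be accessible to group or others (chmod 400/600).
    case $(ls -ld -- "$key") in
        ????------*) ;;
        *) echo "FAIL: $key is accessible to group or others" >&2; rc=1 ;;
    esac
    return $rc
}

# Run directly: sh check_csr.sh domain.csr private.key example.com www.example.com
[ "$#" -lt 3 ] || check_csr "$@"
```

A non-zero exit status means at least one item needs fixing before the CSR goes to the CA.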
Frequently Asked Questions
RSA or ECDSA?
RSA 2048 is the most compatible. ECDSA performs better but is less widely supported by old clients.
Do I need to fill all fields?
CN is mandatory. O, C, L, ST are required for OV/EV but optional for DV.
What if I lose the private key?
You'll need to revoke the certificate and order a new one with a new CSR.
Can I reuse a CSR?
Technically yes, but it's not recommended. A new key pair is more secure.
How to add multiple domains?
Use the SAN (Subject Alternative Names) extension during generation.
Does the CSR contain my private key?
No, the CSR only contains the public key. The private key stays on your server.
CSR: Your Certificate Foundation
A well-generated CSR is the foundation of a secure SSL certificate. Take the time to verify each field.
Then monitor your certificate with MoniTao so you never miss its expiration.