How to generate a Certificate Signing Request (CSR)

Before requesting a certificate from us, you’ll need to generate a Certificate Signing Request.

As a rule, create the CSR on the server or device on which you will install the SSL certificate. Please refer to the help documentation for your server or device for specific instructions on how to carry out the CSR process. The following notes cover key concepts:

Private Key

Generating a CSR also creates a private key, which is uniquely paired with that CSR. The private key should be kept strictly private and never shared. If the private key is lost or compromised, malicious actors could intercept otherwise secure communications, undermining the security of the system and likely putting your organisation’s reputation at risk. If the private key is lost or stolen, we strongly recommend creating a new CSR and replacing or reissuing your SSL certificate.

Example CSR

Below is an example of a Base64-encoded, PEM-formatted CSR, which is the most common form of CSR.

-----BEGIN CERTIFICATE REQUEST-----
MIIC5DCCAcwCAQAwgZ4xCzAJBgNVBAYTAkdCMRQwEgYDVQQIEwtFYXN0IFN1c3Nl
eDERMA8GA1UEBxMIQnJpZ2h0b24xFDASBgNVBAoTC0V4YW1wbGUgTHRkMRAwDgYD
VQQLEwdJVCBEZXB0MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20xJDAiBgkqhkiG
9w0BCQEWFXlvdXJlbWFpbEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMNeXZBrQAFJAlhvMai6VSswcZQ0uN1WRY2gvnxBTbb2/cCD
rrR3t9XwRsaRuBUrRJmI+KRTVycj67nSBpk5JBpPPfxDqbpVtJS48IUTAJiKkxP/
ctYMJ4luUVOl/cH9NqM8mypnQjUXFLJd5Z07NygjGIuhRpVCEWRkLrFsn2ZKsFWs
mvNTGjEw3ZD1TgQDTg1dLtNsZqdmZVCsxOTu50QYluBqrSRCDPmRW2kTh7VyYt3N
oWZ8P+g2d9On2KWUd/xRLEYO7ismPfl7JqpE25xBsVlyyr7v5HeeCLliXHOpJ9rz
pd7hZu5I3D7NQgwD891Cdhc7qY4zYDBGng8j48ECAwEAAaAAMA0GCSqGSIb3DQEB
CwUAA4IBAQBHY0YnjuxXzfgDnslo9WsNoY+sXGI0yhb/hecg6vAyg+OOIi+lxMCt
pD85PpIAknmkZxYkFDLazVPi4LA8FpVf8X+wW7m4Wkg+k22IpMxlvFpYWwyTFCY1
w8skgucgqiAdU13Z0Rng5qZAIzoHLyhdXPivHDY8loZHuOrVbyEmvFijVx9QmkZn
TekzAX2QGM5gvpaWqWV+payd9ExnWzlZgpJ5UkZdFRX0dqQXwBNj+Y5teCty+cKD
VC7FPSsjRvScc2jW7rkCo27H3LMkwzBl/UXr7FvcilqNb8vxHQFdHELdN+BKRJVq
o45vFTvyB+ZaJ4hGnLV8se5T3KhnS4rs
-----END CERTIFICATE REQUEST-----

Common Name (CN)

This is the Fully Qualified Domain Name (FQDN) you want to secure with your certificate. This must match exactly what visitors to your website will type into their web browser:

  • An SSL certificate issued for the Common Name www.example.com won’t work if someone visits secure.example.com. To protect secure.example.com, enter “secure.example.com” in the Common Name field when you create your CSR.
  • For wildcard certificates, you must add an asterisk (*) to the left of the Common Name (for example *.example.com or *.secure.example.com).

Organization Name (O)

The full, unabbreviated legal name of your organisation including any entity type identifier such as Inc, Ltd, PLC, LLC, GmbH etc. as applicable. If you are ordering a personal certificate or are a Sole Trader, enter your full personal name (e.g. John Smith) and in the Organisation Unit field, enter your Trading As name, if applicable (e.g. JS Construction).

Organization Unit (OU)

Enter the division such as “Marketing” or “Manufacturing”.

Locality/City (L)

The full, unabbreviated name of the Town/City in which your organisation is located (e.g. Brighton).

State or Province Name (ST)

The full, unabbreviated name of the County/State/Province in which your organisation is located (e.g. East Sussex).

Country Name (C)

The ISO two letter country code for the country in which your organisation is legally registered (e.g. GB). List of ISO country codes.

Email Address

A valid email address associated with your organisation (e.g. webmaster@example.com).

Bit or Root Length

The bit-length determines the strength of your private key and how easily it could be cracked using brute force methods. Selecting at least 2048 bits is the industry standard. Most certificate authorities allow a higher bit-length such as 4096.

Signature / Hash Algorithm

Use SHA-256 as the hashing algorithm.
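
The fields and settings above map onto a single OpenSSL command, followed by checks worth running before you submit the CSR. This is an added example, not part of the original article; it assumes the openssl command-line tool is installed, and the file names and subject values are constructed samples.

```sh
#!/bin/sh
# Added example: create a key + CSR with the fields described above, then check it.
set -e

# Constructed sample values (the page's own field examples); replace with your own.
SUBJ='/C=GB/ST=East Sussex/L=Brighton/O=Example Ltd/OU=Marketing/CN=www.example.com/emailAddress=webmaster@example.com'

# make_csr <key-file> <csr-file>: new 2048-bit RSA key and a SHA-256-signed CSR.
make_csr() {
  (
    umask 077   # the private key file must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "$SUBJ" -keyout "$1" -out "$2" 2>/dev/null
  )
}

# csr_bits <csr-file>: print the public key length in bits.
csr_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr <key-file> <csr-file>: succeed only if the CSR is fit to submit.
check_csr() {
  # 1. The CSR's self-signature verifies (the file is intact).
  openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  # 2. It is signed with SHA-256.
  openssl req -in "$2" -noout -text |
    grep -q 'Signature Algorithm: sha256' || return 1
  # 3. The key is at least 2048 bits.
  [ "$(csr_bits "$2")" -ge 2048 ] || return 1
  # 4. The CSR was made from this private key (public halves are identical).
  [ "$(openssl req -in "$2" -noout -pubkey)" = \
    "$(openssl pkey -in "$1" -pubout)" ] || return 1
}

# Demo run in a throwaway directory.
dir=$(mktemp -d)
make_csr "$dir/example.key" "$dir/example.csr"
check_csr "$dir/example.key" "$dir/example.csr" && echo "CSR OK: $dir/example.csr"
```

Only the .csr file is sent to the certificate authority; the .key file stays on the server.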
