What is a Certificate Signing Request (CSR)?
After purchasing SSL, one of the first steps in the process is to submit a Certificate Signing Request (CSR). The CSR is like the blueprint for an SSL. It contains basic information for the SSL you are requesting such as the domain(s) submitted with the order.
NOTES
If you are using our hosting solutions and have purchase SSL, this process should be automated
The two exceptions to this are:
You have purchased a Premium EV SSL with us
You have purchased an SSL certificate with another vendor
If you still need to generate an SSL certificate and have our hosting, look at this Knowledgebase Article for generating your CSR
CSR Overview
Before you can generate your SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for a domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA), Sectigo, your public key, which is paired with a secret private key on the server and provides relevant information about the requester.
Common Name (CN) | This is the Fully Qualified Domain Name (FQDN) of your server (i.e. www.domain.com). This must match exactly what you type in your web browser or you may receive a security error. |
|---|---|
Organization Name (O) | The legal name of your company/organization (i.e. Google, Inc.). Do not abbreviate your company name and it should include the corporate identifier such as Inc., Corp, or LLC (if applicable). For DV orders, you can use your personal name (i.e. John Doe). |
Organization Unit (OU) | The unit or division of the company/organization managing the certificate (i.e. IT Department). |
Locality (L) | The city that you are located in (i.e. Mountain View) |
State or Province Name (ST) | The state or province in which you are located in (i.e. California) |
Country (C) | The country in which you are located in (i.e. United States or US) |
Email Address | An email address associated with the company (i.e. webmaster@google.com) |
Root Length | The bit-length of the key pair determines the strength of the key and how easily it can be cracked using brute force methods. 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future. |
Signature Algorithm | The hashing algorithm is used by issuing Certificate Authorities to actually sign certificates and CRLs (Certificate Revocation List) to generate unique hash values from files. It is highly recommended that your certificate is signed with SHA-2 as this is the strongest signature algorithm adopted by the industry. |
As mentioned above, in addition to creating a CSR, the web server will also export another file called a private key. The private key is a unique cryptographic key related to the corresponding CSR and should never be shared with anyone outside your secured server environment. The private key is mathematically used to decrypt whatever sensitive data that’s transmitted & encrypted with its corresponding public key and vice versa. If the private key is lost or compromised, malicious users could potentially read your encrypted communications and put your organization’s reputation at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI). If the private key is lost or compromised, we highly recommend creating a new key pair and replacing or reissuing your SSL Certificate.
Example CSR
Most CSRs are created in the Base-64 encoded PEM format and include the “—–BEGIN CERTIFICATE REQUEST—–“and “—–END CERTIFICATE REQUEST—–“ lines as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example:
-----BEGIN CERTIFICATE REQUEST-----
MIIDGDCCAgACAQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRYwFAYDVQQKEw1Hb29nbGUsIEluYy4g
MRcwFQYDVQQLEw5JVCBEZXB0YXJ0bWVudDEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5j
b20xIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBnb29nbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq3NT5DBBDql5gTB4/6Zsq/C1iwO4yBD2
nThaNfO1qHKUjnFz0oua+54x97TjmHItRH5H+jPJvmzzb4TUJ274CRFhquOOMZVM
dVIG9FUjogJstMqv4GtBC4C/ype0ilAcPEBjRi9bFiR/g43qPCnlRAJNo4cJko7n
W7erAJsRPNiQMr5UJN9h3GuQMPw6uaI/0OWuWjSTLzEBMujHhPySgZIv1SurVXDz
iFC6S6qvc9XQ1z6tkmrttdoOfDI+eT75QxysHmctgAvkZaFEoRASqcqf3iYyl9Qw
mh0xuLSoR9HTvaD9DhxAIa4/1+l6D9MGb/01+lip7AjqdnTTzSBfcQIDAQABoCkw
JwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAQEAZyMkFtElkS3vQoCPVHevrFcPgrx/Fqx0UdQdnf2RyoJ3jqiU
yPo5+5BHA9kY0TuJLhgMIq0QWAbzZYNL0+J8UUcx8EvMK6DqPpKteyYFCMw6GEzu
diq4RE/8Ea9UpGbw8GH1oEsUksBTwrs06OSOVgDXkJ1XY4VaRkMPflgQWGULgKYO
2P/zcFowENruGLJO7ynyUkm5idKdYzDqk7c7bqyLywOEPxSRKVyblmzqiFCOlCqp
HozZ9+5TmrMPD/hO1uHVECcL08RMGXoGMajojI8CE+cmkaWLq3PZt08Sv0F/Itop
O8XAZ2bYTK4HQfPm+Fud22SD+DkSwt8vN8Lu2g==
-----END CERTIFICATE REQUEST-----When generating your CSR and private key, please reference our easy-to-read instructions for your specific server environment.