What is a Certificate Signing Request (CSR)?

  • Home
  • Blog
  • PKI
  • What is a Certificate Signing Request (CSR)?

In the world of digital security, a certificate signing request (CSR) is a vital part of securing web traffic. If you want to set up a website or online service, you’ll need to generate a CSR and submit it to a Certificate Authority (CA). This article will explain what a CSR is, what information it contains, and how to generate one.

What is a CSR?

A certificate signing request (CSR) is an encoded file containing information about your website, service, organization, and domain name. This information is used by a Certificate Authority (CA) to create an SSL/TLS certificate for your website to encrypt traffic to your site. A certificate CSR also contains your public key and signature, which helps to verify your identity and secure communications to your site.

Creating an SSL/TLS certificate

An SSL/TLS certificate is a way to keep your website traffic secure. This is done by encrypting the information sent to and from your website with a unique code. To get an SSL certificate, you must create a Certificate Signing Request (CSR).

How it works:

Creating an SSL/TLS certificate with a CSR is a two-step process:

  1. Generate a private key and public key pair. This can be done using a variety of tools, such as OpenSSL.
  2. Create a CSR using the private key. This step will generate a CSR file, which you must submit to a CA.

What information does a CSR contain?

A CSR contains a detailed list of information, but the most important pieces are:

Information about your business so the CA can verify your identity and business. The CSR should include information about your business, public key, and the key type and length.

Information about your business

A CSR certificate should include all of the information related to your business, like name, city, state, and country. Your email address, domain name, and any other domain names you want to secure with an SSL/TLS certificate. It is imperative to have this information correct because it will be used to verify your identity when creating the certificate.

Public key

A public key is a mathematical value that is used to encrypt data. The CSR contains your public key, which the CA uses to create your certificate and verify the signature on your CSR.

Public keys are generated using a cryptographic algorithm, such as RSA. RSA is a popular algorithm used to create public and private keys. The length of the key, measured in bits, determines the strength of the encryption. A longer key is more secure than a shorter key. RSA uses two large prime numbers: p and q. RSA 2048 is the most common key length, but you can also choose RSA 3072, 4096, or 7168.

Key type and length

The CSR should also include the type of key you are using (RSA or DSA) and the length of the key. The most common key sizes are 2048-bit and 4096-bit.

What does a certificate signing request look like?

A CSR is typically encoded using Base-64, a standard format for representing binary data in ASCII text. The base-64 encoded CSR will look like a long string of random characters.

What is Base-64?

Base-64 is a standard encoding format used to represent binary data in ASCII text. This format helps to convert binary data into a readable format that can be easily transmitted over the internet. When creating a CSR, you will need to encode it using Base-64 so the CA can process it.

What is ASCII?

ASCII (American Standard Code for Information Interchange) is a standard character encoding system used in the digital world. It assigns a unique number to every character in the alphabet.

What does a CSR request code look like?

Below is an example from Wikipedia of what CSR certificates look like:

Certificate Signing Request (CSR)

How to create a CSR

There are a few steps involved in generating a CSR. First, you will need to develop a private key. In simple terms, a private key is a secret code used to encrypt information. This key should be kept safe, as it can be used to decrypt traffic to your website.

Creating a private key

A public key is mathematically derived from a private key. Together, these are referred to as a “key pair.” Private keys can be used to decrypt data that was encrypted by the corresponding public key, and public keys can be used to verify digital signatures created by the corresponding private key.

Many web servers and runtime environments, such as Internet Information Services (IIS), have CSR generation capabilities built in. Another way to generate a private key is to use the OpenSSL command line tool. This will generate a private key file called that is 2048 bits long. 

Generating a CSR

Once you have generated a private key, you can use it to create a CSR file. This file will contain the above information and is typically encoded using Base-64. The CSR file can also be generated using the OpenSSL command line tool.

Submitting to a CA

Once you have generated a CSR, you must submit it to a Certificate Authority (CA). The CA will use the information in the CSR request to create an SSL/TLS certificate for your website.

Installing the certificate CSR

Once you have received your SSL/TLS certificate from the CA, you will need to install it on your server. The installation process varies depending on the server type and the software you use. However, most servers use a similar process for installing SSL/TLS certificates.

You’ll need to copy the certificate files (the .crt and .key files) to the server. Next, you will need to configure the server to use the SSL/TLS certificate. This process will vary depending on the server software you are using but typically involves adding the certificate files to a configuration file and restarting the server.

Final thoughts

CSR files are essential to setting up SSL/TLS certificates for your website. They contain information used to generate the certificate and must be submitted to a CA to obtain a certificate. Once you have a certificate, you must install it on your server.

The process of requesting, issuing, renewing, and installing certificates is often manual and burdensome, resulting in human error and outages. Keyfactor EJBCA Enterprise and Keyfactor Command help simplify and automate the entire lifecycle of certificates, from issuance to renewal. This allows you to focus on priorities, and eliminate hours of tedious and time-consuming tasks related to certificate management.

See it in action in our demo center or request a demo to learn more today.

Ryan Sanders

Senior Product Marketing Manager

The 2022 State of Machine Identity Management Report

Get actionable insights from 1,200+ IT and security professionals on the next frontier for IAM strategy — machine identities.

Read the Report →