A Certificate Signing Request (CSR) file is something you generate and provide to a certificate authority, which in turn signs it and sends back the requested SSL certificate that is used to enable HTTPS on your web server.
What is a CSR file?
CSR files contain information about your organization and the type of certificate you are requesting. They are usually generated automatically using a tool like OpenSSL. If you use Let’s Encrypt, CSR file creation is handled entirely by certbot for you.
CSR files contain the following information:
- Common Name (CN) – Your server’s hostname. This must match exactly, or your users will see an error page in their browser that says the certificate is unreliable. You can use wildcards (e.g. *.domain.com) to request a wildcard certificate that applies to all subdomains. A wildcard like this applies to www, but if you want to protect your root domain and all subdomains, you need two separate certificates. Common name is the only field that is technically required, so you can leave everything else blank if you want. But it’s good to fill in the others.
- Organization (O) – The full legal name of your company, including any suffixes such as LLC. If you request an EV or OV certificate (which is completely pointless), it must be validated. For a normal SSL certificate, however, you can enter anything, as it is not checked and is not even required.
- Organizational unit (OU) – The department for your company that handles the certificate.
- Country (C) – The two-letter country code of the country you are in.
- State / County / Region (S) – Full name of the state you are in.
- City / Locality (L) – The full name of the city you are in.
- Email Address – Your organization’s email address.
- The RSA key is used
The only thing that affects how your CSR file is processed is your common name. The domain name must be validated to prevent you from registering someone else’s domain; you will receive a challenge from the Certificate Authority later in the process to prove that you own the domain, but the CSR file has no effect on it.
The CSR file itself is in PEM format and is a large block of base64-encoded data:
-----BEGIN CERTIFICATE REQUEST----- MIICYDCCAUgCAFAwGzEZMBcGA1UEAwwQKi5wcm92aWRlbmNlLnBlbTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALA3vPkQJejmFk20mZT/J2995ibnz9MV 2hd+ltxX0gS9/rDZgGZA8nyPojpXVJbLxJ5PuSqmyZrDA2F3YvCwy13b7QZT/f56 mH3103cVaefhfy+Lc7JSJZtJkw6mVBz9Vz+cpmc3hm0DV3tIZW4L8DKYVQoWl3Ed N0nsHykoI02ZoVdDL+AZU6sNJ2LV9j0LuS2YZkGU7PHsij2W2zROtyL7HdnZp5m6 6e8e6ro9uBoCHBVSEeCDgBHLVQ92IRzPTzpSDr7dYhA2YHPbrjt6T63IgwiR4CU0 2Iq282KasNw1jkyIil9/5GPsqHH5Fw0Le/7Goqrk2Ez3zHwu7pv88AkCAwEAAaAA MA0GCSqGSIb3DQEBCwUAA4IBAQADq9KOCkyLNA7t6RDPatw006CR8zETGqlfnQ2h jxjDZlBWZbAVg6ftEMawxuKRbfw1bmJn53QSMpeX5HiMQLHliw3vsoIsRMPbwdxr j2ydJhYO95ktk4JRvD3/YR8hRYrGD4EYlsC+u1RwWTXXZ9ZjTvDtf4LZccKAysOW vM88R3pWCpDzTg4KWDw1jsq7Y9ISTYuBkd7d+d7GvK/VxITx8kSAgJRGkd54nlet pZdBwdY95Jg0AyecAE5GSNPiHmRTkm/rTXIPOyGY1kO9Mk/c+q+ZTEhH53v5bzUw yrLZuJkNL3KiNbZIWvQ3ljHNeM3+9437n4W3nDTcGL2Bi41n -----END CERTIFICATE REQUEST-----
However, you do not want to edit it manually; instead, you can use a tool like OpenSSL to generate it on your server.
How to create a CSR file
If your server is running Linux, you probably already have OpenSSL installed if you have Apache or Ubuntu installed. If not, you can install it from your distro’s package manager:
sudo apt-get install openssl
Then run the following command to start the CSR creation wizard:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
This will generate a new private key to be used during the process and save it to server.key. You will then be asked for your information; you can leave most of it blank if you want, but make sure the common name is correct.
Your signing request is saved to server.csr. Your public key is included in this request, but you should keep the private key for future renewals.
You must then provide your certificate authority with the CSR file to proceed with the creation of the SSL certificate. If you use certbot, this is handled automatically and you do not have to worry about CSR files at all.
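As an added example (not part of the original article), the same OpenSSL command can be run without the prompts by passing the common name with -subj, and the resulting request can be checked before it is sent to the certificate authority. The hostname www.example.com, the function names and the temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create a key and CSR without prompts, then check the CSR.
# www.example.com is a constructed sample hostname.

# make_csr DIR CN: write DIR/server.key and DIR/server.csr for common name CN.
make_csr() {
    ( umask 077   # -nodes leaves the key unencrypted, so restrict its mode
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/server.key" -out "$1/server.csr" \
          -subj "/CN=$2" 2>/dev/null )
}

# csr_cn CSR: print the Common Name stored in the request's subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# csr_signature_ok CSR: succeed if the request's self-signature verifies.
# The message is matched because older OpenSSL releases exit 0 on failure.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY: succeed if the CSR carries KEY's public half.
csr_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com
echo "CN in request: $(csr_cn "$demo_dir/server.csr")"
csr_signature_ok "$demo_dir/server.csr" && echo "self-signature: OK"
csr_matches_key "$demo_dir/server.csr" "$demo_dir/server.key" \
    && echo "public key matches server.key"
rm -rf "$demo_dir"
```

The key-match check is also useful at renewal time, to confirm which stored private key a given server.csr was generated from.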