Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is a message file sent to a Certificate Authority (CA) to apply for a Digital Certificate, most commonly an SSL/TLS certificate^[600-developer-tools-security-security-file-extension-name.md]. It acts as the formal first step in the certificate application process, containing the specific information required by a vendor to generate and issue the final certificate^[600-developer-tools-security-security-file-extension-name.md].

Content and Structure

The CSR file contains standardized fields that identify the entity requesting the certificate^[600-developer-tools-security-security-file-extension-name.md]. These fields, often encoded in formats like PEM (Base64 ASCII), include the following Distinguished Name (DN) attributes and specifications:

  • Common Name (CN): The domain name to be protected (e.g., www.example.com or *.domain.com for wildcard domains)^[600-developer-tools-security-security-file-extension-name.md].
  • Organization (O): The legally registered name of the organization^[600-developer-tools-security-security-file-extension-name.md].
  • Organizational Unit (OU): The specific department within the company; if omitted, this may default to the Common Name^[600-developer-tools-security-security-file-extension-name.md].
  • Locality (L): The city where the organization is located^[600-developer-tools-security-security-file-extension-name.md].
  • State/Province (ST): The state or region where the organization is located^[600-developer-tools-security-security-file-extension-name.md].
  • Country (C): The country code where the organization is located^[600-developer-tools-security-security-file-extension-name.md].
  • Key Size: The cryptographic algorithm and key length (e.g., RSA 2048)^[600-developer-tools-security-security-file-extension-name.md].

Key Pair and Workflow

During the CSR generation process, a cryptographic key pair is created^[600-developer-tools-security-security-file-extension-name.md]. The resulting two components serve distinct purposes:

  • Private Key: This file is generated locally and must be kept secure and secret by the requester^[600-developer-tools-security-security-file-extension-name.md].
  • CSR File: This file is provided to the CA (the certificate vendor) to facilitate the creation of the signed certificate^[600-developer-tools-security-security-file-extension-name.md].

Once the CA receives the CSR, it uses its own CA key pair to sign and issue the server certificate^[600-developer-tools-security-security-file-extension-name.md].

Generation

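CSRs are typically generated using command-line tools such as OpenSSL^[600-developer-tools-security-security-file-extension-name.md]. A typical command creates a new private key and the matching request in a single step. With the -nodes option the private key is written to disk unencrypted, so access to the key file should be restricted.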

Example using OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -out xxxx.csr -keyout xxxx.key -subj "/C=tw/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx/CN=xxx.xxx.xxx"
^[600-developer-tools-security-security-file-extension-name.md]
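
The following is an added example, not part of the original page: it generates a key pair and CSR with the same OpenSSL options as above, then checks the CSR before it is sent to the CA (self-signature, match against the local private key, key length, subject). The file names server.key and server.csr, the function names, and the subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a key pair and CSR, then check the CSR before
# sending it to the CA. Subject values and file names are constructed.

# gen_csr DIR SUBJECT: write DIR/server.key and DIR/server.csr.
gen_csr() {
    (
        umask 077   # -nodes leaves the key unencrypted; keep it owner-only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/server.key" -out "$1/server.csr" \
            -subj "$2" >/dev/null 2>&1
    )
}

# csr_signature_ok CSR: the CSR is self-signed with the requester's private
# key; check that signature. The message is matched because older openssl
# releases exit 0 even when verification fails.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_matches_key CSR KEY: the public key inside the CSR must be the one
# derived from the private key that stays on this host.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_key_bits CSR: print the key length recorded in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_subject CSR: print the Distinguished Name the CA will see.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null
}

# Demo with constructed values.
demo_dir=$(mktemp -d)
gen_csr "$demo_dir" "/C=TW/ST=Taipei/L=Taipei/O=Example Org/OU=IT/CN=www.example.com"
csr_signature_ok "$demo_dir/server.csr" && echo "signature: OK"
csr_matches_key "$demo_dir/server.csr" "$demo_dir/server.key" && echo "key match: OK"
echo "key bits: $(csr_key_bits "$demo_dir/server.csr")"
csr_subject "$demo_dir/server.csr"
rm -rf "$demo_dir"
```

Only server.csr is submitted to the CA; server.key stays on the host that generated it.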

  • SSL/TLS
  • [[Public Key Infrastructure]]
  • [[Certificate Authority]]
  • [[PEM Format]]
  • [[PKCS#12]]

Sources

^[600-developer-tools-security-security-file-extension-name.md]