What are CSR files and how are they created?

A certificate signing request (CSR) file is something that you generate and submit to a certificate authority, which in turn signs it and sends you the requested SSL certificate that is used to enable HTTPS on your web server.

What constitutes a CSR file?

CSR files contain information about your organization and the type of certificate you are requesting. In general, they are generated automatically with the help of a utility like OpenSSL. If you are using Let's Encrypt, certbot manages the creation of CSR files for you.

CSR files contain the following information:

  • Common name (CN): the hostname of your server. It has to match exactly, or your users will see an error page in their browser saying the certificate is not trusted. You can use wildcards (e.g., *.domain.com) to request a wildcard certificate that applies to all subdomains. A wildcard like this applies to www, but if you want to protect your root domain and all subdomains, you will need two separate certificates. The common name is the only field that is technically required, so you can leave everything else blank if you want. Still, it is good to complete the others.
  • Organization (O): the full legal name of your company, including suffixes such as LLC. If you are requesting an EV or OV certificate (which are completely useless), this must be validated. For a normal SSL certificate, however, you can put whatever you like, since it is not checked and is not even required.
  • Organizational unit (OU): the division of your company that manages the certificate.
  • Country (C): the two letter code of the country you are in.
  • State / county / region (S): the full name of the state you are in.
  • Town / location (L): the full name of the city you are in.
  • Email address: your organization's email address.
  • The RSA public key used

The only field that affects the way your CSR file is processed is the common name. The domain name will need to be validated to prevent you from registering someone else's domain; later in the procedure, the certificate authority will send you a challenge to prove that you are the domain owner, but the CSR file has no effect on that.

The actual CSR file itself is in PEM format and is a large chunk of base64 encoded data:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

However, you don't want to edit this manually; instead, you can use a tool like OpenSSL to generate it on your server.

How to create a CSR file

If your server runs Linux, you probably already have OpenSSL installed, for example if you have installed Apache or are running Ubuntu. If that is not the case, you can install it from your distribution's package manager:

sudo apt-get install openssl

Then run the following command to start the CSR creation wizard:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

This will generate a new private key to use throughout the procedure and save it in server.key. Then you will be asked for your information; you can leave most of it blank if you like, but make sure the common name is correct.

Once the new private key has been written, you will be asked to enter the information that will be incorporated into your certificate request.

Your signing request will be saved in server.csr. Your public key is included in this request, but you will want to save the private key for future renewals.
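Before sending the request to the certificate authority, it is worth checking what it actually contains. The following is an added example, not part of the original article: it creates the CSR non-interactively with -subj instead of the wizard, then confirms the common name, the request's self-signature, and that the embedded public key belongs to server.key. The function names and example.com are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: create a CSR without the interactive prompts, then check it.
# Function names, file names and example.com are placeholders.
# Usage: make_csr www.example.com server.key server.csr

make_csr() {  # make_csr <common-name> <key-file> <csr-file>
    (
        # -nodes leaves the private key unencrypted on disk,
        # so make sure new files are readable by the owner only.
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
    )
}

csr_common_name() {  # print the common name stored in the CSR
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

csr_signature_ok() {  # a CSR is signed with its own private key; verify that
    # Match on the message text: older OpenSSL releases exit 0 even on failure.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {  # csr_matches_key <csr-file> <key-file>
    # Compare the public key embedded in the CSR with the one derived
    # from the private key; both are printed as PEM SubjectPublicKeyInfo.
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}
```

A failing csr_matches_key means the key file next to the CSR is not the one that signed it, and a certificate issued for that CSR will not work with that key.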

Afterward, you will need to provide your certificate authority with the CSR file to continue with the SSL certificate creation procedure. If you are using certbot, this is handled automatically and you won't have to worry about CSR files at all.
