A Certificate Signing Request or CSR is a specially formatted underdeveloped public key that is used for enrollment of an SSL Certificate. The information on this CSR is important for a Certificate Authority (CA). It is needed to validate the information required to issue a SSL Certificate.
Creation of a CSR also means you are creating your private key. The private key will always be left on the system or application where the CSR is generated. The Private key will be required later for installation.
If you do not see your server listed Perform a search or you may have to contact your server vender or hosting provider for best practices on how to generate a CSR on your system.
A CSR must contain the Following information:
- Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts
- Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate. For example: Saint Louis, not St. Louis
- Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
- Common Name: The fully-qualified domain name, or URL, you’re securing. for example “www.domain.com”. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.domain.com.
Note: You might be prompted on some server systems or applications to associate a password for your CSR. Leave this blank or bypass it by pressing Enter depending on the system. Associating a password with your CSR will encrypt it and will cause issues with enrollment. If this happens you will have to regenerate another CSR without a password.
If you are looking for a simpler way to create CSRs, and install and manage your SSL Certificates, we recommend using the DigiCert Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and Configure your SSL Certificate Keypair. You can then export your SSL Certificate from the utility in either a pfx for pem Apache applicable format and import it into the systems that require your SSL Certificate.
To check the information of your CSR visit the SSL Tools CSR Checker.
Instructions for server vendors:
Microsoft Server 2003 – IIS 6
Microsoft Server 2008 – IIS 7 & 7.5
Microsoft Server 2012 – IIS 8 & 8.5