CSR (Certificate Signing Request)

What is a CSR (Certificate Signing Request)?

A CSR (Certificate Signing Request) is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA requires to issue a certificate.

In a public key infrastructure (PKI) system, which enables secure data sharing among validated parties on the internet, a CSR must be created before ordering and purchasing an SSL certificate.

How does the CSR process work?

Applicants must first generate a key pair -- a private key, which is used to decrypt ciphertext and create digital signatures, and a public key to encrypt plaintext and verify digital certificates. Note that both the key pair and CSR must be created on the server on which the SSL certificate is used; this is imperative to ensure the integrity of the key pair and PKI in general.

After the key pair is prepared, the CSR can be generated. Upon collecting all the necessary CSR data, the CA uses this data to build the certificate.

How is a CSR generated?

How a CSR is generated depends on the web server software used. Once the CSR is generated, it can be submitted to the CA. If the request is successfully validated, the CA issues the SSL certificate.

What data is included in a CSR?

The following information must be included in a CSR.

Information Description Example
Common name (CN) The fully qualified domain name of your server, *
Business name/organization (O) The legal name of your organization My Company, Inc.; My Company, Corp.
Department/organization name (OU) The division of your organization handling the certificate IT, Finance
City/town (L) The city where your organization is located Boston, London
State/county/region (S) The state/county/region where your organization is located (do not abbreviate) Massachusetts, Worcestershire
Country (C) The two-letter ISO code of where your organization is located US, GB
Email address An email address to contact your organization [email protected][email protected]
*When generating a CSR for a wildcard certificate, the common name should start with an * -- e.g., *

This was last updated in March 2023

Continue Reading About CSR (Certificate Signing Request)

Dig Deeper on Identity and access management

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing