What is a CSR – An understanding into the basics of CSRs

The following case is a classic example of how little things matter.

Generating a CSR or a Certificate Signing Request is a mandatory aspect in the process of obtaining an SSL Certificate. Even though it might be little, this encoded text file has the authority to make your SSL Certificate null and void.

But first, what is a CSR, and how is one generated?

In simple terms, a CSR or Certificate Signing Request is a small file that contains information regarding the organization that has applied for an SSL certificate. It is recommended that the customer generates the CSR before ordering the SSL certificate, as once generated, the respective CA or Certification Authority uses the CSR to issue a new SSL server certificate.

It is a fundamental requirement in order to activate the SSL certificate and can be generated only on the server where the certificate is meant to be installed.

Usually, the private key is generated alongside the CSR. The key can be an RSA key (RSA is a cryptosystem), which means that it is at least 2,048 bits long and uses prime factorization as its method of encryption. However, this is just one type of private key. Others include Elliptic Curve Cryptography (ECC) keys; ECC plots points on an elliptic curve and can be used just like RSA. ECC keys are generally smaller (224-bit or bigger). Studies suggest that ECC will most likely replace RSA in the next three to five years.

The CSR also contains a public key, which is later embedded into the SSL Certificate. Its better half, the Private Key, as the name suggests, is supposed to be kept confidential within the organization itself. The CSR provides essential information such as:

  • CSR Common Name (CN): A Fully Qualified Domain Name (FQDN) of your website.
  • Organization Name (O): The legal company name. Abbreviations are not allowed.
  • Organization Unit (OU): The unit of the company responsible for the management of the certificate.
  • Locality (L): The legal location of the company.
  • State or Province Name (ST): The legal State or Province of the company.
  • Country (C): The legal Country where the company is located.
  • Email Address: An official email address associated with the company.

The CSR or Private Key’s bit length for SSL Certificate Request

According to the Certificate Authority Browser (CAB) Forum, it is mandatory for all SSL Certificates issued after the 1st of January 2014 to use at least 2048-bit RSA keys. SSL Certificates that use 1024-bit RSA keys will no longer be considered secure, and certificates with 4096-bit RSA keys will be supported.

The Basic CSR or Certificate Signing Request Format

A Certificate Signing Request is created in Base64-encoded PEM format and can be opened in any text editor. The -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines are part of the request and have to be included.

Here’s a certificate signing request example below:

-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded request data)
-----END CERTIFICATE REQUEST-----

Generating a CSR for a Wildcard Certificate

Not sure what to do? Well, just keep in mind that while generating a CSR for a Wildcard certificate, the common name must ALWAYS start with an asterisk (*), for example: *.abc.com. In this way, the asterisk character (*), which is sometimes known as a wildcard character, can be utilized for any name later on.

Want to Decode a CSR? We’re here to help!

In order to ensure a smooth process, it is recommended that you check each and every detail before finally submitting your organization information.

Now that you know that a CSR is encoded data containing information sent to a CA, have you thought about how you are going to decode it once you receive it?

Well, there are a few online tools that help you decode the CSR, such as the CSR Decoder, which not only enables you to decode your CSR but also verifies all the details provided, therefore ensuring a smooth process.

The CSR generation process can get a lot more technical, and the methods vary from one server to another. Therefore, if you are not sure of your next steps, you can go through our SSL CSR Generator Guide, specially curated to help you generate your CSR effortlessly.
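
As an added example (not part of the original article), the shell functions below use the OpenSSL command-line tool to generate a private key and CSR, then decode the CSR locally and check the details discussed above: the request's self-signature, the 2048-bit RSA minimum, and the Common Name. The function names, file names and subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a CSR with OpenSSL, then decode and check it locally.
# Function names, file names and subject values are constructed placeholders.

# make_csr DIR BITS CN: write DIR/server.key (private) and DIR/server.csr
make_csr() {
    ( umask 077   # keep the private key readable by its owner only
      openssl req -new -newkey "rsa:$2" -nodes \
          -keyout "$1/server.key" -out "$1/server.csr" \
          -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/OU=IT/CN=$3" \
          2>/dev/null )
}

# csr_key_bits FILE: print the public key size in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn FILE: print the Common Name from the subject
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_csr FILE EXPECTED_CN: return 0 only if the CSR's self-signature
# verifies, the key meets the 2048-bit RSA minimum, and the CN is as expected.
# (Assumes an RSA key; an ECC key would need its own size threshold.)
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "signature does not verify"; return 1; }
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-0} bits"; return 1; }
    cn=$(csr_cn "$1")
    [ "$cn" = "$2" ] || { echo "unexpected CN: $cn"; return 1; }
    echo "ok: ${bits}-bit key, CN=$cn"
}

# Demo: a wildcard request, so the Common Name starts with an asterisk
demo_dir=$(mktemp -d)
make_csr "$demo_dir" 2048 '*.example.com' && check_csr "$demo_dir/server.csr" '*.example.com'
rm -rf "$demo_dir"
```

Only server.csr is sent to the CA; server.key stays on the server.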

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.